In 2024, the RBI’s supervisory review of a mid-sized NBFC found that while it had a board-approved IT policy on record, there was no functioning IT Strategy Committee, no appointed CISO and no evidence of quarterly governance meetings. The policy existed but without a governance structure behind it. The result was a show-cause notice and a corrective action plan imposed under regulatory oversight.
This is one of the most common patterns across RBI inspections – institutions that have documentation without operationalisation. The Master Direction on IT Governance, Risk, Controls and Assurance Practices (effective April 2024) addresses this directly by mandating not just what policies must exist, but exactly who is responsible for them and how that accountability must be structured.
Understanding how to structure an IT governance committee as per RBI guidelines is the starting point for building a governance framework that holds up under regulatory scrutiny.
Why committee structure is the RBI’s primary governance instrument
The RBI’s IT governance framework rests on one principle: IT risk must be governed at the board level, not managed within the IT function. The key focus areas of IT governance include strategic alignment, risk management, resource management, performance management and business continuity and disaster recovery management. All of these require board-level oversight, not just senior management execution.
The Master Direction operationalises this through a three-tier governance structure. Each tier has defined composition requirements, mandatory meeting frequencies and specific responsibilities – none of which are discretionary.
The three-tier IT governance structure under RBI Master Direction
Here is what each tier of the IT-governance structure requires in practice.
Tier 1 (Board Level)
- IT Strategy Committee (ITSC): Regulated entities must establish a Board-level IT Strategy Committee comprising a minimum of three directors as members, chaired by an independent director with expertise in managing or guiding technology initiatives. The committee must meet at least on a quarterly basis. The ITSC is the primary governance body.
- Risk Management Committee of the Board (RMCB): The Risk Management Committee of the Board must periodically review IT-related risks and, in consultation with the ITSC, review and update the risk management policy (including IT-related risks) at least once a year. The RMCB is not a separate IT body, but it must actively incorporate IT and cyber risk into its mandate.
Tier 2 (Senior Management)
- IT Steering Committee: Regulated entities must establish an IT Steering Committee with senior-management representation from both IT and business functions to assist the Board and the IT Strategy Committee in implementing the IT policy and IT strategy. The IT Steering Committee must meet at least quarterly. It is the execution layer: it translates board-approved strategy into operational outcomes, tracks project delivery, reviews IT risk management and escalates material issues to the ITSC. It must include business function representation, not just IT heads.
- Chief Information Security Officer (CISO): The CISO must be a permanent invitee to both the ITSC and the IT Steering Committee, must report directly to the Executive Director or equivalent executive overseeing the risk management function, and is responsible for establishing the cybersecurity strategy and ensuring compliance with regulatory instructions.
Tier 3 (Assurance)
- Information Systems Audit Function: The Information Systems Audit function must operate independently of both IT operations and the IT Steering Committee. It reports to the Audit Committee of the Board. The Master Direction requires continuous auditing for critical systems and regular review of audit findings at the board level, not just management review.
The most common structural gaps RBI inspectors find
Based on documented patterns and compliance assessments, the most frequently repeated gaps in how IT governance committees are structured against the RBI guidelines are:
- ITSC not constituted or meets irregularly: Quarterly meetings are compulsory. Entities that convene the ITSC only annually or on an ad hoc basis are non-compliant irrespective of what their policy documents state.
- CISO reports to CTO or CIO: The Master Direction requires the CISO to report outside the IT function. This structural independence is examined during inspections.
- IT Steering Committee lacks business function representation: Committees staffed only by IT heads do not satisfy the cross-functional membership requirement.
- No documented meeting minutes or action closure records: Regulators look for evidence that committees are functioning, not just constituted. Meeting minutes, action logs and escalation records are the audit trail.
- RMCB not reviewing IT risk: Many boards treat IT risk as the ITSC’s sole domain. The RMCB must also review and update the risk management policy to incorporate IT and cyber risk.
Conclusion
Structuring IT governance correctly is not a matter of creating committees on paper; it is about building an accountability chain that functions at every level and can be evidenced during a supervisory inspection.
At CyberNX, our RBI Master Direction compliance services help regulated entities establish governance frameworks that satisfy RBI scrutiny – from ITSC constitution and CISO placement to IS audit independence and board reporting cadences. If your institution needs expert guidance on how to structure an IT governance committee as per RBI guidelines, our team is ready to help. Contact us to learn more.
How to Structure an IT Governance Committee as per RBI Guidelines FAQs
What is the IT Strategy Committee (ITSC) and who must be on it?
The ITSC is the mandatory board-level IT governance body under the RBI Master Direction effective April 2024. It must have a minimum of three directors, chaired by an independent director with substantial IT expertise. It must meet at least quarterly and is responsible for approving and reviewing IT strategy, cybersecurity policy, BCP and IS governance annually.
What is the difference between the IT Strategy Committee and the IT Steering Committee?
The ITSC operates at the board level and is responsible for strategic oversight – approving policies, reviewing governance effectiveness and holding senior management accountable. The IT Steering Committee operates at the senior management level and is responsible for implementation. Both must meet quarterly.
Where must the CISO report under RBI guidelines?
The CISO must report directly to the Executive Director or equivalent executive overseeing the risk management function. The CISO cannot report to the CTO or CIO, as this would create a conflict of interest between IT operations and information security oversight. The CISO is also a permanent invitee to both the ITSC and the IT Steering Committee.
Is the IT Steering Committee required to include business function representatives?
Yes. The Master Direction explicitly requires the IT Steering Committee to have representation from both IT and business functions at the senior management level. A committee staffed only by IT heads does not satisfy this requirement and would be flagged during an RBI inspection.