32. As part of the overall internal control framework [Institutions should refer to Title V of the EBA guidelines on internal governance.], including internal control mechanisms [Please also refer to Article 11 of Directive 2015/2366 (PSD2).], institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks [See also EBA guidelines on ICT and security risk management and G7 fundamental elements for third-party cyber risk management in the financial sector.].
33. Institutions and payment institu
…