Comment: Controlling High Tech Risks: First You Have to Spot Them

Risk management is nothing new to bankers. Interest rate and credit risk in particular have long been a major concern of most managers.

However, the increasing competitive significance of technology and the migration from mainframe technology to client/server environments have significantly changed the face of risk management.

And as the pace of change accelerates, new opportunities and new risks will continue to arise-probably at an ever increasing rate.

As many banks shift key applications from mainframe/dumb terminal environments to PCs and networks, they also are changing the responsibility for security, service, data management, and business resumption from outside vendors to in-house personnel-effectively transferring risk from "them" to "us."

If you do not think technological change exposes your bank to an increasing amount of risk, consider the following examples related to us by our clients:

One bank had to give up on a conversion after 15 months because the vendor could not make two of its own systems integrate correctly.

Another institution, after installing a loan origination system in 30 offices, learned the new system required telephone line upgrades at a cost of $4,000 per site.

A loan officer lost a laptop computer that contained a list naming every customer the bank planned to solicit in a loan refinance program. The list also contained the customers' current loan numbers and balances.

Whether your bank has experienced similar scenarios or you chuckled uncomfortably to yourself at the prospect, it should be clear that the implementation of new technology inherently poses risks.

Common sense and the intensifying scrutiny of regulators require that management devote more time and resources to managing that risk.

Companies that plan for these risks are better positioned to control them, since risk exposure is a matter of choice, not fate.

In this two-part series, we will examine the major categories of technology risks for banks today. In this article, we will identify technology risks faced by banks and discuss symptoms you can look for. In the second article, we will discuss ways to mitigate these risks.

Risk generally can be divided into six categories:

Vendor risk. All banks rely on at least one and often many vendors for their systems and programs. This reliance leads to the risk that new and upgraded third-party systems will have flaws or not get support as needed, causing service interruptions or errors.

Indications of exposure to vendor risk include the following:

Multiple missed deadlines on a single project.

User priority lists that are inflexible and do not change from year-to- year.

Exorbitant price quotes for projects-a sign that the vendor is incapable of increasing its role at the bank.

High turnover of vendor account representatives.

The closing of a data center or the loss of major customers by the vendor.

Information risk. The risk that data and information cannot be put to its best use is a large one for bank, because of the huge amount of data they have at their disposal.

Indications of exposure to this type of risk include:

Systems yielding tons of data, but no useful information.

A recurring inability to get product or customer profitability information.

Reports from different sources that seem to contradict one another.

Employees spending too much time creating reports.

Hesitation in decision-making due to lack of confidence in information.

Infrastructure risk. Infrastructure is the hardware, software, printers, wiring, modems, telephone systems, and other data processing equipment used by banks. Infrastructure risk is the risk associated with the obsolescence, malfunction, incompatibility, etc. of this equipment.

The following are symptoms of exposure to this type of risk:

Frequent requests from bank employees for upgrades of hardware or software before such equipment is fully depreciated.

Large amounts of zero-balance assets.

Investments in technology products from vendors who have small market shares or declining sales.

Security risk. Because PC-based systems are inherently less secure than legacy systems, auditors and regulators put a great deal of emphasis on security risk.

Some symptoms of this type of risk are:

A lack of physical security for critical hardware (e.g. servers).

Administration of system security spread out in multiple departments.

Dial-in system access is unregulated.

A lack of control over what data can leave the bank on laptops.

Availability risk. This involves the danger posed by systems being unavailable for use due to a natural disaster, employee error, or sabotage.

This probably gets the most attention from bank examiners. It also is the most familiar type of technology risk to bankers, since most have had plans for recovering their mainframe systems.

However, more and more mission-critical systems run on bank PCs and networks every day. Banks who have needed to execute their disaster recovery plans have found that recovering PCs, networks, internal software programs and data bases, FAX machines, and telephones is usually a much bigger undertaking than getting the mainframe up and running.

This is especially true when it is necessary to relocate employees-just ask any California bank that has dealt with an earthquake.

There is one major symptom of this risk-an incomplete or untested bank disaster-recovery plan.

If your plan does not specifically address bank hardware, networks, telecommunications, and other issues not supported by your core systems vendor, you could face significant liability.

Likewise, if you have a beautifully written plan that has never once been tested, you really have no idea of what financial exposure you might have to a disaster.

Strategic risk. This is the biggest and most insidious type of technology risk banks face today, because strategic risk can involve millions of dollars and often goes undetected.

How do you know if a technology investment saves you as much money as it should? How can you tell if your technology is increasing or decreasing the efficiency of your employees? How do you ensure that your investment is "paying off?"

Requests for technology expenditures should be justified through a combination of revenue enhancement and expense reduction.

Symptoms of strategic risk include:

Significantly higher technology spending with little improvement in overhead ratio.

Investment in branch and loan delivery systems that do not produce increased revenue.

Customer-contact employees not increasing as a percentage of total staff.

Technology initiatives frequently starting out with great fanfare but then quietly disappearing.

u

The identification of the key components of technology risk is an important first step in planning for, controlling, and managing that risk rather than being managed by it.

In measuring your bank's exposure to the components of technology risk, bear the following in mind:

First, the cost of increasing flexibility and functionality brought about by technology change is always paid for by increased risk.

Second, to remain competitive, you must accept that some risk increase is inevitable, and must be prepared to recognize and manage it.

Good planning, communication of expectations, monitoring, and focus are the keys to mitigating the effects of technology risk.