Risk management is nothing new to bankers. Interest rate and credit
However, the increasing competitive significance of technology and the
And as the pace of change accelerates, new opportunities and new risks
As many banks shift key applications from mainframe/dumb terminal
If you do not think technological change exposes your bank to an
One bank had to give up on a conversion after 15 months because the
Another institution, after installing a loan origination system in 30
A loan officer lost a laptop computer that contained a list naming
Whether your bank has experienced similar scenarios or you chuckled
Common sense and the intensifying scrutiny of regulators require that
Companies that plan for these risks are better positioned to control
In this two-part series, we will examine the major categories of
Risk generally can be divided into six categories:
Vendor risk. All banks rely on at least one and often many vendors for
Indications of exposure to vendor risk include the following:
Multiple missed deadlines on a single project.
User priority lists that are inflexible and do not change from year-to-
Exorbitant price quotes for projects-a sign that the vendor is
High turnover of vendor account representatives.
The closing of a data center or the loss of major customers by the
Information risk. The risk that data and information cannot be put to
Indications of exposure to this type of risk include:
Systems yielding tons of data, but no useful information.
A recurring inability to get product or customer profitability
Reports from different sources that seem to contradict one another.
Employees spending too much time creating reports.
Hesitation in decision-making due to lack of confidence in information.
Infrastructure risk. Infrastructure is the hardware, software, printers,
The following are symptoms of exposure to this type of risk:
Frequent requests from bank employees for upgrades of hardware or
Large amounts of zero-balance assets.
Investments in technology products from vendors who have small market
Security risk. Because PC-based systems are inherently less secure than
Some symptoms of this type of risk are:
A lack of physical security for critical hardware (e.g. servers).
Administration of system security spread out in multiple departments.
Dial-in system access is unregulated.
A lack of control over what data can leave the bank on laptops.
Availability risk. This involves the danger posed by systems being
This probably gets the most attention from bank examiners. It also is
However, more and more mission-critical systems run on bank PCs and
This is especially true when it is necessary to relocate employees-just
There is one major symptom of this risk-an incomplete or untested bank
If your plan does not specifically address bank hardware, networks,
Likewise, if you have a beautifully written plan that has never once
Strategic risk. This is the biggest and most insidious type of
How do you know if a technology investment saves you as much money as it
Requests for technology expenditures should be justified through a
Symptoms of strategic risk include:
Significantly higher technology spending with little improvement in
Investment in branch and loan delivery systems that do not produce
Customer-contact employees not increasing as a percentage of total
Technology initiatives frequently starting out with great fanfare but
The identification of the key components of technology risk is an
In measuring your bank's exposure to the components of technology risk,
First, the cost of increasing flexibility and functionality brought
Second, to remain competitive, you must accept that some risk increase
Good planning, communication of expectations, monitoring, and focus are