In part one of this series, which ran last Wednesday, we identified six areas of technology risk faced by banks. This article examines ways to mitigate these risks.
Effective technology risk management requires that bank managers adhere to four general principles.
The first of these is that risk management responsibility must be assigned to one person rather than to a group. Senior management must recognize the critical importance of this function and select a member of the organization, such as the chief information officer, who has enough experience to be responsible for setting policies and developing standards. Once policies are in place, department heads can be charged with managing compliance, but it should never be left to individual department heads to create their own distinct set of procedures.
The second principle is that banks should not use multiple operating systems, disparate hardware configurations, or different versions of software programs unless there is a compelling business reason for doing so. Use a common set of technology policies whenever possible to avoid miscommunication and confusion.
The third principle is that standards and policies must be documented. Do not let critical knowledge of your systems reside exclusively in the heads of a few key employees.
The fourth principle is to plan carefully and communicate the plan to bank employees. Many banks today have not formally developed technology plans and are thus operating in a reactive technology environment that increases their technology risk.
With these principles in mind, let's examine some of the ways a bank can mitigate individual types of technology risk.
Mitigating vendor risk: Clearly define what the term "strategic partnership" means to you and your vendor. Ensure that the vendor's strategies, financial resources, and service commitment will support the bank's strategic plan. Formally communicate the strategic plan and goals to the vendor, at least annually. Tell the vendor what you need to support your strategic direction, and ask how it plans to meet those needs.
In addition, it is important to go through a formal vendor selection process each time you renew a contract even if you are generally satisfied with your current provider.
Mitigating information risk: Standardize your data structure within the organization and assign formal responsibility for data management to one person in the technology group. Standardization and centralization are the keys to reducing the risk posed by application tools that cannot be effectively integrated. In addition, to guard against information overload and inefficient use of technology resources, decrease the number of reports produced.
Mitigating infrastructure risk: Set bankwide standards for hardware, operating systems, and desktop software, and require that all systems decisions comply with them. And remember this rule of thumb: Common systems are safer, because they are easier to patch, monitor, and support; the price is that a single flaw affects every machine, so standardization must be paired with prompt, bankwide patching.
In addition, make regular investments in infrastructure. In particular, since your technology infrastructure depends increasingly on networked PCs, upgrade at least 25% of your desktop systems annually.
Mitigating security risk: Separate duties. Assign all security administration to one employee or group that does not post transactions or do other work on any of the systems it administers. Grant access on a need-to-know basis: require that local area network administrators restrict systems access to those who need it to do their jobs, and make sure department heads adhere to these access restrictions rather than granting exceptions on their own authority.
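The two rules above, separation of duties and need-to-know access, can be checked mechanically against the access list rather than by trusting each department head's word. The following is an editor's illustration, not code from the original article; the role names, job functions, conflicting-role pairs, and sample user assignments are all constructed for the example, and a real bank would load its own policy matrix and its LAN administrators' current assignments instead.

```python
"""
Separation-of-duties and need-to-know review of role assignments.

Editor's example, not from the article. Role names, job functions,
the conflict matrix, and the user list are constructed.
"""
from collections import defaultdict

# Role pairs no single account may hold at once (constructed policy).
CONFLICTING_ROLES = {
    frozenset({"security_admin", "post_transactions"}),
    frozenset({"security_admin", "approve_wires"}),
    frozenset({"post_transactions", "approve_wires"}),
}

# Roles each job function is entitled to (constructed policy).
ENTITLED_ROLES = {
    "security_admin": {"security_admin", "read_audit_log"},
    "teller": {"post_transactions", "view_accounts"},
    "wire_officer": {"approve_wires", "view_accounts"},
    "branch_manager": {"view_accounts", "run_reports"},
}

# Constructed sample of what the LAN administrators actually granted.
ASSIGNMENTS = [
    {"user": "alice", "function": "security_admin",
     "roles": {"security_admin", "read_audit_log"}},
    {"user": "bob", "function": "teller",
     "roles": {"post_transactions", "view_accounts"}},
    # carol's department head also handed her security_admin: SoD conflict
    {"user": "carol", "function": "teller",
     "roles": {"post_transactions", "security_admin"}},
    # dave holds a role his function never needed: need-to-know violation
    {"user": "dave", "function": "branch_manager",
     "roles": {"view_accounts", "run_reports", "approve_wires"}},
]


def sod_conflicts(assignment):
    """Return the conflicting role pairs held by one account, sorted."""
    roles = assignment["roles"]
    return sorted(tuple(sorted(pair)) for pair in CONFLICTING_ROLES if pair <= roles)


def excess_roles(assignment):
    """Return roles the account holds beyond its job function's entitlement."""
    entitled = ENTITLED_ROLES.get(assignment["function"], set())
    return sorted(assignment["roles"] - entitled)


def review_access(assignments):
    """Map each offending user to a list of findings; empty dict means clean."""
    findings = defaultdict(list)
    for a in assignments:
        for first, second in sod_conflicts(a):
            findings[a["user"]].append(
                f"separation-of-duties conflict: {first} + {second}")
        for role in excess_roles(a):
            findings[a["user"]].append(
                f"role not justified by job function: {role}")
    return dict(findings)


if __name__ == "__main__":
    for user, issues in review_access(ASSIGNMENTS).items():
        for issue in issues:
            print(f"{user}: {issue}")
```

Run at each scheduled risk assessment, a check like this turns the two rules into a repeatable audit: any non-empty result is either an administrator who can also post transactions or an account whose access exceeds its job.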
Mitigating availability risk: As you develop a disaster recovery plan, make sure that it addresses your key technical systems.
In particular, it should provide contingencies for the following: core systems, automated teller machine networks, PCs, printers, modems, wide area networks, telecommunications.
Once your plan is adopted, test it annually. Make sure the local applications and infrastructure components listed above are included in the test. Look to third parties to help develop, test, and carry out your plan. Many core systems vendors have expanded their proven expertise in disaster recovery to include bank PC networks and software.
Mitigating strategic risk: Develop a formal information strategy plan, or ISP; update it; and share it with your board annually. This plan should outline and set priorities on your technology initiatives over three years, and it must pinpoint how each initiative will support bank strategy and justify itself financially.
Require that major technology investments be accompanied by demonstrable organizational improvement or efficiency. Before making an investment, set measurable performance goals that will allow you to track investment payoff continuously.
Finally, once your plan is adopted, stick to it!
Technology risk management should be a continuous activity rather than an infrequent, episodic function. As part of your risk management strategy, continuously monitor your level of technology risk exposure. Plan internal risk assessments at frequent, scheduled intervals. Include a scorecard on which you rate yourself on a variety of key risk exposure areas.
Such a tool will enable you to better understand and mitigate the effects of risk on your bank, and perhaps equally importantly, allow you to communicate your risk management strategy to regulators and examiners.