Making IT risk management profitable

Technology has changed the face of financial services faster than any other single factor in modern times. With this rapid change have come new risks, and more attention from regulators on how banks manage those risks. In the first half of 2006, 73% of examined banks were rated as safe and sound but with moderate weaknesses. As information security and technology risks continue to evolve, those moderate weaknesses are becoming critical to banks and regulators.

Making sure your bank is in compliance with the latest rules, and the ongoing series of guidelines and directives intended to protect both banks and their customers, is just a minimum. Compliance doesn’t drive information technology (IT) management, but it is an important component. Compliance has to address the internal directives of the bank’s governance and risk strategies as well as regulatory requirements.

True IT risk management focuses on governance and overall risk, which can drive revenue, reduce costs, inspire customer loyalty, and encourage adoption of new products and services.

The Technology Edge
In most banks, technology decisions are based on the business benefits of automation and greater efficiency. Improvements in security, reliability and compliance are also important, but are usually balanced against implementation costs. Ultimately, bankers are looking for their technology decisions to add value to the bottom line.

How the bank approaches risk issues will impact how the examiners view its commitment to compliance. The integration of technology into the bank’s business process can both increase and mitigate risk, even if security and compliance weren’t driving the technology decision. Acceptable risk is managed according to governance-defined goals and objectives and the overall “risk appetite” of the bank, but can never be greater than regulator expectations. IT risk management must be integrated with the overall bank risk-management-process framework; however, monitoring and enforcing the controls falls under compliance management.

A Different (Better) Way to Approach IT Policies
By default, information technology risk touches many areas of the bank. So rather than having specific policies for each bank function, a better holistic approach is to look at the common key areas that technology impacts across all parts of the bank:

  • Access
  • Data privacy
  • Information security
  • Operations
  • Development and acquisition of hardware and software
  • Business continuity
  • Technology outsourcing
  • Alternative delivery (e-banking, payment systems, remote capture, online banking, phone banking, etc.)

Having identified the key areas of IT risk, the bank can now set its benchmarks for acceptable risk in each area and create higher-level policies that will accurately reflect the bank’s position. Examiners will be looking for specific criteria to determine demonstrated compliance. These include: named staff responsible for defined areas, an information security policy, regular compliance audits, ongoing employee training, and Board of Director reporting. Examiners will also be checking to see that the information security policy and demonstrated compliance are effective and appropriate for the size and complexity of the bank.

Examiners’ areas of greatest concern are:

  • Lack of an Enterprise Risk Assessment, where IT Risk Assessment is not tied to overall bank risk.
  • Insufficient IT Audit coverage.
  • General internal controls reviews that do not adequately address IT risk.
  • Policies and control systems out of date and/or out of sync with bank operations.
  • Vendor management documentation and due diligence reports (must be kept current throughout the entire lifecycle of the vendor relationship).
  • Handling of current data-security threats, including phishing/pharming and insider threats.

By managing IT risk from the top down and using regulatory compliance requirements as a baseline, your bank can do a better job of proving to regulators that your IT risk-management policies are appropriate for your bank.

[as published in Oklahoma Banker, Banking Matters & Arkansas Banker]