Most financial institutions make a significant investment in managing enterprise IT risk yet continue to suffer losses. Examples include the security breaches at a payment processor that put over a million MasterCard and Visa credit card numbers at risk, and the technical problems with the trading platform that hampered Facebook’s initial public offering.
So how can financial institutions implement IT controls that address the changing risk landscape effectively?
The key is to recognise that risk frameworks and guidelines only deliver value when calibrated to a company’s specific needs.
Five key principles apply to implementing more effective IT controls:
1. Link IT risk measures to key business objectives
The metrics relating to IT risk can be overwhelming and difficult to tie to specific business objectives. As a result, they may fail to reflect the priorities of senior management. Address this problem by qualifying business objectives and then drilling down to specific IT measures. When trying to assess customer creditworthiness, for example, measure the criteria that produce a good credit score. Make it clear to all stakeholders why each measure has been chosen and what the impact on the business would be of failing to control each particular risk.
2. Apply a single risk management system across the enterprise
The whole business is served best when there is a single system of risk management across the enterprise. Make sure business units and IT departments avoid the temptation to establish their own systems. The effort involved in reconciling separate systems is considerable, and seemingly minor differences in systems’ configuration (such as the way time data is collected) yield significant reconciliation errors, undermining confidence in the enterprise-wide system.
3. Calibrate for both today’s and tomorrow’s risks
Evaluate the risks posed by new technologies (such as field-programmable gate arrays and cloud computing) and trends (such as bring-your-own-device) on the basis of the business’s appetite for and exposure to risk. Core risk management practices may remain unchanged, but evaluate the risk horizon regularly to identify new threats and determine whether you need to make changes to controls such as authentication rates.
4. Preserve information that is meaningful for the business
Traffic-light dashboards highlight priorities for action and support management decision making. But a common failing is to strip away much of the metadata that is meaningful to the business. For example, a red, amber and green system does not show the relative importance of a project worth £10,000 to the company and one worth £1,000,000. As a result, the dashboard not only fails to convey the potential impact on the business of a particular risk, but also presents a misleading picture of the relative significance of different risks. Make sure the dashboards you use are founded on a rich set of information; they will be impaired without it.
5. Enable a strong risk management culture and governance
Even the best risk management system is ineffective without a strong risk culture in place. Develop a culture that allows challenges to assumed ways of thinking and behaving. IT risk functions embedded within business units result in silos and lead to poor risk communication across the company. Manage IT risk on an enterprise-wide basis to cut across silos and allow the business to respond dynamically.
From improving safety critical systems at BP to building resilience at a global retail bank, PA has extensive experience working at the forefront of IT and cyber security, risk and resilience.
To find out how we can help your organisation manage IT-related risk effectively, please contact us now.