French version coming soon
By: Carina Himstedt and Merlin Jung
Over the past two decades, IT risk management in financial institutions has transformed dramatically. We’ve seen:
- Enhanced liquidity requirements
- Increased market and capital risks
- A heightened demand for transparency with both the public and regulators
- Elevated standards for risk reporting
- More focus on stress testing
- Rampant cyber threats and other IT security concerns
Clearly, the work of safeguarding data, systems and services is both a top priority and a major challenge for bank executives.
For a first-hand perspective on this evolving landscape, we interviewed 20 Kyndryl executives who work with top brands across the financial services sector. The conversations surfaced three consistent recommendations for banks and financial services companies to address technology risk and resilience moving forward.
Recommendation #1: Improve your IT risk governance
Our research found that, when it comes to IT risk management, using data and technology to integrate business and IT functions can result in a more effective risk model overall.
For example, financial services institutions can use big data, through scenario modelling and automation, to help reduce bias in IT risk decision-making while also reducing overall non-financial risk.
With increasing financial and reputational threats, financial institutions may also want to rethink existing governance around decision-making, budgeting and ownership. Keeping these three responsibilities separate enables more purposeful IT spending and clearer decision-making.
Some practical steps to achieve this goal include:
- Overseeing your IT risk governance and ownership model
- Running recurring IT risk awareness campaigns and trainings
- Forming a risk committee that includes board members
- Making IT risk and its facets—top IT risks, past critical IT incidents, IT investments, risk management culture, vendor risk and more—a regular board meeting agenda item
Recommendation #2: Establish an integrated IT risk model
Talk of transformation in financial services is ubiquitous.
Whether the agenda involves moving to a hybrid cloud model, digitizing services or other infrastructure updates, IT transformation initiatives ultimately must align with a single goal: the integration of IT with lines of business to establish a broader operating model.
Our research found that effective IT operating models tend to identify IT business drivers (such as growth, costs and risks) and connect them to the required operating model components (like governance, management processes, tools and technology). This connection helps to enable IT risk management across the organization and links those management practices back to the institution's IT management areas (like service continuity, vendor management and IT strategy).
While the names or configuration of these areas may vary from company to company, they are typical of the activities required to implement IT capabilities in a financial organization. Risks may still occur in such a model due to unsound management or delivery of any of the components, but the inherent design of comprehensive accountability reduces the likelihood.
Recommendation #3: Adopt a more cyber-resilient posture
Our research found that IT risk management tends to be stronger when combined with a more cyber-resilient posture. It's vital to actively account for and manage:
- The age of IT infrastructure elements (hardware, software, middleware, networks)
- The availability, criticality and stability of its components (apps, servers, databases)
- The IT security framework throughout the organization
Building a taxonomy for these elements can help identify blind spots and produce real-time recommendations for prioritized actions.
For example, there is a general understanding throughout the industry that tackling the issue of obsolescence is critical to both an institution’s overall well-being and its ability to keep pace with competitors.
Our interview findings suggest that while some financial services customers have chosen mitigation tactics such as slowing or freezing current and planned transformation activities, such approaches are not viable in the long term.
While the transformation of legacy technology is no simple endeavor, it ultimately cannot be avoided. Delaying the refresh of obsolescent technology components not only poses further risks, but also impacts the entire IT transformation. As such, it’s important to focus on updating any obsolescent technologies before moving on to broader transformation efforts.
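As an added illustration of the taxonomy described above (not code from the article or from Kyndryl), the following script builds a small component inventory, classifies each element by support status and criticality, propagates obsolescence up the dependency chain (an application running on an unsupported host is itself unsupported, whatever its own vendor dates say), and emits a prioritized action list with inventory blind spots called out. The inventory, the dates, the severity weights and the action wording are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Component:
    """One element of the IT taxonomy (hardware, software, middleware, network)."""
    name: str
    layer: str                        # hardware | software | middleware | network
    criticality: int                  # 1 (low) .. 5 (payment-critical); assumed scale
    end_of_support: Optional[date]    # None = date not known: an inventory blind spot
    depends_on: List[str] = field(default_factory=list)


# Assumed severity weights: an unknown support date on a critical component is
# ranked above a known, still-future expiry because it cannot be planned for.
SEVERITY = {"supported": 0, "expiring": 2, "unknown": 3, "unsupported": 4}

ACTION = {
    "unsupported": "refresh before any transformation work touches it",
    "expiring": "schedule refresh within the remaining support window",
    "unknown": "establish the end-of-support date (inventory blind spot)",
    "supported": "no action",
}


def support_status(c: Component, today: date) -> str:
    """Classify a single component by its own end-of-support date."""
    if c.end_of_support is None:
        return "unknown"
    if c.end_of_support < today:
        return "unsupported"
    if (c.end_of_support - today).days <= 365:   # assumed one-year planning horizon
        return "expiring"
    return "supported"


def effective_status(name: str, inv: Dict[str, Component], today: date,
                     path: frozenset = frozenset()) -> str:
    """Worst status along the dependency chain. A dangling reference or a
    dependency cycle is itself treated as a blind spot ("unknown")."""
    if name not in inv or name in path:
        return "unknown"
    c = inv[name]
    worst = support_status(c, today)
    for dep in c.depends_on:
        s = effective_status(dep, inv, today, path | {name})
        if SEVERITY[s] > SEVERITY[worst]:
            worst = s
    return worst


def prioritize(inventory: List[Component], today: date) -> List[Tuple[int, str, str, str, str]]:
    """Return (score, name, layer, effective status, action), highest score first."""
    inv = {c.name: c for c in inventory}
    rows = []
    for c in inventory:
        status = effective_status(c.name, inv, today)
        rows.append((SEVERITY[status] * c.criticality, c.name, c.layer, status, ACTION[status]))
    rows.sort(key=lambda r: (-r[0], r[1]))
    return rows


def blind_spots(inventory: List[Component], today: date) -> List[str]:
    """Components whose own support date is missing, regardless of dependencies."""
    return sorted(c.name for c in inventory if support_status(c, today) == "unknown")


# Constructed sample inventory; none of these are real systems.
TODAY = date(2024, 9, 1)
SAMPLE_INVENTORY = [
    Component("core-switch", "network", 5, date(2030, 1, 1)),
    Component("db-host", "hardware", 5, date(2023, 6, 30)),                     # already unsupported
    Component("oracle-db", "middleware", 5, date(2027, 1, 1), ["db-host"]),     # inherits it
    Component("payments-app", "software", 5, date(2028, 1, 1), ["oracle-db"]),  # and so does this
    Component("app-server-os", "software", 3, date(2026, 1, 1)),
    Component("hr-portal", "software", 2, date(2025, 3, 1), ["app-server-os"]), # expires in 181 days
    Component("legacy-reporting", "software", 2, None),                         # date unknown
]

if __name__ == "__main__":
    for score, name, layer, status, action in prioritize(SAMPLE_INVENTORY, TODAY):
        print(f"{score:>3}  {name:<18} {layer:<11} {status:<12} {action}")
    print("blind spots:", blind_spots(SAMPLE_INVENTORY, TODAY))
```

The point the ranking makes is the one the article closes on: the payments application looks healthy on its own vendor dates, but sits on an unsupported host, so it lands at the top of the refresh list ahead of anything scheduled for broader transformation, while the missing date on the reporting tool is surfaced as a gap to close rather than silently scored as "supported".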