IT Risk Management - Foundations in a technology driven world - Banking blog

Ch-blog-banking-it-risk-management

As technology becomes more pervasive across Financial Services, so do the associated risks; failing to manage these risks creates front page news, as well as an unwelcome and often material financial, customer and reputational impact. Regulators are responding accordingly, with many EMEA regulators paying particular attention to the risks associated with technology. For example, FINMA issued a draft of their revised circular 2008/21 on operational risk management in March 2016 with revised guidelines for managing IT risk.

In our recent EMEA IT Risk Management survey for Financial Services - "Foundations in a technology driven world"–  we surveyed IT risk professionals across EMEA to comment on the key risks, issues and challenges they face in managing IT risk the financial services industry. This publication provides our thoughts on how these challenges can be overcome, and the challenges that might be lurking around the corner. We identified 5 main key risks areas peers across the Financial Services industry are facing today:

1. Managing technology risk strategically

Unsurprisingly, our respondents recognised that executive attention on IT risk management is ever increasing. Compliance with new and existing regulation was a clear leader in terms of focus with over 85% indicating it was one of the top two priorities for their executive. Many organisations still do not feel fully equipped to respond to the regulatory challenge, especially those with a global and multi-product footprint.

2. Getting the IT risk operating model right

With the Business, IT and operational risk functions all in the process of re-evaluating their own operating models, the IT risk function itself has had to adjust too. Our survey indicates that many organisations are struggling with the same fundamental questions how to position the IT risk function as a ‘value creator’ rather than a cost centre and how to enhance the three lines of defence model to better serve key stakeholders.

Ch-blog-banking-it-risk-management1.1

3. Keeping up with the evolving risk landscape

Emerging risks around change execution and operational resilience have joined cybercrime, data security, and third party management as being the most pressing IT risks identified by our respondents. In many ways though, risk identification is just the tip of the iceberg – IT risk is often the risk that the typical Board member may be the least well equipped or informed to understand and oversee. For example, there may be a relatively narrow view of IT risk taken by the Board (e.g. cyber, system availability), rather than a holistic appreciation of other IT risk areas such as change management, risks posed by automation, and underpinning factors such as execution risk.

Ch-blogs-banking-it-risk-management3

4. Staying in control – the divergence between risk exposure and risk appetite

Our survey indicates a gap between business risk exposure - which is growing due to the increased strategic and operational dependence on IT - and business risk appetite, which is not increasing at the same pace. The significant increase in risk exposure demonstrates how critical effective IT risk management is to an organisation. Respondents also identified with a common challenge around accurately measuring business risk appetite.

Ch-blog-banking-it-risk-management5

5. The talent conundrum

With the rapid pace of change across Financial Services, having individuals with the right blend of IT, risk and business experience is often the key to being able to respond to the evolving needs of the business. As IT risk functions compete to attract the best talent, those without a focused Talent strategy are struggling to keep up, often acting as "risk administration" functions rather than true "risk management" functions.

Ch-blogs-banking-it-risk-management6

Conclusion

Our survey findings indicate an underinvestment in people, processes and supporting systems across the Financial Services industry, coupled with an ever increasing reliance on technology to achieve business strategy and exposure to increasingly complex risks, such as cybercrime. This creates an extremely challenging environment in which to manage IT risks efficiently, effectively and in a way that adds value to the business; illustrating that the strategic importance of managing technology has never been higher. The consequences of getting it wrong severely impact an organisation’s reputation, customer confidence and loyalty, thus driving IT risk management firmly up the board agenda.

Ch-profiles-rob-dighton

Rob Dighton, Senior Manager, Risk Advisory

Rob is a Senior Manager within our Technology Risk & Controls team and is responsible for leading the delivery of our IT Risk proposition across Financial Services. He has 10 years’ experience in delivering large scale governance, risk and control projects across the Financial Services sector. His core areas of focus are the design, implementation and enhancement of 1st and 2nd line risk management processes and operating model design for Technology Risk functions.

Email

Ch-profiles-steffan-pietz

Steffen Pietz, Director, Risk Advisory

Steffen is a Director in our Risk Advisory team in Zurich with a focus on operational risk management. He has significant experience in technology and process risk, process controls and risk auditing, as well as Sarbanes Oxley compliance. Steffen holds a Master degree in Business Administration and Economics from the University of Passau, Germany, and has an additional degree in Sinology & Economics from Fudan University, Shanghai.

Email

Comments

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Categories