The future of technology risk

14 November 2017

In September this year we hosted the FS Technology Risk Leaders conference where we hosted 50 senior clients across the banking, insurance, asset management and market infrastructure sectors and the agenda focused on technology developments and the risks and regulation impacting the sector. In addition we were also by joined the Heads of the IT and Cyber Resilience teams at the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA)- a session which did not disappoint.

What we learned: 

A big message from the conference and the focus of discussion at the FS Technology leaders’ dinner held on 9 November 2017 was the stance of the UK regulators. The PRA stated its objective for "Operational Resilience and Financial Resilience to have equally standing by 2020".  Across the UK regulators there is a clear view that firms' should be able to withstand technology disruption and carry on, rather than falter and recover. There is expectation of greater regulatory focus and firms are anticipating the following over the coming months:

  • another "Dear Chairman"- type exercise- an information gathering exercise issued across the FS sectors.  
  • a deeper focus on IT vendor/third party risk- supervision focus will increase and there will increased efforts by the regulator to identify concentration risks across common vendors
  • challenge on the measurement of cultural improvements- there is a growing interest in how firms measure these improvements from IT risk awareness to cyber training for staff 
  • greater examination of technology risks within capital adequacy- technology is a capital risk and will be formally accessed within the ICAAP (SREP) process from 1 January 2018. 

Against this regulatory agenda, the quality and capability of technology risk functions have strengthened but firms are now really pressured on cost, headcount and coverage.  It feels like tougher times for IT risk functions. 

Beyond adolescence: 

There is a strong recognition across the sector that technology risk disciplines need to evolve and mature beyond current 'adolescence' state to remain fit for purpose and relevant given major shifts in technology. Whilst flexibility to do so in 2018 budgets remains challenging the imperatives for functions include the need to:

  1. Future proof the target operating model for the technology 3LoD- organisation alignment and sourcing of skills and capabilities requiring development. There is undue reliance on a legacy 'time and materials model for technology risk activities. 
  2. Technology-enabled risk management - coverage across the "legacy" or basics still remains a challenge. The scope and coverage of technology risk needs to move to a data enabled footing, providing efficient coverage, more substantive comfort and timeliness of alerting and risk intervention. 
  3. Access capabilities and approaches to tackle emerging technology- emerging technology is already being deployed, often through 'digital/incubator' capabilities which are outside of traditional IT and governance structures.  'Sins of the future' may already be here and risk approaches and frameworks need to be developed, including controls and monitoring as Day 1 requirements.
  4. Get clarity on the end-to-end processes and define the true Operational IT and Cyber Resilience need - Understanding within the business and IT on 'critical services' still remains variable and the technology supporting these is not understood end-to-end. Customer or market outcomes cannot yet be sustainably protected and there remains confusion between business and IT ownership of these risks
  5. Achieve greater commonality of IT risk approaches across the sector- whether it be control frameworks, an approach to resilience or coverage of vendor risks, increased standardisation focused on "bite-sized" common agendas is not only desirable and possible across the sector, leading to better collaboration, utilities and reduced cost.  

If you would like to discuss any of the above themes and how PwC can help you accelerate your technology risk management agenda at reduced cost, please contact David Lukeman on david.lukeman@pwc.com or +44 (0) 7801 227259.

David Lukeman | Partner
Profile    
Follow @david_lukeman
Twitter
LinkedIn
Facebook
Google+

Comments

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated and will not appear until the author has approved them.