Technology risk – what (should) keep CROs awake at night?
06 December 2017
We’ve seen payments outages met with serious reputational damage for the organisations involved. They have been nothing short of a game-changer as the scale of potential contagion throughout the UK’s financial system became clear to the regulator. What also became apparent was that the regulator needed to increase its ability to investigate the underlying causes of technology-driven failures.
Since then, we’ve seen technology moving up the risk agenda fast. And of course, technology itself within banks and financial institutions is also evolving at a breakneck pace. Not only is it being used to optimise costs, digital technologies are driving new ways of working and responding to customer demands. The move to cloud comes with new challenges. In many ways, financial services businesses are simply not being enabled by technology, they are themselves becoming de facto technology businesses.
Being able to precisely map critical business outcomes to the technology landscape is far from straightforward. The regulator is seeking to understand the dependencies and paths that end-to-end processes follow. Given the number of critical functions all financial services businesses must perform, and the complexity of accurately mapping each one to the supporting technology, simply understanding where the risks are is extremely challenging.
An additional factor that makes effective technology risk management difficult is the awareness and engagement of the board. Fundamentally, technology is a business risk. Certainly, that’s how the regulator sees it. Yet it has not tended to be addressed in that way. Technologists can find it hard to translate the concerns and challenges they face into the language that the business (and therefore the board) can understand.
So how do risk functions address these issues?
The first line of defence tends to be IT risk professionals who are focused on immediate technology risks and may not be equipped to call out the major business risks. Reliance on time and materials models remains a key feature of the approach for most banks. But automation of risk activities would provide a more mature, data-driven way to provide more effective coverage, more robust comfort and timeliness of alerts and interventions.
In the second line, the risk function, we see a degree of fragmentation, with IT risk quite often sitting outside of operational risk. Multiple functions may touch on aspects of technology, but none is able to take the more holistic and expert perspective that’s needed to provide an effective challenge. And the greater the dependency on technology as processes are automated, the more important the skills and know-how to provide effective challenge become.
Better alignment between regulators’, the business’s, IT’s and third-party contractors’ understanding of priorities is fundamental. So, connection between the business and IT needs to be stronger. The adequacy of the ability to challenge also needs to be assessed and addressed as a full-scale capability and discipline within the formal operational risk structure.
The risks created by technology will only trend in one direction as IT continues to expand its impact and criticality across all operations. Financial institutions need to act now to reconsider if IT Risk is given right prominence and has the strength of capability needed to get to these key issues and be heard.
For more information on managing technology risk click here.