By Sandeep Gupta
The metamorphosis of the banking sector is a shining illustration of IT-enabled growth and technology-powered amalgamation of banking services. Today, it’s impossible to even think of a bank that runs without IT applications. From mundane back-end processes to multimedia-based e-banking interfaces, IT has enabled banks to overcome geographical limitations and rising transaction volumes.
As per a survey by Capgemini, almost 90% of any bank's technology budget is spent on the maintenance of legacy applications. This only means that corporate governance today leans strongly on IT.
In India, IT governance in banking has assumed deep significance and one can now see a majority of customer processes being automated, especially with the advent of new payment systems.
In banks, effective governance can increase accountability, provide quantifying criteria, and improve planning for IT functions, but beyond these, it improves the ability to support the bank’s strategy and deliver value.
Risks and Security Measures
Risks are People, Process, and Technology.
In banking today, more systems, applications and services are exposed to the customer through self-service channels which have a direct bearing on customer experience. They can create significant opportunities but increase the risk of poor performance. Thus, quality of IT governance has become an important tool for managing risk and marketplace effectiveness.
However, IT governance comes with a slew of risks, and the distinctions among them are distorted with the merger of people, process and technology. This can lead to a serious impact on operational effectiveness.
There is a need for security governance within banks, which entails building a robust framework and laying down a comprehensive information security policy. In addition, it relates to creating a data prevention framework for minimizing data breaches.
Model to Assess IT Governance in Banks
IT governance is now used as a tool for business transformation. Five metric models can be used to assess the effectiveness of IT governance in any financial institution.
Following are the metrics (COBIT Framework):
Strategic Alignment: This requires the involvement of all stakeholders to ensure that IT strategy is linked to business strategy and is directed towards balancing investments and making appropriate use of IT resources.
Value Delivery: It deals with making sure that IT delivers the value across the value chain that was recognized at the start of any governance project.
Performance Delivery: Here, the business value obtained from IT is quantified to understand the return on investment.
Risk Management: A separate IT governance model can be proposed around risk management as it’s the most important pillar of any IT governance initiative.
IT Governance Model Based On Integration of Risk Functions: This model is based on the idea that control functions operating within banks can be integrated for the purpose of assessing IT Governance.
As per Basel norms, there are three mandatory control functions in banks:
-- Controlling risks: this function is accountable for monitoring and analysis of risk, and participation in the design, implementation and oversight of risk management models.
-- Managing compliance: this function is concerned with identification and assessment of compliance risk and assessing the impact of changing regulations.
-- Internal audit: this function is responsible for managing the internal business processes and establishing a change control framework around the same.
All these functions are completely independent units and can be actively used to monitor business activity.
These are some of the areas falling under various control functions that need to be evaluated for assessing IT governance: Information and IT risk management, Physical and logical access control, Information Security asset, Operational and system files, Password security, Configuration management, Change management, Business continuity management, and Disaster recovery.
Key Practices for Effective Governance:
For a financial institution to benefit from IT governance, some of the practices which they can employ are detailed below:
-- Risk management collaboration – It deals with the collaboration between business and IT to develop an overall approach to IT risk management.
-- Unambiguous project metrics – Laying down all the project metrics right at the start, such as efficiency improvement and how to drive revenue.
-- Preventing data loss – Data loss prevention (DLP) helps detect and prevent confidential data from being “leaked” out of an organization’s boundaries for unauthorized use.
-- Process-driven environment – The organization will need proper documentation for all the processes and the use of various process improvement tools such as Six Sigma and lean practices.
-- Restructuring approach and abiding – Redefining the IT governance structure as per company culture, which can be decentralized or centralized as per operational extent, and making IT governance a strategic component of overall corporate strategy.
-- Asset management – This involves making appropriate use of all the resources while aligning them to various business needs.
-- Measuring customer satisfaction – Employing feedback and surveys to understand customer satisfaction.
-- Effective communication – Building an effective communication culture within the IT organization.
By developing effective architecture governance and managing information risk and security, IT governance can manage demand, deliver value, and protect against risk. A robust IT framework in banks helps to establish equilibrium between rigor and responsiveness on an ongoing basis. If the IT governance framework is implemented properly, it can directly affect how IT is perceived at higher management levels. With apparent benefits accruing from IT governance, such as reduced costs, reduced exposure to legal risk and improved performance, developing and implementing an Information Governance Framework (IGF) is of paramount importance for any banking institution.
(The author is head - banking practice at Nihilent Technologies)