Information technology is a fundamental business enabler in today's financial services sector. Now more than ever, financial institutions (FIs) are looking to IT solutions to help them address fundamental business challenges - from delivering more personalized customer service to managing risk to improving operational efficiency. The now inextricable link between IT and business operations has fueled a compelling need for FIs to implement comprehensive and holistic IT governance, risk and compliance (GRC) strategies.

Global FIs that have evolved over time use hundreds of applications that are custom-built, acquired from third parties or part of a legacy system - many of which operate across multiple IT platforms. Today, most FIs manage IT governance activities in silos, an approach to GRC that creates a disconnect between interrelated risk and compliance initiatives and duplicates effort within ineffective IT transformation plans. Time and again, the financial costs of IT failures plaguing organizations underscore the interdependency between risks, controls, policies and procedures across the global enterprise. Rigid processes and a lack of visibility into the IT ecosystem strengthen the case for easy adaptability to changing business and regulatory needs.
Effective IT governance demands the alignment of IT processes with business needs and requires the ability to model and manage IT processes around clear business strategies. This strategic understanding streamlines IT processes, and instills discipline in the execution and management of assets and change. In today's economy, business and IT alignment has been elevated to a "must-have" in the financial services industry as it drives bottom-line benefits.
A holistic approach to GRC enables FIs to save resources, while providing a robust platform for communication between disparate entities. Additionally, it increases visibility into the true cost of facilitating IT process transformation plans; provides transparency across processes, policies and workflows; and enables insight into IT objectives, activities and performance. These capabilities help to optimize IT costs, improve risk management, effectively measure performance and facilitate process improvements based on derived insights, while ensuring the scalability and readiness to manage future requirements. Further, an integrated approach can improve regulatory compliance with internal controls and facilitate sound decision making.
A Multi-Pronged Approach

In pursuing a holistic and integrated approach to IT GRC, FIs need to establish a process framework that incorporates best practices across various IT processes, frameworks and models. This framework should include an integrated mechanism to identify risks inherent in all process areas and underlying activities, and define controls to mitigate these risks. Integrating controls into processes is key to the success of this approach, and managing controls and processes together delivers tremendous cost and time benefits. FIs should require compliance with these controls to ensure a healthy process and risk management framework.
The integrated GRC framework includes the following elements:
Abstract Process Framework: FIs should establish a repository of best-of-breed processes and combine these resources with an embedded system along the process map to identify, track and mitigate risks as they occur. FIs can customize, simulate and analyze these abstract processes to identify bottlenecks and opportunities for cost reduction.
Centralized Risk and Control Repository: A comprehensive repository of risks and mitigating methodologies is essential to identifying and reducing process management-related risks. This repository should include test cases and defined key-risk indicators to measure the effectiveness of suggested methods and controls.
Self-Assessment Exercise: FIs must perform periodic self-assessments to identify, track and close corrective action plans. These actions also ease internal and external audits by ensuring adherence and preparedness.
Process Orchestration: Orchestration automates the processes designed in the process repository, from end to end, across both human and automated tasks. FIs can monitor, measure and analyze the performance of the integrated processes, policies and workflows. Orchestration facilitates continuous process improvement and enables FIs to execute self-assessments and evaluate control effectiveness on a daily basis.
Management Information System Reporting: FIs should customize reports based on data collected from process orchestration, risk mitigation and compliance activities to facilitate performance assessment and continuous process improvement.
Meeting Industry Challenges

An integrated approach to GRC enables FIs to meet multiple IT challenges across today's dynamic market scenarios, including the complexities of mergers and acquisitions, outsourcing strategies and core banking deployments. In a merger or acquisition, each FI has its own IT systems, culture, human resources and procurement policies. An integrated IT-GRC framework helps to align processes, establish a consolidated governance process and reduce costs. It also facilitates simulation and analysis of critical processes before actual implementation in the merged entity. Further, the IT-GRC framework provides FIs with effective processes to manage IT investments and built-in metrics to measure various parameters - helping FIs to optimize existing systems and forecast future needs based on capacity utilization.
Many FIs also outsource non-core activities to control costs and free internal resources for other purposes. Outsourcing poses multiple challenges, such as vendor selection, social and political factors, time-zone management and business continuity. An integrated IT-GRC framework provides FIs and their outsourcing partners with pre-built processes to address these areas.
The IT-GRC framework also includes processes on project management, application management, service desk, change management, problem management and incident management to aid in core banking deployments, which involve ongoing customization and require a change in the cultural perspective of a bank.
In today's market, FIs are looking to IT as a business enabler to help address myriad challenges and re-orient their business goals. An integrated approach to GRC provides FIs a comprehensive approach to meet IT, risk management, compliance and business transformation goals and provides the agility to adapt processes for continued success.
G.R. Sivaramakrishnan is managing principal, Oracle Financial Services Software Consulting, Oracle Financial Services Software Ltd.