Eliminating Technology Risk Blind Spots

Transcription

1 Eliminating Technology Risk Blind Spots Mastering Alignment to Business Outcomes A FINANCIAL SERVICES INDUSTRY PERSPECTIVE

2 Executive Summary At their core, financial services industry (FSI) companies are technology businesses, the success of which hinges on the ability to manage opportunities and threats on each side of the risk coin. But FSI companies face a pressing risk management problem: Most of their technology risk frameworks are decidedly one-sided, focused perhaps not surprisingly on technology rather than the business it supports. An unintended and perhaps more surprising consequence of this is that many of the risks arising from the use of technology are often understated or misstated, if not missing, from operation risk reports, as the business consequences of technology risks are not well understood and are difficult to quantify. To correct this problem, FSI companies need to rethink and revamp their information technology (IT) risk frameworks so that they are aligned with business services. Simply stated, too many technology risk programs focus on IT-specific measures, such as network availability and incident counts; too few focus on business outcomes. Technology measures are absolutely necessary, but not nearly sufficient; metrics and supporting processes should map to business processes so they can be managed and prioritized more effectively from a business risk management perspective. In this white paper, we define the nature of the technology risk management challenge for chief information officers (CIOs), other IT executives, chief risk officers (CROs) and operational risk executives. We also highlight a four-level mapping process that integrates technology risk management with business risk management. 1

3 THE DETAILS ARE NOT THE DETAILS. THEY MAKE THE DESIGN. CHARLES EAMES, U.S. DESIGNER INTRODUCTION: IT FIGURES INTO OPERATIONAL RISK S GRAND DESIGN Technology risk management within many financial services industry companies (FSI) suffers from too much focus on IT applications and components and too little understanding of how those technologies relate to the grand design of the enterprise s business operations. Consider an IT-centric metric, such as 99.9 percent server availability. The metric sounds interesting, perhaps even impressive, and it qualifies as a necessary measure. However, this detail lacks context. It is not sufficient on its own, from an operational risk management perspective. That s because this IT-centric measure brings up a higher-level question: What are the potential business consequences of the 0.1 percent of the time the server is unavailable? A similar challenge could be raised when looking at metrics such as, Ninety-nine percent of our systems are patched within 10 days. This begs the question: What is the sensitivity of the data and/or business consequences of service failure of the systems running on the other 1 percent? Answering these questions is not easy, but has become increasingly necessary, not only to establish a transparent and understandable link between technology risks and business objectives, but also to do so from a regulatory compliance standpoint. Operational risk reporting rules require a comprehensive, detailed assessment of operational risks, including risks arising from the utilization of technology. As a result, the development of stronger links and clarity between apparent IT-centric risks and the highest level of operational risks is not a nice-to-have, but a must-have. Without question, this is not easy to achieve. But aligning technology risk management and operational risk management is certainly possible, via a solution we have devised that can be implemented anywhere within IT and applied as deeply or as quickly as desired. The approach is straightforward and generally requires organizations to work through four levels of maturity: Level 1 (IT component level Initial): Analysis of technology risks at application and infrastructure levels (focus on specific IT incidents and problems) Level 2 (Application level Integrated): Consolidation of technology risks at an application level (to understand the impact of specific technology risks on key business applications) Level 3 (Business service level Aligned): Association of applications with the business processes that they support (increasing visibility of business impact of technology risks arising) Level 4 (Optimized): Full transparency of business risks associated with the use of technology, fully integrated with operational risk reporting (metrics that provide an end-to-end view and focus on the business consequences of technology risks arising) Understanding and addressing the issues at each level is important and necessary. Neglecting or skipping any of them creates potentially serious problems, including wasting risk remediation efforts on noncritical activities; hampering the flow of important IT risk information to regulatory-mandated operational risk reports; and, perhaps most important, depriving IT, the risk function and the organization itself of potentially critical information about operational risks. 2

4 LEVEL 4 OPTIMIZED Business-Value Centric All elements of Levels 1-3 maturity retained IT risk management (ITRM) fully integrated with enterprise operational risk management (ORM) IT metrics fully integrated with other operational metrics for full transparency of risk IT risk management mitigation efforts and investments fully integrated with enterprise operational risk efforts IT and operational risk management proactively incorporate emerging technology risks into the risk management equation Focus: Protecting and enhancing the value of the business LEVEL 3 MANAGED/ QUANTITATIVE Business-Service Centric Aligned All elements of Level 1 and 2 maturity retained ITRM framework defined primarily by business-specific risks vs. IT risks Key business and IT metrics calibrated to business risk tolerance Business outcomes directly mapped to underlying IT systems, processes, services and architecture elements Key IT metrics expressed in terms of business outcomes Risk mitigation efforts against IT risks can be substantiated by predicted improvements in business outcomes Focus: Management of business risks/outcomes via the management of IT controls and processes LEVEL 2 DEFINED/ INTEGRATED IT-Application Centric All elements of Level 1 maturity retained IT process, service, application and service catalogs developed and mapped to business processes Increased risk in IT processes is linked to increased risk in related business processes IT risk reporting focuses on both IT processes and potential impacts to business IT risk tolerance and IT risk mitigation efforts are refined and informed by potential impact to business outcomes MATURITY OF ITRM FUNCTION Focus: Management of IT-specific risks with a clear understanding of business process impacts LEVEL 1 INITIAL/ STRUCTURED IT-Component Centric ITRM governance and oversight defined Defined ITRM process model deployed Critical IT processes and risks defined Controls inventoried and assessed Metrics captured and targets defined Risk tolerance defined at the IT process and IT component level Consistent and detailed reporting on metrics, risks and remediation items performed Focus: Management of IT-specific risks, metrics and controls Currently, a significant number of FSI technology risk management capabilities reside at what we define as Level 1 or Level 2. When these capabilities mature to Level 3 and Level 4, IT and operational risk managers gain more precise insights they can leverage to design and prioritize mitigation strategies that focus on those risks that are most important to the business. Unfortunately, in an industry segment that prides itself on the ability to take well-managed risks, businesses at Level 3 or Level 4 are very much isolated exceptions and not the norm. The mapping process can be difficult, but it is achievable. The art resides in applying the steps that allow maturation through the levels, given the unique environment of each FSI company. Despite the difficulty of this challenge, there is both a will (in the form of regulatory compliance requirements) and a way forward. On the following page, we illustrate that way forward by examining the problem in greater detail, describing the benefits of tackling the challenge with a real-world example and laying out the ways that leading IT functions in FSI organizations create better alignment between technology risk and operational risk frameworks. 3

5 THE FOUR-LEVEL PAYOFF: MORE CONTROL, FEWER CONTROLS Whether or not IT executives and professionals acknowledge it, every FSI company is a technology business. Every important business service is enabled by technology. By failing to link technology risks clearly to operational risks, FSI companies incorrectly prioritize, mismanage or neglect crucial operational risks. Although this problem is acute in the FSI, the general alignment of IT and initiatives with corporate strategy remains a pervasive challenge across all industries. Of note, aligning IT initiatives with business goals ranked as the top CIO challenge for 2014, according to CIO magazine. 1 These statistics may frustrate many IT and risk executives, given the investments many FSI organizations have made in technology controls over the past decade. Despite all of that work, the alignment of technology risk management and operational risk management remains a major challenge due to several factors, including: Complex and fragmented IT infrastructures following decades-long merger and acquisition (M&A) activity The accumulation of layers upon layers of technology plaque over time Duplicative, fragmented, overlapping solutions built in through line-of-business, product or departmental silos The accelerating pace of change, the prevalence of outsourcing and the explosive adoption of emerging and disruptive technologies, such as cloud, mobile, big data and social Rising technology investment conducted outside the IT function There is good news, however. With the right framework, practices and focus, the mapping of technology risk to operational risk is quite achievable, and holds the promise not only of managing risk more effectively but also of creating greater IT and business alignment. Signs of Misalignment The following signs suggest that the alignment between technology risk management and operational risk management needs improvement: Technology risk reporting is performed for reporting s sake or seen as a compliance exercise. There are overwhelming amounts of technology risk data, but underwhelming amounts of technology risk information. Technology risk metrics are expressed solely in IT terms (e.g., server or network availability, number of incidents). There is lack of business support for critical technology investments focused on risk management or control. There is confusion about which IT investments should be prioritized over others. IT infrastructure leaks are plugged rather than investing in more strategic, comprehensive improvements. There is a widening wedge between IT and the business. To illustrate, consider an operational risk related to online payment transactions. We describe this risk according to the four-level approach defined earlier. When a company measures and manages technology risk at the technology component level Level 1 (Initial) in our model without recognizing higher-level links to the applications, systems and processes, real business risk may be overstated or understated. At this level of maturity, IT may drop everything when that server goes down to fix the problem and maintain an impressive, but IT-centric, performance measure of 99.9 percent server availability. However, IT remains in the dark as to how and even if this intense effort relates to the company s most important operational risks. 1 CIO magazine 2014 State of the CIO Survey Results: For more specific IT trend information, see 4

6 Level 2 (Integrated) maturity brings to shape a broader perspective by considering the implications of risk at the application or system level. Very often, these applications or systems are risk-ranked for purposes such as business continuity management, but this still does not fully address which technology risks link to operational risks. At this level, the IT function might tie infrastructure availability to the availability and performance of applications that rely on that infrastructure: To what degree is the application available? How many security incidents have affected the application? In our online payments example, IT might know which applications or systems are most critical, but they also might miss key system interdependencies or weak links in the ecosystem. The majority of FSI IT functions, even those that believe they have mature technology risk management in place, tend to be at Level 2 maturity. Level 3 (Aligned) maturity incorporates a more collective perspective in which IT looks beyond the application level to understand how these applications and systems tie in to the rest of the organization and its key business processes. At this level, IT recognizes and understands which applications and systems support business services online payment transactions in our scenario. This is critical because most business services require multiple systems to complete the business transaction. Understanding the end-to-end value chain equips IT with the clarity necessary to prioritize how it responds to incidents and how it designs resiliency into its architecture to mitigate risk. This critical mapping too often is overlooked or incomplete. The awareness of business services achieved at Level 3 maturity ultimately enables Level 4 (Optimized) maturity, in which technology risks are being addressed both reactively and proactively in a way that aligns with operational risk priorities. At this level, a common language is established between IT, business and risk organizations, and relevant risk information flows naturally between IT, risk and business functions to ensure that risk management priorities are adjusting in response to business changes. In our example, metrics are not focused on individual components and availability, but on the number of online payments completed successfully. A planned outage, when no transactions are being processed through a payment gateway, has no business consequence. This awareness ensures technology risk management activities remain keenly focused on what truly matters to the business. At this level of maturity, IT functions can exercise more control while relying on fewer controls. ALIGNMENT IN PRACTICE The negative consequences of technology and business risk misalignment are high, but this doesn t mean the problem is easy to spot. Many FSI IT functions with the best risk management intentions experience the problem, even as they invest large amounts of time, energy and resources in the development and maintenance of technology risk frameworks and functions. This was the case at a top 10 global bank that spent significant time identifying, managing and massaging its technology risk factors. The vast majority of this work and the measures it produced focused on incidents: How many incidents occurred? What was their duration? How long did it take IT to recover from the incidents? Over time, the IT function effectively reduced the number and duration of incidents. The CIO Three Types of Misalignment 1. Complete disconnection: In these cases, the technology risk approach exists without any meaningful links to an enterprise risk framework. The risk appetite and risk language used in the enterprise risk framework are absent from the technology risk framework. 2. Misalignment: In these cases, attempts to map technology risks to business risks have been made, but they are off the mark. For example, the links may reflect lack of context and prioritization (e.g., treating technology risks that underpin an employee application with the same urgency as the technology risks lurking in a proprietary trading system). 3. Technology-heavy measures: In these cases, some technology and business risk alignment exists, but the management of those risks lacks precision because it remains too technology-focused. Measures of rootcause technology risk predominate over business measures, and this imprecision clouds risk decisionmaking and slows technology funding decisions. 5

7 considered that a win until he launched an effort to align the function s technology risk framework to the company s operational risk framework and to key business processes. The alignment effort produced some fresh insights as new business-aligned metrics were implemented. The change from focusing solely on IT incidents or metrics to focusing on the success of critical business transactions (e.g., the number of online bill payments and the success rate of those online bill payments) yielded some surprising new insights that ultimately helped propel an expanded IT and business risk alignment effort. By tracking new business-centric metrics, the IT function learned that continuing to focus on the incidents it had monitored, measured and managed so rigorously had a diminishing return on the success of key business transactions. Instead, the IT function s planned maintenance windows, which temporarily shut down certain parts of the IT environment and prevented transactions from taking place, had become the most important factor determining the success of the transactions. While the function s previous hard work had driven down the number of incidents (a very good thing), continuing that focus would have had limited impact on the key business outcome: successful business transactions. Benefits of IT and Business Risk Alignment The IT function immediately began figuring out ways to reduce the number and duration of maintenance windows. This resulted in redesigning architectures and practices around how systems were developed and changes were deployed. That work, and the metrics it produced, quickly had a positive effect on transaction success rates. There were other benefits, as well. The shift opened up more constructive dialogue with business partners about links between a wider range of business and IT services in the company s increasingly aligned approach to IT and business risk management. Getting Started Now that the problem and challenges have been defined, along with the benefits of stronger alignment between IT and the business it serves (see sidebar), how can an FSI organization get started in realizing these advantages? Of note, the benefits identified in our sidebar represent a partial list. Developing a technology risk framework that is aligned with enterprise risk delivers many other positive outcomes, including a more effective use of capital. The general steps required to implement this framework include: Identification of key business services Mapping of IT services to business services Monitoring, measuring and managing the risks this process identifies A better understanding of technology risks Ease of quantifying the business impact of technology risks More effective operational risk management Stronger preventive capabilities Healthier, more practiced collaboration between IT and business Better IT investment decision-making and prioritization Less tactical, reactive approaches to risk and control solutions, enabling a more strategic approach Fewer funding battles over IT investments More effective use of capital Mapping is often the key step. Many FSI companies have defined their fundamental business processes, and many IT functions have documented their own key services; however, the links between these two sets of services, processes and subprocesses are often missing or insufficient. Mapping your IT services to business services requires a comprehensive connect-the-dots exercise. Each business service is supported by a complex, and often interconnected, supply chain of IT services (including databases, networks, platforms and applications). 6

8 When getting started, it is important to keep in mind three qualitative aspects of the work: 1. Readiness and maturity vary: Not every organization can proceed immediately to the highest level of maturity. Some companies will start at square one, while others may already be far down the road. There is no one-size-fits-all approach, but the basic underlying principles are consistent. 2. It may take time: Part of the reason IT and business risk misalignment is so prevalent is that it typically runs deep and has worked its way into IT organizational processes and personal habits. Bottom line, this process requires time, patience and organizational fortitude. 3. Companies can begin anywhere and/or go as deep as they like: Fortunately, this work can be as focused or as ambitious as organizations desire. Some IT functions start with one business process, while others will start with a much larger scope by, say, focusing on the company s top 20 business services. It is important to keep in mind that small successes can help sway skeptics and encourage buy-in for expanding the effort. Once the aligned framework is structured for a single business service or process, it can be applied to additional business services. The initial focus may be on business continuity and/or security. Common areas into which alignment can then be expanded include: Information management Vendor risk management Spreadsheet risk management Model risk management Data governance A misaligned technology risk approach begins and typically ends with the root cause of an IT service. This starting point can be as specific as a testing problem or as broad as IT asset management. The mapping of IT and business risk should begin with a business service and end with IT enablers. Consider IT asset management an IT-centric process that, on its own, has no links to business services. The links exist, of course, and the mapping process will expose and document where they are and which links are most important from a risk management perspective. Fleshing out these links starts with examining a business service or even a business risk, such as the loss of customer data, and asking questions such as: Why is the customer data being lost? The answer may be that devices with important customer data are not secure. If that s the case, which devices contain that data? By starting with business need and working backward to IT enablers, IT functions can identify and quantify the risks more precisely within their realms in business terms. Doing so helps bolster operational risk management. It also helps CIOs get the green light on funding requests. Whereas a general request for a budget increase for general IT asset improvement likely will fall on deaf ears, a funding request to reduce downtime for a bank s critical mobile payment services undoubtedly will be understood more clearly and considered more seriously. 7

9 IN CLOSING THE NEAR MISSES WILL ADD VALUE A smoother path for funding requests and approvals is just one of the signs that the alignment process is working. One of the most telling signs of alignment success is the things that previously qualified as near misses potentially treacherous events that too often go undetected are spotted and responded to in a way that adds value. Suppose an issue related to the way a particular IT team performs change management winds up striking a relatively unimportant system. Without a business-aligned technology risk framework, that event would barely register, and addressing it would almost certainly fall lower on IT s to-do list. On the other hand, a business-aligned technology risk framework provides visibility into the other systems that the change management-challenged team is responsible for managing. If any of those other systems support critical business processes, the near miss will trigger an immediate response. That type of preventive activity requires the business and technology risk management alignment described in this document. Achieving this alignment requires greater attention to details that extend above and beyond but are connected to IT issues, the management of which should be designed to strengthen operational risk management. When Speaking Business, Say This Not That A recent Economist Intelligence Unit survey found that IT innovation within companies across all industries, including financial services, hinged on the IT function s ability to communicate the benefits of technology by speaking, first and foremost, in terms of solving customer or partner problems. (Source: The Strategic CIO: Risks, Opportunities and Outcomes, The Economist Intelligence Unit, 2013: EMC_Strategic_CIO.pdf.) That sounds straightforward enough, but long-standing communication breakdowns between IT and the business suggest otherwise. IT can fortify communications with the business by rephrasing IT-focused language in business terms: Say This: We have issues threatening to take our online banking system offline. Not That: We have problems with testing and change management in India. Say This: We re losing customer data because our devices are not secure. Not That: We need more funding to improve IT asset management. Say This: We need $5 million to address the issues that caused five major trading interruptions last year. Not That: We need $5 million to change the way we perform software development and testing. By elevating technology risk management to a Level 4 maturity stage, FSI companies achieve: 1. Better overall risk management and better alignment to operational risk management 2. Better IT and business alignment 3. A more nimble IT organization that is better positioned to address the ever-increasing pace of change, the risk-sensitive introduction of emerging technologies and greater support for innovation Effectively, risk management becomes elevated from simple compliance to a critical part of strategy and business enablement. 8

10 ABOUT PROTIVITI Protiviti ( is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 40 percent of FORTUNE 1000 and FORTUNE Global 500 companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index. How Protiviti Can Help Protiviti develops thought leadership that is meaningful and directly applicable to our clients. We also seek to make contributions to the industries we serve through active participation in industry groups, and we support research and information-sharing through organizations such as the Open Web Application Security Project (OWASP), Financial Services Information Sharing and Analysis Center (FS-ISAC), Payment Card Industry Security Standards Council (PCI Council), Information Systems Security Association (ISSA), Computer Security Institute (CSI), InfraGard, SANS and ISACA. We are a member of the Shared Assessments Program steering committee, the Board and Advisors Committee for FS-ISAC, and the International Information Integrity Institute (I-4) industry think tank focused on information security. Based on our research and industry participation, it is apparent that there is enormous pressure for financial services IT leaders to transform their organizations to become more nimble and adaptive, yet there is also intense pressure to maintain controls and manage costs. Our blend of consulting expertise and deep industry experience uniquely positions us to design and deliver pragmatic, risk-sensitive solutions in response to these challenges. Ultimately, our goal is to help our customers protect and enhance the value of their enterprises in the face of ever-increasing demands. We have assisted many of the world s largest financial services organizations in areas including, but not limited to: IT strategy and governance Enterprise architecture Risk and compliance Security and privacy Service assurance Operations improvement Data management Technology Contacts Ed Page Jonathan Wyatt ed.page@protiviti.com jonathan.wyatt@protiviti.co.uk 9

11 THE AMERICAS EUROPE/MIDDLE EAST/AFRICA UNITED STATES FRANCE ITALY THE NETHERLANDS Alexandria Atlanta Baltimore Boston Charlotte Chicago Cincinnati Cleveland Dallas Denver Fort Lauderdale Houston ARGENTINA* Buenos Aires Kansas City Los Angeles Milwaukee Minneapolis New York Orlando Philadelphia Phoenix Pittsburgh Portland Richmond Sacramento CHILE* Santiago Salt Lake City San Francisco San Jose Seattle Stamford St. Louis Tampa Washington, D.C. Winchester Woodbridge PERU* Lima Paris GERMANY Frankfurt Munich BAHRAIN* Manama KUWAIT* Kuwait City OMAN* Muscat Milan Rome Turin QATAR* Doha Amsterdam UNITED KINGDOM London UNITED ARAB EMIRATES* Abu Dhabi Dubai BRAZIL* Rio de Janeiro São Paulo MEXICO* Mexico City VENEZUELA* Caracas SOUTH AFRICA* Johannesburg CANADA Kitchener-Waterloo Toronto ASIA-PACIFIC AUSTRALIA INDIA* SINGAPORE Brisbane Canberra Melbourne Perth Sydney CHINA Beijing Hong Kong Shanghai Shenzhen Bangalore Mumbai New Delhi INDONESIA** Jakarta JAPAN Osaka Tokyo Singapore SOUTH KOREA Seoul * Protiviti Member Firm ** Protiviti Alliance Member 2015 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet. PRO Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.