IT Governance Regulatory. P.K.Patel AGM, MoF

IT Governance: Regulatory Perspective. P.K. Patel, AGM, MoF

Agenda
- What is IT Governance?
- Aspects of IT Governance
- What should banks consider before implementing these aspects?
- What should banks do to implement these aspects?
- Gopalakrishna committee recommendations on IT Governance
- Findings from banks

What is IT Governance?

IT Governance
IT is now at the core of most organizations' ability to execute strategy. IT governance is the process by which decisions are made around IT investments. How decisions are made, who makes them, who is held accountable, and how the results of decisions are measured and monitored are all parts of IT governance. IT governance cannot exist in isolation; it must be a subset of enterprise governance.

IT Governance
The structure, oversight and management processes which ensure the delivery of the expected benefits of IT in a controlled way, to help enhance the long-term sustainable success of the enterprise. IT Governance focuses specifically on information technology systems, their performance and risk management.

IT Governance: Need?
- Value / cost
- Aligning IT with business
- Security
- Keeping IT running
- Managing complexity
- Regulatory compliance
Organizations require a structured approach for managing these and other challenges. This ensures that there are agreed objectives for IT, good management controls in place, and effective monitoring of performance to keep on track and avoid unexpected outcomes.

IT Governance

What does IT Governance cover?
It is the delivery of value to the business and the mitigation of IT risk. The first is driven by strategic alignment of IT with the business; the second is driven by embedding accountability into the enterprise. Both need to be supported by adequate resources and measured to ensure that the results are obtained. This leads to the five main focus areas for IT Governance. Two of them are outcomes: value delivery and risk management. Three of them are drivers: strategic alignment, resource management and performance management. IT Governance is a continuous life cycle. It is a process, using the resources necessary to execute responsibilities.

IT Governance Organizational Structure
IT governance stakeholders include:
- Board of directors
- IT strategy committees
- CEOs
- Business executives
- CIOs
- IT steering committee
- Chief Risk Officer
- Risk committees
- IT line management
IT organizational structure: IT Technology, IT Development, IT Operations, IT Assurance

Policies and Procedures
- Board-approved policies: hardware and network architecture; hardware and software procurement strategy; standards; outsourcing; IT department organizational structure; number of IT experts; change process
- Operational procedures, especially for the data centre
- Annual review
- Regular conversion of the long-range IT strategy into short-range plans
- Enterprise information model
- Enterprise data dictionary
- CIO: a key business player and the owner of IT functions

IT Governance

Strategic Alignment
Ensuring that IT strategy is aligned with the business strategy and that distributed IT strategies are consistent and integrated. IT alignment is a journey, not a destination.

IT Strategic Alignment
When formulating an IT strategy, a bank must consider:
- Business objectives and the competitive environment
- Current and future technologies: costs, risks and benefits
- Capability of the IT organization and technology to deliver current and future levels of service
- Operating cost of current IT: whether this provides sufficient value to the business
- Regulatory and compliance environment

Contd.
With respect to IT strategic alignment, banks need to ensure the following:
- Up-to-date business strategy
- IT development projects have a business case
- IT budget priorities reflect the portfolio of IT-related investment programmes
- IT strategy committee reviews management on IT-related investments
- IT steering committee composed of executives from business and IT management
- Performance of IT management is monitored
- A comprehensive and ongoing due diligence and oversight process is established for managing the bank's outsourced activities

Value Delivery
Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing cost and proving the intrinsic value of IT. It is important not only to focus on measurements based on value realisation (i.e., financial measures), but also to take into account the enterprise's performance in creating value:
- Fit for purpose and meeting business requirements
- Flexibility to adopt future requirements
- Throughput and response times
- Ease of use
- Resiliency and security
- Integrity, accuracy and confidentiality of information

Banks should consider:
- Board and senior management are briefed about the value that IT delivers to the business in respect of customer service, cost, speed of delivery, quality, ROI, value-add to the business, etc.
- Reporting and tracking of major IT projects
- Current rate of failure of IT projects
- Costs involved in managing incidents (network outages and system downtime)
- Level of end-user and customer satisfaction with the quality of IT service

With respect to value delivery, banks need to ensure that:
- IT investment programmes are managed so that they are aligned with business strategy and objectives
- IT controls minimize IT-related vulnerabilities, increase efficiency, use resources optimally and increase the effectiveness of IT processes
- Proper MIS
- Project management and quality assurance
- Evaluation of IT internal control failures and weaknesses
- Project-level steering committees
- Independent assurance on the achievement of IT objectives and the containment of IT risks is conducted regularly
- IT initiatives are prioritized and ownership is assigned for IT-enabled business opportunities
- All non-performing or irrelevant IT projects in the bank are reviewed periodically

Risk Management
Requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, an understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities in the organisation.

Banks should consider:
- The bank's position: risk appetite and tolerance levels
- Maintaining a list of IT risks
- Implementing and documenting a risk framework: assessment, mitigation approach, and analysis of cost against benefits
- Documenting the measures adopted to contain IT risks
- A reporting system for IT risks
- Actual or potential conflicts between operational functions and IT functions

With respect to IT risk management, banks need to ensure that:
- IT risks are assessed and suitably mitigated
- A bank-wide risk management policy exists
- A risk management process exists for e-banking activities
- All risks related to suppliers are considered: relationship management, escrow and second sourcing
- Appropriate incident response plans are in place
- Operational risk is assessed and relevant controls are implemented
- Customer privacy requirements are adhered to
- Legislative, regulatory and contractual requirements on the use of systems and software are met where IPR, copyright and the terms of use of proprietary software products are applicable

Contd.
- Information security policy
- Comprehensive and centralized change control system for projects or applications
- Project management framework and approach
- Use of an IT control framework: COBIT, ITIL, ISO 27001, etc.
- Inter-dependencies between risk elements are considered in the risk assessment process
- IT outsourcing (due diligence, monitoring vendor performance, managing SLAs)

IT Resource Management
Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.

Banks should consider:
- Current practices followed for managing IT assets
- IT assets: under-utilised or over-utilised
- Current short-term and long-term IT strategy in view of the expected business growth
- Outsourcing strategy
- IT expertise pool

With respect to IT resource management, banks need to ensure that:
- The Board is aware of IT resources, infrastructure and investment
- Policies and procedures for information systems monitoring facilities
- Records management: responsibilities and authorities of individuals
- Requirements for trained resources
- Procedures to assess the integration and interoperability of complex IT processes
- Responsibilities, relationships, authorities and performance criteria of project team members and stakeholders
- Procurement practices

Performance Measurement
Tracks and monitors strategy implementation, project completion, process performance and service delivery, using, for example, IT balanced scorecards.

Banks should consider:
- Identifying and quantifying IT costs and benefits: ROI, NPV, IRR and the payback method
- Overcoming the limitations of measuring unquantifiable values
- Assessing current performance measurement metrics, current MIS, the process to evaluate the performance of contractors and outsourced service providers, and service level agreements
- Assessing ROI trends, practices followed by industry competitors, and the bank's performance status in comparison

With respect to IT performance management, banks need to ensure that:
- IT projects undergo appropriate strategic, cost and reward analysis on a periodic basis
- A standard template is used for balancing return against risk
- IT balanced scorecard, maturity level
- Periodic assessment of IT budget deviations
- Periodic review and update of IS policies and procedures

IT Balanced Scorecard
It is a concept for measuring a company's activities in terms of its vision and strategies, to give a comprehensive view of the performance of a business. It measures four perspectives: financial, customer, business process, and learning and growth. In the IT balanced scorecard these become business contribution, user orientation, operational excellence and future orientation.

IT Governance: Maturity Model
0 - Non-existent
1 - Initial or ad hoc
2 - Repeatable but intuitive
3 - Defined process
4 - Managed and measurable
5 - Optimized

Gopalakrishna Committee Recommendations

IT Governance
i. Banks to have a Board-approved, documented IT strategy/plan
ii. A comprehensive IT policy to be framed and reviewed annually
Board-level Strategy Committee:
- Minimum of TWO directors, one of them an independent director
- All members of the committee to be technically competent
- At least one member with substantial expertise in managing technology
The thrust of the Working Group is on a top-down approach to IT Governance.

IT Governance
iii. Position of Chief Information Officer (CIO) to be created
- CIO to act as owner of the IT function
- Help in alignment of business and technology
iv. Creation of an IT Steering Committee
- Representation from IT, HR, Legal and business functions
- Committee to help the bank in implementing the IT strategy
- To assess the transparency, accountability and effectiveness of the IT Governance structure in banks
v. Stress on training and skill development for effective IT implementation in banks
- Periodic assessment of training requirements
- Ensure availability of competent human resources
- Supporting organizational structure to be commensurate with the size of the bank and the scale of business activities

IT Governance
vi. Monitoring of the IT function's performance
- Timely delivery, adherence to budget
- Appropriate value/benefits
vii. Banks to maintain an enterprise data dictionary
- Dictionary to hold the organization's data syntax rules
- Facilitates data sharing among applications
- Common understanding of data among IT users
- Prevention of incompatibility
viii. Project management approach to the implementation and management of IT projects
ix. Bank-wide risk management policy or operational risk policy to include IT risks, reviewed annually
Key focus of IT Governance: strategic alignment, value delivery, risk, resource and performance management

IT Governance
x. IT function to support robust MIS in banks
xi. Implementation of well-known IT control frameworks such as COBIT
xii. Collaborative effort with IDRBT for sharing information and discussing issues and challenges
- A forum of CIOs and senior IT officials to share experiences
Good IT Governance for robust IT systems, IT risk management, MIS and deriving value from IT

Study

IT Governance in Banks
Role of the Board: Establish / Direct / Guide / Review / Question
Strategy and Alignment
i) Does the bank have a clear IT strategy?
ii) If so, how is it aligned to the business strategy?
iii) Are a suitable IT organisation and appropriate resources ensured, in consonance with the IT strategy?

IT Policy Issues
i) Does the bank have a clear vision on the course of development of applications, outsourced or in-house?
ii) Do documented outsourcing and in-house development policies exist in the bank? If not, what action has been taken to lay down these policies?
iii) Has an IT security policy been established? Has the bank subscribed to IT standards such as ISO 17799?
iv) Does the bank follow a standard IT process governance framework such as Control Objectives for Information and related Technology (COBIT)?
v) Is the charter of the IS Audit function in the bank exhaustive, and is it carried out purposefully?
vi) Is there a system in place to ensure compliance with legal and regulatory prescriptions and guidelines on e-banking, etc.?

IT Investments
i) Is the proposal in line with the approved IT strategy?
ii) How does the proposal map to the business goals (short/medium/long term)?
iii) Is it supported by a detailed project analysis?
iv) If a new delivery channel is proposed, is it directed towards a niche segment or across the board? Determine the gaps in servicing any segment, check for new opportunities and provide suitable direction.
v) Is there a possibility of the new delivery channel negatively impacting an existing channel? If so, is it justified by the need for, say, retaining market competitiveness?
vi) Does the proposal conform to the bank's outsourcing/in-house development policy?

Contd.
vii) Can the surplus capabilities, if any, of the existing IT infrastructure be utilised instead?
viii) Is the proposed technological solution state-of-the-art?
ix) Is scalability (i.e., an expandable option) ensured, where appropriate, to take care of higher levels of transactions in future?
x) Is redundancy, where appropriate, ensured to enable uninterrupted supply?

Contd.
xi) How will the proposed solution integrate with the existing enterprise-wide IT environment? Are open/generic standards proposed to facilitate interoperability?
xii) Does the bank have, or expect to have, a reasonable pool of expertise to manage the proposed solution? Details of proposals for imparting that expertise.
xiii) If regulatory approval is required for the proposal, has it been taken or is it being taken?

Value Delivery
i) Review the performance of projects; both cost and time overruns are to be looked into.
ii) Direct the establishment of metrics for evaluation and assess the results. For example, cost per transaction is to be worked out across services delivered over different channels. Utilisation by customers of cost-effective channels vis-à-vis the other channels should be examined, and guidance for improving performance provided where appropriate.
iii) Check the market share of the various IT-based services offered and provide suitable direction.
iv) Analyse the impact of IT-based services on the bank's bottom line and reputation and suggest the future course of action.
v) Determine the RoI and review it against the projection for suitable action. Other positive results, such as retention of customers and addition of more customers, should also be kept in view in the assessment.

Management of IT Resources
i) Determine whether IT resources are managed efficiently by seizing the opportunities offered by up-to-date technologies.
ii) Are the IT resources able, or will they be able, to support present and future business needs efficiently and effectively?
iii) Is the bank committed to training and educating staff on the operation and management of relevant technologies?
iv) Review the change management policies and procedures.

Risk Management
i) Review the provisions for DRP/BCP for their adequacy and coverage: whether the relevant procedures are reviewed and updated, simulated tests are carried out, etc.
ii) Review the implementation of the IT security policy by the bank: whether detailed instructions and procedural guidelines are in place, whether a suitable organisational structure has been established to implement the policy, steps taken to instil enterprise-wide security consciousness, etc.
iii) Set the direction for devising metrics on the subject and review them, e.g., number of service outages caused by security attacks / denial of service, number of customer complaints received on non-availability of or deficient service, etc.
iv) Verify compliance with regulatory prescriptions.

Performance Management
i) Establish the relevant metrics/benchmarks and review them, e.g., the instances and durations of downtime during the review period, number and nature of customer complaints received, utilisation level of network bandwidth / system capacity, etc.
ii) Review the performance of third-party vendors vis-à-vis the SLA.

Thank You