ABA Banking Journal - July 2008 - (Page 44)
Tech topics

way. And so, I get them thinking about defining their challenges as a first step. Really, operational risk management—which is people, process, and IT related risks—also refers, broadly, to defining (and mitigating) anything that could negatively impact your business or keep you from achieving your defined business and revenue objectives. Knowledge is power, then, as the saying goes. What always amazes me are the stories I hear about firms that, due to M&A, aren’t sure what they actually have in terms of IT assets. Talk about an unknown exposure…

PROCTOR Yes, you see operations in all different states out there. Many banks are highly organized. They have an IT risk management and security policy and they use it. And best-practice banks know what servers they have and where, what desktop units they have, and understand who in the bank uses those assets and have them locked down pretty well. Still, there are banks that aren’t at that level of sophistication yet or are temporarily disorganized after a major change to their operations. Then you have organizations that just have to rethink how they operate. I had a client—a bank close to a billion dollars in assets—recently ask us to help determine what servers and other IT assets they had and what, exactly, they were being used to do. The bank had no idea. Now, there are tools out there to map environments and handle the forensics and I knew we could do the work he wanted, but I did tell him that I was surprised that he didn’t know that information already.

I’m sure that comment alone got him thinking.

PROCTOR I think it did. All we can ask for is improvement. But I will say this: many banks spend too much time on what I consider to be low value-added controls. Often I joke, it’s like rearranging deck chairs on the Titanic. The industry tends to create a lot of reports and check the low-value controls too much. The spirit of effective risk management is there, but maybe some of that scrutiny is misplaced.
Certainly, the scrutiny will be misplaced if we don’t start with the right context in the first place. So then, you’re advocating that a bank review its operational profile?

PROCTOR Yes. If you think about the discipline in terms of a bank’s strategic vision and what their operations actually look like [as compared to the vision], managing risk can be anything from “I might not have the right technology,” to “Gee, in analyzing this area of the business it’s obvious that I’m not collecting the right information about a customer, which could come back to haunt me,” to “When I look at what skill sets are required to do the work I need for the outcomes I said I want, it’s pretty clear I don’t have the right people at this time; I need to hire differently. I’m vulnerable now.” Good risk management begins with risk assessment, which is about linking relevant details to an accurate snapshot of an organization. You create awareness by looking at the big picture and looking at how the parts relate to the whole. Then, and only then, do you figure out what insurance you need, or what sort of internal controls or information security plan you need and so on.

Walk me through your process of transitioning clients from “silver bullets” to strategic thinking.

PROCTOR If you, as a client, are trying to go through a risk assessment plan, I start with something I call the seven-lever approach to change management: people, business process, organization, technology, customers, markets, and products and services. When you start to drill down into these categories, identifying the stakeholders in each area, chances are, you are going to think of something in each that needs to be addressed and from there you can get specific in your planning. There’s a stakeholder involved, there’s some project that needs to get scoped out and funded.
Zeroing in on IT specifically, sometimes, your evaluation will show that there’s technology that isn’t being used to its fullest potential (all those unused features for instance) or applications that need to be added. Sometimes the applications don’t have to change but the business process surrounding the technology does. Typically, some weakness or flaw has to be compensated for in some way.

Would you say this works well because it gets a client to break things down step by step?

PROCTOR Yes. I find that walking clients through this seven-lever evaluation is a good, systematic way to begin identifying risk exposures. You start to look at them individually and see how they are interrelated. By the way, this sort of driver-based exercise is also a good first step in figuring out what sort of IT systems need to be used by an organization. It will help your technology planning become relevant and support your strategic business.

That makes sense. In your presentation, you had some fun with the notion that many IT decisions are made for the wrong reasons. What are your concerns?

PROCTOR My biggest concern is helping a bank avoid being stuck with a system that won’t grow with it or doesn’t serve its agenda. When it comes to spending big bucks on technology, it’s amazing how little thought goes into it. I remember having a slide where I gave examples such as, the CFO attended a conference in Mexico or vendor X flew the head of Retail to Orlando for a weekend and the decision was made. Five years later, everyone hates the results. And those sorts of scenarios happen more often than you’d think, even in this era. That’s why I think the profiling process is so important. It’s also important to look at business and technology trends and gauge where you want to go strategically. To do that you need to start from a clear assessment of where you stand initially.
Not who has the best pitch and who promises something blue sky that a bank isn’t even sure it wants or, more to the point, that it isn’t sure it can’t get with existing equipment or by humbler means. So ask the tough questions: