IBM Global Technology Services
Thought Leadership White Paper
July 2013

Leading financial institutions are transforming the way they manage IT risk
Resiliency, security and agility are all being reconsidered
Executive summary

It is no longer sufficient to only have a plan to keep IT up and running. That plan has to be integrated with a bank's business needs. It must include the ability to effectively manage a crisis when an event occurs, and it must have inherent flexibility to adapt as threat landscapes and regulatory requirements change over time. Mobile devices, cloud computing and social networks are all part of the new financial ecosystem and must be protected. At the same time, increasing demands to reduce costs and find skilled resources to manage and analyze this environment put pressure on virtually all businesses, especially financial institutions.

IT vulnerabilities jeopardize not only a bank's operations, but also its reputation and bottom line. Infrastructure failures, security breaches and events resulting in loss, corruption and inaccessibility of data can significantly impact a bank's reputation. Amid the ever-increasing threat environment, it is no wonder that many banks are finding it more difficult to manage information technology (IT) risks effectively. Unfortunately, they are also paying high costs for their challenges. The IBM Security Services Cyber Security Intelligence Index, which analyzed security events for 3,700 clients across 130 countries during 2012, lists the finance industry among the most attacked industries.1

The costly consequences of mismanaging IT resiliency and security threats are why executives in the banking industry are far more likely than their counterparts in other industries to make IT issues a part of their overall reputational risk-management strategy.

Customer satisfaction, brand reputation and compliance:
- 92 percent of banks draw strong connections between IT risks, customer satisfaction and brand reputation.2
- 91 percent of banking industry executives say that IT issues are part of the organization's overall reputational risk-management strategy.3
- 87 percent of banking executives say that IT failures have severe consequences for compliance.4

Now more than ever, IT must be reliable, predictable, available and security-rich to support a bank's critical business processes and key initiatives. Identifying risks associated with the use of IT requires the adoption of a broader, more holistic view of IT risks and services throughout the enterprise and even beyond. Such a view cannot be adequately conceived via a traditional approach that emphasizes only the physical and natural threats to IT service delivery.

This paper details the problems that are inherent in the traditional approach to IT risk management for banks. It underscores the need to broaden the spectrum of risks to encompass IT threats to a bank's strategic business objectives. It also outlines steps for implementing a more holistic, structured approach to IT risk management. This approach can enable banks to assign resources across the enterprise, continually monitor IT risks using meaningful metrics and communicate their IT risk-management programs to stakeholders. Ultimately, this proactive methodology can facilitate a faster, more appropriate and more cost-effective response to IT risks, enabling banks to improve service delivery to clients, business performance and resiliency. It can also help them better manage business objectives and regulatory requirements to better safeguard their bottom line and reputations.
"(Our) operational systems and networks have been, and will continue to be, vulnerable to an increasing risk of continually evolving cyber security or other technological risks, which could result in the disclosure of confidential client or customer information, damage to (our) reputation, additional costs to (us), regulatory penalties and financial losses. Failure to maintain the value of the brand could harm (our) global competitive advantage, results of operations and strategy."
Bank executive (large global bank)

Problems with the traditional approach to managing IT risk

Many business leaders in banking lack confidence in their organization's ability to effectively identify and manage IT risk. Consider, for example, the following findings from two different IBM studies:
- More than half of chief information officers (CIOs) expressed concerns about risk management and compliance.5
- Nearly a third of senior executives said they do not have a formal risk-management function in place.6

Why is there such a lack of confidence in IT risk management among bankers? We have found that banks continue to analyze risks through a very narrow lens that focuses on the financial impact of IT service delivery. This traditional approach begins by identifying conventional threats such as fires, floods, power failures, vandalism, terrorism and security failures, based on the potential impact that these threats could have on business availability, recoverability and security. Then the approach prioritizes the management of those threats according to the potential business costs, losses and operational effects. However, threats that fall outside of the conventional realm, such as cyber-warfare, hacktivism, vandalism-led attacks and advanced persistent threats, are easily overlooked. If a bank cannot identify these additional threats or accurately determine their likelihood, it cannot assess its true vulnerability to them.
In addition, although the act of quantifying and qualifying these factors may provide useful information for risk analysis, it does not accommodate management's need to align IT risk management decisions with business objectives. For example, if a key priority is to maintain continuous system availability, IT-risk management decisions must encompass, at the very least, the people, processes and technologies required to meet this objective on a day-to-day basis.

The failure to align IT-risk management with business objectives is a significant limitation of the traditional approach. It is also not consistent with the International Organization for Standardization's (ISO's) 31000 standard, which emphasizes risk management as a strategic discipline, as opposed to a compliance-based function, for making risk-adjusted decisions. Moreover, because the traditional approach does not establish a link with a bank's enterprise objectives and strategic business initiatives, it has yet to demonstrate the effect of risks on achieving these goals.

"In financial services, we make money by prudently assuming risks and managing them. So risk management is nothing new to us. What is new is the need for a better understanding of the interactions among different areas of risk. Risks have become more interdependent; one risk may lead to something else."7
Chief risk officer, First Horizon National Corporation

The need for a more holistic approach to IT risk management

Managing IT risk in a bank is becoming increasingly complex due to diverse IT architectures and platforms, multiple internal and external stakeholders and the various service-delivery options deployed. The proliferation of mobile devices in the workplace also requires a much broader approach to IT risk management.

As banks try to juggle IT risks, they often are challenged by:
- Assessing risks and developing a tailored business resilience strategy
- Analyzing the impact of a business disruption and the costs of downtime
- Protecting business-critical and customer information from system failures and security breaches
- Responding with speed and agility to incidents while reducing risk exposure
- Managing costs during incident responses and downtime
- Managing compliance with constantly changing governmental and industry regulations associated with business continuity and security
- Supporting business and IT processes that keep the business running when unexpected disruptive events occur
To more appropriately identify the business risks associated with the use of IT, banks need to optimize risk management at an enterprise level by taking a broader view of IT risks that goes beyond traditional standards and aligns IT with the strategic direction of the business. Specifically, they need an approach that can realize the following business benefits:
- Reduced financial and reputational exposure, by facilitating advanced assessment, incorporating preparation and incident response, decreasing the financial and business impact of incidents and planning a more realistic strategy to help better manage compliance and regulatory requirements
- Enhanced performance, by increasing the flexibility and agility of IT services to support better response to risks and security events and by facilitating reduced operating costs through the more consistent deployment of IT risk policies and procedures
- Improved competitive advantage, by more carefully aligning business resiliency processes and infrastructure to the needs of organizations and helping banks make calculated responses to risks that competitors may lack the insight to make

By tying classic risk techniques directly to strategic business initiatives, banks can more easily document key performance indicators (KPIs) and key risk indicators (KRIs) and prioritize risks based on their impact or on their contribution to strategic goals. Additionally, they can more efficiently implement balanced risk-management plans, employ clearer communication plans and continually monitor risk indicators.

IT Risk Spectrum
- Agility and appropriateness: Respond in a timely manner with the correct new or modified IT service in support of changes in business requirements
- Scalability and performance: Maintain acceptable performance based on business needs and appropriately accommodate changes in business service volume
- Security and data protection: Provide the appropriate access controls while protecting the business information and resources
- Accuracy and timeliness: Provide accurate data, to the right people, at the right time, to make informed business decisions
- Availability and recoverability: Keep systems running and, if necessary, recover from interruptions in line with business expectations

The importance of stronger metrics

Increasingly, banks are using KPIs to help track and manage risks. However, KPIs are not suited for this purpose because they are typically based on historical performance data. Instead, KRIs are required to help alert the organization about emerging risks well before the risk actually occurs. This allows companies to capture opportunities or reduce a potentially negative impact, which can help achieve their business objectives. KRIs must also alert the organization early enough to provide time to react and take appropriate measures to counter the risk.

Although KPI and KRI metrics are different, they are related. KPIs are used to track business performance. KRIs warn businesses of impending change. Because business entities are interdependent, if a supplying entity is not capable of providing a service, the receiving or dependent entity is at risk. These are capability risks that could potentially prevent the dependent entity from achieving its performance targets, and they should be managed through KRIs.
Introducing the IBM IT Risk Spectrum

To answer the need for a more structured and holistic approach to IT risk management, IBM has developed the IT Risk Spectrum, which is designed to provide a prescriptive view of bank operations and an understanding of how IT risks affect specific business goals. This structured and holistic approach groups a variety of IT risks into five logical categories. Each risk category is associated with specific business goals to help determine the impact that the current state of IT service delivery and mitigation prioritization can have on the business goals. Thus, the IBM IT Risk Spectrum helps banks to determine how much these risks might affect business. It also helps them improve the alignment of IT to their business needs and, therefore, use IT to help achieve strategic goals.

Figure: IT Risk Spectrum (Agility and appropriateness; Scalability and performance; Security and data protection; Accuracy and timeliness; Availability and recovery)

Examples of risks and benefits

- A North American banking group did not have IT infrastructure and development agility. As a result, it was unable to provide innovative offerings to help the business stay ahead of competition. Benefit: The bank tried to improve its IT infrastructure and development agility. It was able to use this agility to develop innovative online and mobile cash back deals on a nationwide scale. This helped customers to save on retail purchases based on previous spending patterns.
- An Association of Southeast Asian Nations (ASEAN) bank faced difficulties in managing the IT infrastructure that supported a variety of banking channels available to its customers. This resulted in the bank's inability to increase its service levels and competitiveness. Benefit: The bank consolidated the supporting IT infrastructure to boost performance and reduce operational costs.
- A North American bank faced a cyber attack that breached the bank's network and accessed the data of credit-card holders. Risk: The bank failed to identify security vulnerabilities, resulting in fraud, loss of customer confidence and regulatory scrutiny.
- A North American trading firm's new trading software submitted erroneous orders in stocks listed on the New York Stock Exchange. Risk: The erroneous orders caused sudden swings in stock prices and surging trading volume. The firm faced huge costs to rectify the glitch, and its stock price lost 75 percent of its value in two days.
- A European bank implemented application updates as part of a software upgrade. The bank failed to factor in complex systems and interdependencies. Risk: The bank faced a systems outage for multiple days and unacceptable delays to account updates, which resulted in widespread media coverage and a damaged brand reputation.

Critical components of the core business of a bank must also be reviewed to help determine their linkage with the IT Risk Spectrum and identify the better metric to monitor. IBM applies its Component Business Model8 to decompose a bank in such a way as to render the components reviewable and to allow for both dependency and parallel analysis. This framework comprises six domains that cover virtually all components, both internal and external, that are necessary to help enable business operations. They include:
- People: The human resources with assigned roles and responsibilities who compose the bank, as well as the processes required to maintain their skills through training and communications
- Processes: How the bank conducts its core business (through business-process modeling in an open-process framework) and maintains its technology through IT strategy and governance, business continuity, backup and recovery, and service management, among others
- Technology: Equipment and tools that support the bank's business processes, such as servers, storage systems, networks, databases, applications and telephony
- Suppliers: Businesses and entities that provide the critical materials, services and information necessary to allow the bank to operate and conduct business
- Infrastructure: Components under the control of the bank that help enable operations, such as physical security, electrical systems, water and cooling
- Exostructure: Critical components of the ecosystem, outside the control of the bank, such as power supply, water supply, roads, transportation, food supply, communications and governance
"Underestimating the cost of reputational risk greatly exceeds the cost of protection. Proaction is preferable to reaction."9
Finance director, U.S. bank

The IBM method: Three steps to facilitate a proactive IT risk culture

IBM has established a condensed risk management method based on ISO 31000, which, when applied to the IT domain, can provide a risk architecture designed for enhanced compliance management that can more easily interface with virtually any enterprise-wide risk management program. Our methodology broadens our traditional thoughts on IT risk beyond facilities, natural phenomena and server failure to include the abilities of IT services to be more available, security-rich, scalable, agile and accurate in proportion to the business need.

Figure: The IBM approach to managing IT risk to your core business. The three phases (Ascertain, Assess, Act) surround the five IT Risk Spectrum categories (Agility and appropriateness; Scalability and performance; Security and data protection; Accuracy and timeliness; Availability and recoverability) and the six Component Business Model domains (People, Processes, Technology, Suppliers, Infrastructure, Exostructure).

The methodology includes three structured phases: ascertain, assess and act.
Phase 1: Ascertain the purpose and scope, with clear roles and responsibilities

An IT risk management program should include the activities necessary to continually identify, assess and respond to threats and their relative risks to the business. Without identified goals and clearly defined roles and responsibilities, the subsequent management processes are in jeopardy. Setting both scope and roles early in the process of establishing the program helps to facilitate your team's buy-in to the process and to the subsequent requests for mitigation actions from confirmed, identified IT risk owners.

Stage 1: Purpose
  Description: Establish a bank's goals for the IT risk-management program
  Significance:
  - Determines strategic banking business imperatives
  - Defines IT-risk management objectives
  - Identifies internal and external stressors

Stage 2: Scope
  Description: Scale the areas of IT risk to manage more effectively based on relevance to strategic banking initiatives
  Significance:
  - Defines acceptable risk levels to the banking business as a result of the use of IT services
  - Prioritizes the IT Risk Spectrum and IT service areas to include in the assessment activities

Stage 3: Roles and responsibilities
  Description: Define areas of responsibility involving required stakeholders
  Significance:
  - Establishes IT risk responsibilities
  - Identifies appropriate roles throughout the organization
  - Defines member roles and responsibilities and facilitates buy-in from stakeholders

Phase 2: Assess the IT risk and prioritize treatment options

With the business goals set, the IT risk areas are defined relative to the strategic business initiatives. This entails aligning the IT services directly to their support of business goals. A critical element of establishing holistic risk management for business resilience is the ability to assess a wide range of risks in a balanced way to build an overall picture of the threats and opportunities the organization faces. By using the IT Risk Spectrum and analyzing the IT services that are needed across the entire enterprise to support the business initiatives, banks can more easily identify which IT services they need most to achieve their business goals. Clearly, understanding the relationship of IT services that support business initiatives is a critical aspect of risk assessment.

Stage 1: Identify
  Description: Help identify IT risk to strategic banking business initiatives by analyzing cause and business impact
  Significance:
  - Identifies a bank's strategic initiatives against which to manage and exploit IT capabilities
  - Conducts an IT service capabilities analysis to identify measurable IT risk and performance metrics
  - Determines more meaningful key IT performance indicators using the IT Risk Spectrum

Stage 2: Measure and prioritize
  Description: Measure KPIs and KRIs, and prioritize IT risks by consequences and probability
  Significance:
  - Quantifies IT risk to the banking business based on the current IT performance capabilities
  - Helps identify the potential impact to business strategic goals should the IT risk materialize
  - Helps identify controls to assist with monitoring changes that may impede success

Stage 3: Treat
  Description: Create balanced treatment options
  Significance:
  - Defines and prioritizes more appropriate IT service risk treatment and roadmap
  - Helps identify controls to apply

Phase 3: Act to manage IT risk

Now that the KPIs and KRIs have been documented and prioritized against business strategic goals, the challenge becomes one of implementing balanced treatment plans, continually monitoring the risk indicators and communicating to the stakeholders. In this phase, the IT risk management plan is implemented by assigning the various resources across the organization with the responsibility and accountability to act. The risk owners establish and manage IT risk to help provide alignment with business objectives and to help increase involvement throughout the organization at practically all levels: C-level management, business lines, IT professionals, board members and employees.

Stage 1: Implement
  Description: Assign resources in the organization with responsibility and accountability to act
  Significance:
  - Helps identify persons in virtually all areas within scope to establish and better manage IT risk
  - Helps ensure alignment with business objectives
  - Enables increased awareness across the organization

Stage 2: Monitor
  Description: Continually monitor IT risks based on IT metrics meaningful to the bank
  Significance:
  - Helps monitor changes and events that may stress the bank
  - Continually reviews to help ensure sustained alignment with business objectives
  - Helps enable a tailored response accordingly

Stage 3: Communicate
  Description: Help ensure all stakeholders are aware, educated and able to use the IT risk program
  Significance:
  - Establishes training and awareness programs for practically all levels of employees
  - Helps ensure stakeholders understand roles
  - Reports regularly to levels involved with the program
  - Helps support integration of IT risk management with broader governance, risk and compliance activities
  - Helps to emphasize that IT risk management is part of everyone's job and to develop a risk-aware and proactive risk culture
Why IBM?

IBM provides IT risk management services to banking clients who need to more proactively identify, understand, manage and respond to operational risks and business disruptions. We can help you maintain near-continuous business operations, allowing you to better protect your brand, support growth for your bottom line and remain a trusted provider to your customers. Using industry standards, such as those from ISO and ISACA, IBM resiliency specialists can become familiar with your environment and help tailor the resilience framework to your unique needs. We can also review the respective collateral to be used for the IT risk assessment and provide a roadmap for remediation and improvement.

Additionally, by choosing IBM, you can gain peace of mind from knowing that we are a trusted and analyst-recognized business continuity and resiliency leader with over 50 years of experience. More than 9,000 disaster recovery clients rely on our expertise, because we can provide 100 percent recovery for clients who have declared a disaster.10 And our robust business continuity and resiliency infrastructure includes over 160 resiliency centers across 70 countries; 1,800 highly skilled professionals; and four million square feet of disaster recovery floor space.11 With these capabilities, backed by our time-tested intellectual property, tools and methodology, we are ready to help deliver industry-leading support for your evolving risk-management needs.

A global bank improves risk management with help from IBM

The need: The bank's existing IT recovery solution was limited and lacked full integration with business requirements. It needed an experienced consultant to help build a corporate disaster recovery solution to facilitate more accurate analyses of business requirements and define and support critical business processes.

The solution: IBM Global Services Integrated Technology Services helped the bank document its existing risk management processes and roles. Through a business recovery plan consultancy, IBM also helped the bank develop a corporate and departmental continuity plan to coordinate disaster recovery activities across a designated set of critical business functions.

The benefits:
- Clearer delineation of responsibilities between IT and business groups
- Standardized process definitions that allow for commonality and transparency across major business lines and IT
- More accurate workflow to help ensure the right participants are involved in the process
- Virtually all risk-management activities are accounted for, and gaps identified in the current-state analysis are closed
Are you prepared for the changing threat landscape?

Business continuity and resiliency are critical requirements of a modern bank, but they are not always well understood. To properly prepare, banks should regularly evaluate their plan by using an objective, focused approach to update and strengthen it. We invite you to take the IBM Business Continuity Index test, which helps you to identify where improvements can be made and provides information and guidance on the next steps to consider when developing a robust risk management strategy for your business.12

The IBM Continuous Operations Risk Evaluation (CORE) Workshop uses a series of tools, risk models and interviews to evaluate your current plan.13 Contact your IBM representative to learn how a CORE Workshop can provide clear guidance to help you fortify your risk posture.

For more information

To learn more about IBM's services that help you address IT risk, please contact your IBM representative, or visit the following website: ibm.com/services/continuity

Additionally, IBM Global Financing can help you acquire the IT solutions that your business needs in the most cost-effective and strategic way possible. We'll partner with credit-qualified clients to customize an IT financing solution to suit your business goals, enable effective cash management, and improve your total cost of ownership. IBM Global Financing is your smartest choice to fund critical IT investments and propel your business forward. For more information, visit: ibm.com/financing
Notes

1 IBM, "IBM Security Services Cyber Security Intelligence Index," March 2013.
2 IBM, "Reputational risk and IT in the banking industry: Findings from the 2012 IBM Global Reputational Risk and IT Study," October 2012.
3 Ibid.
4 Ibid.
5 IBM, "The essential CIO: Insights from the global chief information officer study," May 2011.
6 IBM, "Key trends driving global business resilience and risk: Findings from the 2011 IBM Global Business Resilience and Risk Study," September 2011.
7 Ibid.
8 Component Business Model: ibm.com/software/industry/banking/framework/
9 IBM, "Six keys to effective reputational and IT risk management: Implications of the 2013 IBM Global Reputational Risk and IT Study," March 2013.
10 Based on previous IBM client engagements; statistics current as of 2013.
11 Statistics current as of 2013.
12 IBM Business Continuity Index test: http://www.ibmbusinesscontinuityindex.com/
13 IBM Continuous Operations Risk Evaluation (CORE): ibm.com/common/ssi/cgi-bin/ssialias?subtype=fy&infotype=pm&appname=GTSE_BU_BU_USEN&htmlfid=BUF03017USEN&attachment=BUF03017USEN.PDF

Copyright IBM Corporation 2013
IBM Corporation, IBM Global Services, Route 100, Somers, NY 10589
Produced in the United States of America, July 2013

IBM, the IBM logo, and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation.

BKW03016-USEN-00