Analysis
Information technology risks in financial services
What board members need to know — and do
Boards’ risk-related responsibilities at financial services companies have intensified, with governance of Information Technology (IT) risk becoming increasingly critical. Yet IT risk may be the one risk that the typical financial services board member is least prepared to oversee. After all, few directors are chosen for their expertise in IT, and many think of IT risk somewhat narrowly—that is, in terms of cyber-attacks and system availability—when in fact IT risks permeate the company.
The board and IT risk
IT risk-related challenges in financial services will grow in number and importance in the years ahead. This paper highlights select IT risks for boards of financial institutions to consider, and suggests strategies they can employ to better oversee them.
Technology is the great enabler, but it also presents pervasive, potentially high-impact risk. Cyber risk in the form of data theft, compromised accounts, destroyed files, or disabled or degraded systems is “top-of-mind” these days. However, that is not the only IT risk that the board and management should be concerned about.
Financial institutions face risk from misalignment between business and IT strategies, management decisions that increase the cost and complexity of the IT environment, and insufficient or mismatched talent. Financial companies’ technology may become obsolete, disrupted, or uncompetitive, with legacy systems hindering agility. Mergers and acquisitions can hopelessly complicate the organization’s IT environment—a fact that many management teams fail to budget for and address. Meanwhile, technology-driven startups and disruptive financial technology (“FinTech”) solutions are challenging the business models and processes at the core of many institutions, making swiftness of response a requirement for ongoing relevance and viability.
Technology risk holds strategic, financial, operational, regulatory, and reputational implications. To address this, board members need not become experts in IT, but they do need to understand the IT landscape well enough to oversee and challenge management.
Questions for the board to pose:
- What is our organization’s IT strategy, particularly as it relates to supporting our businesses, offerings, customers, and other stakeholders?
- In general, do we as an organization want to be an innovator in IT-enabled financial services or to take the more conservative route and be late adopters? What do we need in place to manage the risks inherent in either strategy?
- How do we monitor the marketplace for developments that could pose opportunities or risks for our business?
- What investments are required to remediate and update our legacy IT environment?