Information technology risks in financial services
What board members need to know—and do
Boards’ risk-related responsibilities at financial services companies have intensified, with governance of Information Technology (IT) risk becoming increasingly critical. However, IT risk may be the one risk that the typical financial services board member is least prepared to oversee.
The board and IT risk
IT risk-related challenges in financial services will grow in number and importance in the years ahead. This paper highlights select IT risks for boards of financial institutions to consider, and suggests strategies they can employ to better oversee them.
Technology is the great enabler, but it also presents pervasive, potentially high-impact risk. Cyber risk in the form of data theft, compromised accounts, destroyed files, or disabled or degraded systems is “top-of-mind” these days. However, that is not the only IT risk that the board and management should be concerned about.
Financial institutions face risk from misalignment between business and IT strategies, management decisions that increase the cost and complexity of the IT environment, and insufficient or mismatched talent. Financial companies’ technology may become obsolete, disrupted, or uncompetitive, with legacy systems hindering agility. Mergers and acquisitions can hopelessly complicate the organization’s IT environment—a fact that many management teams fail to budget for and address. Meanwhile, technology-driven startups and disruptive financial technology (“FinTech”) solutions are challenging the business models and processes at the core of many institutions, making swiftness of response a requirement for ongoing relevance and viability.
Technology risk holds strategic, financial, operational, regulatory, and reputational implications. To address this, board members need not become experts in IT, but they do need to understand the IT landscape well enough to oversee and challenge management.
Top risks in information technology
To oversee IT risk, boards must understand the risks technology poses to the institution, and have questions for management that drive a real understanding of the risk landscape and set clear direction and expectations.
Some of the most significant risks in technology in financial services include:
- Strategic risk of IT
- Cyber security and incident response risk
- IT resiliency and continuity risk
- Technology vendor and third-party risk
- Data management risk
- IT program execution risk
- Technology operations risk
- Risk of ineffective risk management
This publication serves as a primer for board members on each of these risks and can be used to drive more meaningful conversations with key stakeholders on IT risk.
Questions for the board to pose:
What is our organization’s IT strategy, particularly as it relates to supporting our businesses, offerings, customers, and other stakeholders?
In general, do we as an organization want to be an innovator in IT-enabled financial services or to take the more conservative route and be late adopters? What do we need in place to manage the risks inherent in either strategy?
How do we monitor the marketplace for developments that could pose opportunities or risks for our business?
What investments are required to remediate and update our legacy IT environment?