Operational integrity enhancement
Managing data protection and operational soundness
In the past, regulators have not exerted much influence over a company's information systems, as long as those systems operated within reasonable standards of safety, soundness, and security. That traditional, hands-off approach to IT regulation is starting to change. In today's increasingly digital and data-driven world, information systems and the data they hold play a crucial role, and not just in business: many of society's fundamental pillars would be inoperable without reliable information systems that do what they are supposed to do.
Operational integrity: Having systems, processes, and people that do what they are supposed to do—effectively, accurately, reliably, and securely—with the resilience to withstand threats and bounce back quickly from problems, no matter how severe.
The large and growing potential for widespread damage from information system problems is prompting regulators in major industries to establish increasingly strict requirements and detailed guidance on how companies manage their IT systems and data. Regulators are particularly concerned about problems that could:
- Prevent critical markets and infrastructure from functioning properly
- Threaten the health and survival of entities that are essential to our financial system and way of life
- Compromise customer data and put citizens at risk
Direct supervisory oversight of system integrity, security, and resilience within a business is a major departure from regulators' traditional arm's-length approach to operational and IT risk management. It imposes rigorous testing and supervisory processes intended to ensure that companies follow appropriate processes and procedures; that they can identify and mitigate risks in a timely manner; and that they have sufficient controls in place to maintain a high level of system integrity, security, and resilience.
Emerging regulations and regulatory guidance related to operational integrity cover each step of the information system life cycle:
- Development: Ensuring a system is properly designed to do what it is supposed to do, with supporting documentation as evidence.
- Pre-production testing: Making sure the system functions as designed, in accordance with applicable rules and regulations.
- Implementation: Rolling out the system using a robust change management framework that helps ensure people use it correctly.
- Operation and monitoring: Monitoring the system to confirm it is operating correctly and doing what it should, and monitoring for a wide range of risks and threats: data breaches and cyberattacks, capacity limits, and the effect the system has on external markets and societal infrastructure.
- Governance: Having effective internal governance over systemically critical systems, using a formal governance framework that clearly defines roles and responsibilities and helps ensure the proper procedures and processes are being followed.
- Remediation: Having a clearly defined path and process for escalating problems to a management level where timely remediation can occur. Also, having clear processes and procedures for handling critical risks, such as how to notify customers in the event of a data breach.
- Effectiveness testing: Ensuring that the system is operating effectively and doing what it’s supposed to do while complying with applicable rules and regulations.
Major improvement opportunities
Although every industry is somewhat different when it comes to operational integrity, many of the requirements and challenges they face are fundamentally the same. Here are some important improvement opportunities that companies in all industries can use to help satisfy the demands for more robust operational integrity:
- Top-down and bottom-up risk management
- Business ownership of IT risks
- Coordinated solutions to uncoordinated requirements
- Better documentation of functional requirements to support testing
- Processes and tools to protect customer information and deal with breaches
- Solutions that address the issue of third-party risk
- A developed and documented risk assessment process
- Culture shift
Ready. Set. Go.
Companies wrestling with the challenge of operational integrity face complexity from all angles, including conflicting and redundant guidance and requirements from a variety of regulators. To develop workable solutions, companies must reconcile and rationalize all of that diverse guidance into a unified vision and approach. Rigorous testing is also key.
Unfortunately, most companies won't get serious about operational integrity until regulators start formalizing requirements and imposing fines, and by then it may be too late. Problems related to operational integrity already pose a very real threat to a company's reputation and well-being, and may even threaten its survival. Operational integrity is also critical to the health and integrity of our financial markets, and of society as a whole.
Operational integrity is a challenge that needs to be addressed immediately. And now is the time to get started.
To learn more about industry-specific regulatory guidance, read our breakdowns of the banking, securities, insurance, and energy industries.
- Operational integrity enhancement—Banking Industry
- Operational integrity enhancement—Securities Industry
- Operational integrity enhancement—Insurance Industry
- Operational integrity enhancement—Energy Industry