Ramzi Musallam of Greatpark Consulting talks about automating technology risk management and the challenges around it.
Technology risk management in financial services is no easy task, particularly as the regulatory and compliance environment becomes increasingly rigorous. The recent computer problems at RBS will only serve to focus further questions on the risks associated with technology change management, operational stability and disaster recovery arrangements. Quite often an organisation’s response to a new regulatory requirement is to add an extra process or function, an ad hoc approach that may address the immediate issue but can lead to overlapping responsibilities, inconsistent processes and duplicated effort, as well as additional cost. In most cases the administration of the remediation work, and the subsequent tracking and risk monitoring, is performed on spreadsheets. As in any job, you need the right tools to get the best result. The right tools for this increasingly complex challenge are out there, but it is not always clear which one(s) to use.
Many vendors now have an enterprise governance, risk and compliance (EGRC) or IT governance, risk and compliance (ITGRC) offering. But having looked at many such products, I can only conclude that selecting the right one is a complex exercise that requires the right approach. Right now the most widely used risk management, or GRC, tool is Microsoft Excel; the take-up of dedicated GRC tools is still in its infancy. Marketing departments need to up their game! A KPMG pulse survey published in June suggested that 64 per cent of risk practitioners were entirely reliant on manual processes, and only 16 per cent used automation to give senior managers an up-to-date view of their risk profile.
The collation of data, and its analysis to produce meaningful metrics and management dashboards, can be automated by taking feeds directly from existing systems such as the CMDB, the service desk application and their underlying databases. The flexible reporting modules built into most up-to-date GRC systems can then be used to help management spot trends and see where their attention is required.
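To make the automation concrete, the following is an added example (not code from the article or from any GRC vendor) of the kind of collation step a GRC feed replaces. The CMDB and service-desk records, the field names and the patch SLA thresholds are all constructed for illustration and are assumptions, not any product’s schema. The script joins the two feeds on the configuration item, derives three metrics that are commonly tracked on remediation spreadsheets (overdue remediation actions, patch SLA breaches and change failure rate) and rolls them up by owning business unit, which is the view a management dashboard would show.

```python
"""Added example: collating risk metrics from CMDB and service-desk feeds.

All records below are constructed, hypothetical data standing in for
exports from a CMDB and a service-desk system; the field names and the
patch SLA thresholds are assumptions, not a vendor schema.
"""
from collections import Counter, defaultdict
from datetime import date

AS_OF = date(2012, 7, 31)  # reporting date for the constructed snapshot

# Constructed CMDB extract: one row per configuration item (CI).
CMDB = [
    {"ci": "pay-batch-01", "criticality": "high",   "owner": "payments",  "last_patched": date(2012, 2, 10)},
    {"ci": "pay-batch-02", "criticality": "high",   "owner": "payments",  "last_patched": date(2012, 7, 15)},
    {"ci": "crm-web-01",   "criticality": "medium", "owner": "retail",    "last_patched": date(2012, 6, 30)},
    {"ci": "hr-db-01",     "criticality": "low",    "owner": "corporate", "last_patched": date(2011, 11, 1)},
]

# Constructed service-desk extract: remediation actions and change records.
TICKETS = [
    {"id": "REM-101", "ci": "pay-batch-01", "kind": "remediation", "due": date(2012, 6, 30), "closed": None},
    {"id": "REM-102", "ci": "pay-batch-02", "kind": "remediation", "due": date(2012, 7, 20), "closed": date(2012, 7, 18)},
    {"id": "REM-103", "ci": "hr-db-01",     "kind": "remediation", "due": date(2012, 5, 1),  "closed": None},
    {"id": "CHG-501", "ci": "pay-batch-01", "kind": "change", "outcome": "failed"},
    {"id": "CHG-502", "ci": "pay-batch-02", "kind": "change", "outcome": "success"},
    {"id": "CHG-503", "ci": "crm-web-01",   "kind": "change", "outcome": "success"},
    {"id": "CHG-504", "ci": "pay-batch-01", "kind": "change", "outcome": "rolled_back"},
]

# Assumed patching policy: maximum days since last patch, by CI criticality.
PATCH_SLA_DAYS = {"high": 30, "medium": 90, "low": 180}

FAILED_OUTCOMES = ("failed", "rolled_back")


def overdue_remediation(tickets, as_of=AS_OF):
    """Open remediation tickets past their due date, mapped to days overdue."""
    return {
        t["id"]: (as_of - t["due"]).days
        for t in tickets
        if t["kind"] == "remediation" and t["closed"] is None and t["due"] < as_of
    }


def patch_sla_breaches(cmdb, as_of=AS_OF):
    """CIs whose last patch date exceeds the SLA for their criticality, sorted."""
    return sorted(
        ci["ci"] for ci in cmdb
        if (as_of - ci["last_patched"]).days > PATCH_SLA_DAYS[ci["criticality"]]
    )


def change_failure_rate(tickets):
    """Fraction of changes that failed or were rolled back: (overall, per CI)."""
    total, bad = Counter(), Counter()
    for t in tickets:
        if t["kind"] != "change":
            continue
        total[t["ci"]] += 1
        if t["outcome"] in FAILED_OUTCOMES:
            bad[t["ci"]] += 1
    per_ci = {ci: bad[ci] / total[ci] for ci in total}
    overall = sum(bad.values()) / sum(total.values()) if total else 0.0
    return overall, per_ci


def dashboard(cmdb, tickets, as_of=AS_OF):
    """Roll the three metrics up by owning business unit (the management view).

    Only owners with at least one finding appear in the result.
    """
    owner_of = {ci["ci"]: ci["owner"] for ci in cmdb}
    by_owner = defaultdict(lambda: {"overdue_remediation": 0, "patch_sla_breaches": 0, "failed_changes": 0})
    overdue = overdue_remediation(tickets, as_of)
    for t in tickets:
        if t["id"] in overdue:
            by_owner[owner_of[t["ci"]]]["overdue_remediation"] += 1
        elif t["kind"] == "change" and t["outcome"] in FAILED_OUTCOMES:
            by_owner[owner_of[t["ci"]]]["failed_changes"] += 1
    for ci in patch_sla_breaches(cmdb, as_of):
        by_owner[owner_of[ci]]["patch_sla_breaches"] += 1
    return dict(by_owner)


if __name__ == "__main__":
    for owner, metrics in sorted(dashboard(CMDB, TICKETS).items()):
        print(owner, metrics)
```

The point of the join on the CI is that each metric is traceable back to a system, an owner and a criticality, so the dashboard can be drilled into rather than argued over; re-running the script against a fresh export replaces the manual re-keying into a spreadsheet that the KPMG survey figures describe.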
There is no ‘one size fits all’ approach to the measurement of performance and risk. Risk management should be embedded into normal business processes and decision-making. As Luis Custodio, IBM’s chief risk officer, says: “What is really important is to deploy risk management practices and a programme that aligns with the company’s management system and is embedded in the fabric of the business.”