
Importance of Compliance for IT Infrastructure

Ineffective internal controls in the financial sector have resulted in catastrophic events, such as when Barings, one of Britain’s oldest and most respected banks, was brought down by a trader cleverly covering up trading losses until they reached an unsustainable £850m. Many businesses, careers and lives were ruined when the bank collapsed and in the end a competitor was able to purchase it for £1.

Events like this have led the regulators to demand better business governance across the financial sector. These regulations apply as much to IT governance as they do to the businesses themselves because of the intrinsic role IT systems play for businesses today. As such, most IT compliance efforts currently focus on data management. However, as infrastructure failures have the capacity to take a bank out of the market for significant periods of time – potentially generating huge losses – they are also a critical area to address.

IT blackouts that appear in the news are only part of the problem as the IT department’s required agility is often achieved at the cost of system stability and many near-misses occur unreported every day. Therefore, one can assume it is only a matter of time before a catastrophic bank failure occurs due to poor IT infrastructure governance.

A world-class IT organisation needs to be thinking beyond the regulators and good IT governance should not tie up the IT department in red tape. Judicious application of IT best practices, frameworks and methodologies can help achieve this when an accurate picture of the IT environment is available. It is at this point regulatory compliance becomes a happy side effect.

A survey conducted by Expand Consulting on behalf of Tideway Systems among 10 of the top global investment banks, provides a clearer understanding of the banks’ priorities and what they see as the real impact of compliance. This article outlines key findings from the study results.

Current IT Governance

Regulations are now compelling IT organisations to have a much more detailed, real-time view and understanding of the application, database, hardware and network infrastructure layers (the "fabric") and the dependencies between them. The research showed that 50 per cent of the IT organisations in the banks interviewed were actively involved in Sarbanes-Oxley Act (SOX) projects, with IT playing an integral part in addressing the regulator’s requirements.

However, the survey also shows that the main drivers for gaining a deeper understanding of a bank’s infrastructure are to improve cross-charging of services or to deliver cost reduction programmes, such as data centre consolidation. The results indicate that compliance requirements rank below these as a driver for major IT infrastructure data capture projects.

Furthermore, most of those surveyed are simply not ready to start implementing best practice frameworks for IT service management, such as that provided by the IT Infrastructure Library (ITIL), which recommends the use of a configuration management database (CMDB) as a starting point to any solid IT governance strategy. In fact, only 20 per cent of those banks polled are actively engaged in a CMDB project, suggesting it is still early days for finding a standard solution.

Today’s investment bank IT infrastructure at the software or application level, such as front office trading, and at the internal network and data centre levels, is a derivation or evolution that reflects technology advances and years of complex M&A activity. Additionally, there is now a strong move towards merging traditional siloed business lines throughout banking organisations. This adds a whole new dimension – or challenge – to IT management and governance.

Approaches

Most IT organisations currently map out their company-wide infrastructure and hold that system information in tools such as Visio and/or Excel. They might also create a database of the application structure or an inventory of assets, as well as using various technologies, such as specific domain managers, to gather and hold the information in addition to the manually imported data. Although traditional asset management tools can also provide some relevant data, they are far from complete when the requirements of the regulations are examined.

Additionally, many data capture projects typically take a minimum of three months to complete and only provide a snapshot in time. As such the data derived by these initiatives is out of date almost as soon as it is mapped. This becomes costly in terms of time and resources spent on external consultancies and/or internal FTEs (full-time equivalents).

But companies are looking at complementary methodologies, frameworks and practices such as ITIL, COBIT and Six Sigma, which are designed to help drive process improvements necessary for meeting regulatory requirements. According to the survey:

  • 50 per cent of the top 10 global banks were actively adopting ITIL
  • 50 per cent derived best practice for IT internally
  • 40 per cent followed Six Sigma
  • 30 per cent followed CMM (capability maturity model) in one form or another

What this demonstrates is that no panacea exists for meeting regulatory requirements; rather a combination of practices is currently seen as the best solution.

Value of Compliance

Ensuring that IT is compliant with the myriad of existing regulations can be seen as a pure cost that creates little value for the business, rather than as an investment in it. However, best practice frameworks such as ITIL, COSO/COBIT and Six Sigma improve efficiencies by providing:

  • A common structure and terminology
  • Sharing of knowledge
  • Well-defined metrics
  • Simpler verification of good IT governance

Companies need to have the relevant depth of information about the IT environment available to them in order to achieve this level of best practice as a standard. That is best ensured by automating the process of information gathering.

The starting point must be a continuous mapping of the IT systems and their dependencies that are the direct manifestation of the actual trade and transactional flow at the business level. These application, database, hardware and network interdependencies are the life-blood of the organisation. Being able to understand these interdependencies in a real-time environment means having a level of transparency that both enables proof of compliance and, more importantly, mitigates IT risk.
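The contrast the article draws between a one-off mapping exercise and a continuously refreshed dependency map can be made concrete. The following is an added illustration, not code from the article or from Tideway Systems: it holds a constructed CMDB snapshot beside constructed discovery records (the record fields `source`, `target` and `last_seen` are assumptions, not any product's schema), then reports dependencies the snapshot never captured, links that have gone stale, and the set of components put at risk by a failure of one element, computed from the live map rather than the snapshot.

```python
"""Continuous dependency mapping versus a point-in-time CMDB snapshot.

Added example, not code from the article or from Tideway Systems.
All records are constructed sample data; the field names and component
names are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed CMDB snapshot: dependencies documented by a manual mapping
# exercise, i.e. the "snapshot in time" the article describes.
CMDB_DEPENDENCIES = {
    ("trading-ui", "order-gateway"),
    ("order-gateway", "positions-db"),
    ("order-gateway", "market-data"),
    ("risk-engine", "positions-db"),
}

# Constructed discovery output: connections actually observed between
# components, each stamped with the time the link was last seen.
OBSERVED = [
    {"source": "trading-ui", "target": "order-gateway", "last_seen": "2024-03-10T09:00:00"},
    {"source": "order-gateway", "target": "positions-db", "last_seen": "2024-03-10T09:01:00"},
    {"source": "order-gateway", "target": "market-data", "last_seen": "2023-11-02T17:30:00"},
    {"source": "risk-engine", "target": "positions-db", "last_seen": "2024-03-10T08:58:00"},
    # Undocumented: the risk engine now also calls a pricing service,
    # which in turn depends on market data. Neither link is in the CMDB.
    {"source": "risk-engine", "target": "pricing-svc", "last_seen": "2024-03-10T09:02:00"},
    {"source": "pricing-svc", "target": "market-data", "last_seen": "2024-03-10T09:02:00"},
]

NOW = datetime(2024, 3, 10, 9, 5, 0)  # constructed "current time" for the stale check


def observed_edges(records):
    """Reduce discovery records to a set of (source, target) dependency edges."""
    return {(r["source"], r["target"]) for r in records}


def undocumented_dependencies(records, cmdb):
    """Dependencies seen in the live fabric but absent from the CMDB snapshot."""
    return sorted(observed_edges(records) - cmdb)


def stale_dependencies(records, now, max_age):
    """Links not observed within `max_age`; candidates for review or removal."""
    return sorted(
        (r["source"], r["target"])
        for r in records
        if now - datetime.fromisoformat(r["last_seen"]) > max_age
    )


def blast_radius(edges, component):
    """Every component that transitively depends on `component`.

    Walks the dependency graph upstream with a breadth-first search: if
    `component` fails, everything returned here is at risk. Passing the
    observed edges rather than the CMDB edges shows how a stale snapshot
    understates that risk.
    """
    dependents = defaultdict(set)
    for src, dst in edges:
        dependents[dst].add(src)
    seen, queue = set(), deque([component])
    while queue:
        node = queue.popleft()
        for dep in dependents[node]:
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return sorted(seen)


if __name__ == "__main__":
    print("undocumented:", undocumented_dependencies(OBSERVED, CMDB_DEPENDENCIES))
    print("stale (>30d):", stale_dependencies(OBSERVED, NOW, timedelta(days=30)))
    print("market-data failure, per CMDB:     ", blast_radius(CMDB_DEPENDENCIES, "market-data"))
    print("market-data failure, per live map: ", blast_radius(observed_edges(OBSERVED), "market-data"))
```

Run as a script, the example shows the two undocumented links, the order-gateway to market-data link that has not been seen for months, and a market-data failure reaching the risk engine via the pricing service, a path the CMDB snapshot does not know about. In practice the `OBSERVED` records would come from whatever discovery tooling the bank runs; the comparison logic is the same.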

Key Points

The CIO is beginning to feel the pressure from legislation already affecting the CEO and CFO. Most CIOs are being directly involved in the regulatory process, even if not currently required by the actual directive or Act. Considering the critical part that IT plays in enabling the global banking business to operate, it is not such a big step to consider the CIO’s role in risk mitigation as being on a par with that of the CFO. Even without regulatory pressures, IT organisations need to be prioritising good IT governance because it makes business sense.

More attention needs to be paid to the tools and processes utilised to manage the IT infrastructure in order for the CIO to be able to ensure full continuity management, control and safeguard of IT systems, attest to the complete control of the financial systems, and have adequate risk management systems.

Given that IT is all about using relevant technology for the advancement of the business, it is something of a paradox that IT itself has not been making maximum use of available technologies for improved governance, and associated cost savings from process automation. The technology available today can help companies capitalise on compliance standards to reap true business benefits.
