Risk management is critical to the functioning of banks. There are therefore several regulations and ordinances, such as Basel II and III, PCI-DSS and SOX, to name a few, that address the enterprise risks that banks face on an ongoing basis. In addition, there are pre-built frameworks that can be deployed on several industry-leading risk and compliance platforms, including SAP, Archer and Oracle. But what about IT infrastructure? How can banks ensure that risks to their IT infrastructure are contained and addressed?
Recently, companies learnt how vulnerable their data centers were, thanks to Hurricane Sandy. Flooding and power outages caused by the super-storm forced several New York data centers operated by Datagram, Peer1, etc. to shut down. And this was not an isolated incident — in August 2003, a blackout in Manhattan, NYC, crippled around 320 data centers and affected over 1000 companies, 240 of which were financial institutions. Such incidents do not happen often, but when they do, they can bring an unprepared organization to its knees.
Banks can manage IT risks and compliance in the following ways:
- Stress-testing: Financial institutions must perform extensive calculations (stress testing) using statistical models to assess their IT infrastructure risks. Stress testing uses a significant amount of computational resources and takes extreme conditions into account, often to the breaking point, in order to test the system and observe the results.
- Operational Risks: Banks must adopt, and be able to execute, a comprehensive disaster recovery (DR) plan to identify and manage operational services better. They can mitigate risks by implementing and managing intrusion detection and prevention systems, data loss prevention, unified threat management, security device management, etc.
- Leveraging Cloud: Cloud computing has tremendous potential in managing IT infrastructure risk. Again, to give you an example with respect to Hurricane Sandy, a financial asset management business in Manhattan saw its servers going down as the flood waters from New York Harbor rose. But their Connecticut-based IT service provider had prepared them for such an event, and spun up a virtual version of the business's entire infrastructure in the cloud. This gave the asset management firm's customers uninterrupted access to services, even through the storm.
- Outsourcing risk and compliance: Service delivery models related to outsourcing risks and compliance have evolved over time. While multi-tenancy and flex-delivery models are generating interest among banks as a way to achieve non-linearity and cost savings, a strong partner can provide financial institutions with a robust system that has the necessary controls and policies in place to ensure that the bank is compliant with the required frameworks.
The regulatory and compliance environment is becoming more complex by the day, demanding significant effort and focus from banks. As banks grow global and expand across national boundaries, the types and number of risks they are exposed to increase. Hence it is necessary that financial institutions have an IT Risk Management strategy in place that aligns with the overall Enterprise Risk Management strategy.