Managing technology related operational risk through IT governance - PowerPoint PPT Presentation

About This Presentation
Title:

Managing technology related operational risk through IT governance

Slides: 17
Provided by: Sophi85

Transcript and Presenter's Notes

1
Managing technology related operational risk
through IT governance
  • Oceania CACS 2003
  • Crooks, Lies IT Governance
  • Bob McKinnon

www.commbank.com.au
2
IT is a critical enabler of your business
strategy but it is inherently risky
Nature of risk
Potential consequence of risk
  • Non-compliance with policies or regulations
  • Duplication of systems



  • Unauthorised disclosure, usage and destruction of
    information and systems
  • Systems do not operate as intended
  • Systems are unstable and/or fail
  • Lack of shared values
  • Failure to exploit shifts in technology
  • Spend too much on IT
  • Infrastructure is not adaptable or does not
    leverage scale
  • Unreliable and out of date information
  • Systems lack necessary controls
  • Inappropriate solutions
  • Brand or reputation damage
  • Inconsistent IT capabilities across the business
  • IT investments are not aligned to strategy
  • Economic loss of failed projects
  • Architectural
  • Operational
  • Management
  • Financial

3
Like all risks IT risks must be managed
  • IT risk management is a systematic process for
    managing IT exposure and controlling activities
    with the intent of providing an efficient
    pre-loss plan that will minimise the adverse
    impact that risk will have on earnings, cash
    flows, goodwill, brand image, and shareholder
    equity
  • META Group

4
The CBA risk management approach
Corporate Business Strategy
Almost all management activities within IT have a
risk management objective.
Governing all IT activities so that the IT
Systems and Services Portfolio aligns with and
supports the Corporate Business Strategy in a way
that minimises the risk of it being compromised
so managing IT risk is something we do every day
in almost everything we do
IT Systems and Services Portfolio
5
Three key building blocks to governance
Sourcing model
Strategy model
Management model
6
The role of IT strategy in risk management?
Corporate Business Strategy
  • The business environment changes continuously
  • Financial services sector
  • Business needs
  • Available technology
  • IT strategy enables the Bank to identify the
    consequential changes required in the IT
    portfolio to minimise risk

IT strategy
IT Systems and Services Portfolio
7
How do we approach strategic planning?
Identify and Prioritise Capabilities
[Figure: priority matrix. Axes: Risk (strategic, financial, operational), Lower to Higher; Gap (between the current and desired capabilities), Lower / Intermediate / Higher. Cells: Highest Priority, High Priority, Medium Priority, Lower Priority.]
Examples of High Priority Capabilities
  • Unique customer identifier
  • Multi-channel front-end platforms

Capability Implementation Approaches
Capability Implementation Principles
  • Each customer will have a single unique
    identifier stored in a single repository

8
What are the benefits of strategic planning?
  • Risk is reduced through
  • Common understanding and agreement of our IT
    journey, e.g. needs, gaps, approaches, priorities
    and roadmap
  • Improved communication and transparency
  • Framework for assessing on-going impact of change

Common understanding of the journey reduces risk
9
The role of Sourcing Strategy in risk management?
  • Current arrangements
  • 1997 single source preferred provider contract
    with EDSA
  • Services-based vs. technology-based
  • 2000 re-sourced telecommunications to TCNZA
  • Not all Colonial services transitioned
  • IT sourcing strategy enables the Bank to
    identify the changes to sourcing required in
    order to introduce the identified capabilities
    into the portfolio
  • It also reduces supply risk through
  • Considering supply market changes: available
    technology, suppliers or services
  • Applying the sourcing lessons learnt from history

10
How do we approach strategic IT sourcing?
Management of supply risk
  • Some services must be done in-house e.g.
    architecture, policy
  • Use competitive, existing supply markets
  • Match supplier capabilities and supplier risk
    horizons
  • Maintain flexibility

Business drivers
Needs analysis
Decision criteria
Current situation
Sourcing options
Strategy and roadmap
Environmental scan
11
What are the benefits of having a sourcing
strategy?
  • Common understanding of
  • demand for IT services
  • changing nature of the services market
  • Common understanding of options available to
    satisfy demand and their implications for the
    portfolio and risk
  • Framework for decision-making and risk
    management
  • what do we do in-house
  • what do we source externally
  • how do we source it
  • from whom

Understanding and satisfying demand reduces risk
12
Why is an IT management model important?
because execution is risky!
13
A holistic approach to IT management reduces risk
  • Some guiding principles
  • CBA is a single enterprise SO manage
    infrastructure and govern IT at an enterprise
    level
  • Business strategy is executed through lines of
    business SO define requirements and implement
    solutions at a business level

Decision-making accountabilities
14
What are the other benefits of a clearly
articulated management model?
  • Turns strategy into reality
  • Shared values across the IT community
  • Clarity of roles and responsibilities
  • Clarity of decision making authorities
  • Transparency and understanding
  • Better management of skills and competencies
  • Working together better

Making it happen together
15
Governing IT to reduce risk is multi-dimensional
Common understanding of the journey
Understanding and satisfying demand
Making it happen together
16
  • Oceania CACS 2003
  • Crooks, Lies IT Governance