Chapter 1 : Information Technology Governance - ଆରବିଆଇ - Reserve Bank of India
Chapter 1 : Information Technology Governance
Introduction : Corporate Governance constitutes the accountability framework of a bank. IT Governance is an integral part of it. It involves leadership support, organizational structure and processes to ensure that a bank’s IT sustains and extends business strategies and objectives. Effective IT Governance is the responsibility of the Board of Directors and Executive Management. The role of IT Governance cannot be over emphasized. According to Richard Nolan and F. Warren McFarlane of Harvard Business School, “Lack of Board oversight for IT activities is dangerous; it puts the firm at risk in the same way that failing to audit its books would”. Access to reliable information has become an indispensable component of conducting business, indeed, in a growing number of banks, information is business. With IT increasingly being intrinsic and pervasive, attention must be paid to IT Governance, with an increased focus on how strongly a bank relies on IT and just how critical IT is for the execution of the business strategy, since:
In a 2009 survey, the Information Technology Governance Institute (ITGI) found a positive statistical correlation between advancement of IT Governance practices and IT outcomes. The survey indicated that better IT Governance practices led to improved IT outcomes. For example, the frequency with which IT was included on the Board's agenda, or an increased alignment between business and IT, resulted in IT-enabled investments to create value within the enterprise and or increase the degree to which IT performed against expectations. IT has enabled banks to plan, deliver, manage and integrate products, in line with customers' needs through a range of products and services that are available to both retail and corporate customers. These include emergence of technologies such as sweep-in or sweep-out facilities, channel financing, straight through processing, multi-channel banking, mobile banking, Real Time Gross Settlement (RTGS), National Electronic Fund Transfer system (NEFT) and cheque truncation solutions, etc. Today, almost every commercial bank branch is at some stage of technology adoption: total branch automation or core banking solution (CBS), or alternate delivery channels such as internet banking, mobile banking, phone banking and ATMs. In view of the large branch network, CBS is being implemented across banks in a phased manner. According to RBI’s report on “Trend and Progress of Banking in India 2009-10”, there was a significant rise in the percentage of branches of public sector banks implementing CBS from 79.4 percent in end-March 2009, to 90 percent by end-March 2010. Further, 97.8 percent of the PSB branches were computerized by end-March 2010. The growth in ATMs for all scheduled commercial banks was observed to be 37.8 percent in 2009-10. The number of ATMs for all Scheduled Commercial Banks, at the end of March 2010, stood at 60,153. Challenges Though increased use of IT has enhanced a bank's business opportunities, it has resulted in newer challenges. One of them being the need to integrate independent applications developed on varied technology platforms for services and enabling IT trust among stakeholders. Challenges faced while aligning bank’s IT practices with regulatory directives across jurisdictions and industry frameworks, and meeting growing business needs, are: a) Retaining IT human resources, training and IT service costs provided by vendors is one. Then, inflexibility of applications requiring changes, insufficient business process re-engineering, organisational structure of IT not in line with business needs, act as impediments in implementing effective IT Governance b) Inadequate Senior Management and Board awareness on IT use and governance c) Lack of ownership of IT Governance policies and procedures due to inadequate support or direction from stakeholders d) Use of IT for committing frauds such as Phishing, SQL Injection, database and server hacking, network attacks, Denial of Service attack, web page defacing, Cross Site scripting, card cloning, etc. that result in financial and reputational loss e) Risks arising from money laundering through electronic channels and its countering are a challenging task for banking system. This risk is compounded, as customers use alternate delivery channels. f) Legal and reputational loss due to compromise of customers' and credit-card holders' accounts g) With shorter life-cycle of technology products, banks are required to consider cost of replacing investments made in hardware and software vis-à-vis their expected benefits h) Risks arising out of outsourcing requiring suitable mitigating actions A. GUIDANCE FOR BANKS a) Roles and Responsibilities and Organizational Framework: Well-defined roles and responsibilities of Board and Senior Management are critical, while implementing IT Governance. Clearly-defined roles enable effective project control. People, when they are aware of others' expectations from them, are able to complete work on time, within budget and to the expected level of quality. IT Governance Stakeholders include:
b) Organisation Structure: i). Expertise at the Board Level: IT Strategy Committees should have some form of participation at the Board level. This is to ensure that as part of the Corporate Governance initiatives, IT Governance is also addressed, so as to advice on strategic direction on IT and to review IT investments on Board's behalf. ii). Qualified and Independent IT Strategy Committee: A qualified and an independent IT Strategy Committee should be set up with a minimum of two directors as members, one of whom should be an independent director. IT Strategy Committee members should be technically competent. At least one member should have substantial IT expertise in managing technology. (Explanation1: Technically herein will mean the ability to understand and evaluate technology systems. Explanation 2: A member will be considered to have “substantial IT expertise” if he has a minimum of seven years of experience in managing IT systems and/or leading/guiding technology initiatives/projects. Such a member should also have an understanding of banking processes at a broader level and of the impact of IT on such processes. If not, then the member should be trained on these aspects.) iii). Chairman of an IT Strategy Committee shall be an independent director. Also, the CIO should be a part of this committee, who should be present at Board meetings to help IT strategy align with business goals. The IT Strategy Committee should meet at appropriate frequency as and when needed (at least four times in a year) and not more than four months should elapse between two meetings. iv). Powers of IT Strategy Committee: It is recommended that the committee should have following powers:
c) Recommended Roles and Responsibilities: Board of Directors/ IT Strategy Committee: Some of the roles and responsibilities include:
Risk Management Committee:
Executive Management Level (CEO, CIO, Business Executive): i) IT strategy:
ii) Value Delivery:
iii) IT Risk Management:
iv) IT Resource Management:
v) Performance Management
Chief Risk Officer (CRO):
Business Unit Level: IT Steering Committee: An IT Steering Committee needs to be created with representatives from the IT, HR, legal and business sectors. Its role is to assist the Executive Management in implementing IT strategy that has been approved by the Board. It includes prioritization of IT-enabled investment, reviewing the status of projects (including, resource conflict), monitoring service levels and improvements, IT service delivery and projects. The committee should focus on implementation. Its functions inter-alia include:
IT Line Management: IT line managers, reporting to senior IT management, supervise resources and activities of a specific IT function, department, or subsidiary. They usually co-ordinate services between data processing areas and user departments. Some IT functions that often rely on line managers, include data centre operations, network services, application development, systems administration, telecommunications and customer support. Front-line managers co-ordinate daily activities, monitor current status, ensure adherence to established schedules and enforce corporate policies and controls. Business Unit Management: This unit consists of bank managers in business lines, who also have IT responsibilities:
Specific roles of IT Line Management and Business Unit Management, with respect to technology, may vary depending upon the bank’s approach to risk management and policy enforcement – either a centralized or a decentralized strategy.
d) IT Organizational Structure: The IT organizational structure should be commensurate with the size, scale and nature of business activities carried out by the bank and the underlying support provided by information systems for the business functions. The broad areas or functions that can be considered for IT organizational structure will include technology and development, IT operations, IT assurance and supplier and resource management, each of which may be headed by suitably experienced and trained senior officials (preferably not less than the rank of AGM). Illustrative functions of the various divisions may include:
Critical Components of IT Governance Framework: IT Governance has two aspects: value add to business through use of technology and mitigating IT risks. The first is driven by strategic alignment of IT with Business. The second is driven by embedding accountability in the bank. Both focus areas require support through adequate resources and measurement to ensure that results are delivered. One of the well-known international frameworks in achieving effective control over IT and related risks is the “Control Objectives for Information Technology” (COBIT) that is issued by ITGI. The framework provides five focus areas for IT Governance. Value delivery and IT risk management are outcomes, while the remaining three are drivers: strategic alignment, IT resource management and performance measurement. IT Governance is a continuous life-cycle. It's a process in which IT strategy drives the processes, using resources necessary to execute responsibilities. Focus Areas for IT Governance: IT Governance entails number of activities for the Board and Senior Management, such as becoming aware of role and impact of IT on a bank: assigning responsibilities, defining constraints within which to operate, measuring performance, managing risk and obtaining assurance. Recommendations, Actions on IT Governance practices: Before adopting these, banks are required to evaluate their nature and scope of activities and the current level of leverage of IT and related controls. 1. Policies and Procedures: (a) The bank needs to have IT-related strategy and policies that covers areas such as:
(b) IT strategy and policy needs to be approved by the Board (c) Detailed operational procedures may be formulated in relevant areas including for data centre operations (d) A bank needs to follow a structured approach for the long-range planning process considering factors such as organizational model and changes to it, geographical distribution, technological evolution, costs, legal and regulatory requirements, requirements of third-parties or market, planning horizon, business process re-engineering, staffing, in- or outsourcing, etc. (e) There needs to be an annual review of IT strategy and policies taking into account the changes to the organization’s business plans and IT environment (f) Long-range IT strategy needs to be converted to short-range plans regularly, for achievability (g) The short-range plan,inter-alia, may cover the following: plan for initiatives specified in the long-range plan or initiatives that support the long-range plans, System wise transition strategy, Responsibility and plan for achievement (h) Banks need to establish and maintain an enterprise information model to enable applications development and decision-supporting activities, consistent with IT strategy. The model should facilitate optimal creation, use and sharing of information by a business, in a way that it maintains integrity, and is flexible, functional, cost-effective, timely, secure and resilient to failure (i) There is also a need to maintain an “enterprise data dictionary” that incorporates the organization’s data syntax rules. This should enable the sharing of data among applications and systems, promote a common understanding of data among IT and business users and preventing incompatible data elements from being created (j) Banks need to establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g. public, confidential, or top secret) of enterprise data. This scheme should include details of data ownership; definition of appropriate security levels and protection controls; and a brief description of data retention and destruction requirements (criticality and sensitivity). It should be used as a basis for applying controls such as access controls, archiving or encryption. Banks also need to define and implement procedures to ensure integrity and consistency of data stored in electronic form (read: databases, warehouses and archives). More details are indicated in the “Chapter: Information security”. (k) There is a need for a CIO in banks. He has to be the key business player and a part of the executive decision-making function. His key role would be to be the owner of IT functions: enabling business and technology alignment. The CIO is required to be at a level equivalent to that of the Chief General Manager (CGM) or General Manager (GM), having credible operational experience or proven leadership and awareness and knowledge of IT or having related IT experience2. IT Strategic Alignment This addresses the key question–whether a bank’s technology investment is aligned to its strategic business objectives, enabling the formation of capabilities necessary to deliver business value. IT strategy provides banks the opportunity to:
When formulating an IT strategy, a bank must consider:
As IT gets more critical for a bank’s survival in addition to enabling growth, IT Strategy Committees need to broaden their scope beyond offering advice on strategy, to other areas like IT risks, value and performance. Challenges in IT Strategy:
With Respect to IT Strategic Alignment, Banks Need to, inter-alia, ensure the following: a) Banks should have an up-to-date business strategy that sets out a clear direction for IT that is in accordance with the business objectives b) Major IT development projects need to be aligned with business strategy, having a business case c) IT investments need to be suitably balanced between maintaining the infrastructure that support the bank's “as is” operations, and the infrastructure that transforms the operations and enables the business to grow and compete in new areas d) IT budget reflects priorities established by the portfolio of IT-related investment programmes and includes ongoing costs of maintaining the infrastructure e) Board's IT Strategy Committee reviews and advises the management about IT-related investments f) IT Steering Committee (or equivalent) composed of executives from business and IT management have responsibility to: determining prioritization of IT-related investment; track status of projects; resolve resource conflict; monitor service levels and service improvements g) IT Steering Committee should assess if the IT Governance structure fosters accountability, is effective and transparent, has well-defined objectives, actions and unambiguous responsibilities for each level in the organisation structure h) Performance of IT management is monitored i) Comprehensive and ongoing due diligence and oversight process is established for managing the bank's outsourcing relationships and other third-party dependencies supporting e-banking (Also see “IT Outsourcing” in report) 3. Value Delivery The basic principles of IT value delivery are on time and within budget delivery of IT projects, with appropriate quality, which achieves benefits that were promised. Often, Senior Management and Boards fear to start major IT investments because of the size of investment and the uncertainty of outcome. For effective IT value delivery to be achieved, both actual costs and Return on Investment (ROI) need to be managed. The value that IT adds to a business is a function of the degree to which the IT organisation is aligned with the business objectives and how far it meets expectations. The business should set expectations relative to IT deliverables:
To manage expectations of the management, IT and business should use a common language for value, which translates business and IT terminology and is factual. Therefore, technology should be aligned to provide value, so that it supports bank by delivering on time, with appropriate functionality and intended benefits. Alignment of technology to business also provides value by delivering infrastructure that enable the bank to grow by improving customer satisfaction, assuring customer retention, breaking into new markets, increasing overall revenue and driving competitive strategies. a) Capacity to deliver is dependent on:
b) The Board of Directors and bank's Senior Management should consider following aspects before adopting recommendations given in this section:
i) IT-enabled investment programmes and other IT assets and services are managed to ascertain that they deliver the greatest possible value in supporting the bank's strategy and objectives:
ii) Effective IT controls are in place to minimize IT related vulnerabilities, increase efficiency, use resources optimally and increase the effectiveness of IT processes iii) IT function supports robust and comprehensive Management Information System in respect of various business functions as per the needs of the business that facilitate decision making by management iv) Project management and quality assurance steps should be implemented to ensure systems are delivered on time, to cost and with the necessary level of functionality v) IT internal control failures and weaknesses and their actual and potential impact need to be evaluated and management takes suitable actions in respect of such control failures or weaknesses vi) Project-level steering committees needs to be created for taking responsibility for execution of the project plan, achievement of outcomes and project completion. The various responsibilities include reviewing progress against the project plan, reviewing and approving changes to project resource allocation, time lines, objectives, costs, keeping the project scope under control and approving changes to the business case, acting on escalated project issues and resolving conflicts between stakeholder groups and assisting in evaluation of project risks, and project risk management approaches vii) Independent assurance on the achievement of IT objectives and the containment of IT risks is conducted regularly viii) IT Steering Committee or any of its sub committees involving the CIO and senior business managers prioritize IT initiatives and assign ownership for IT-enabled business opportunities ix) Periodical review of all non-performing or irrelevant IT projects in the bank, if any, and taking suitable actions 4. IT Risk Management a) Effective risk management begins with a clear understanding of the bank’s risk appetite and identifying high-level risk exposures. b) Having defined risk appetite and identified risk exposure, strategies for managing risk can be set and responsibilities clarified. Dependent on the type of risk, project and its significance to the business, Board and Senior Management may choose to take up any of the three actions:
c) At a basic level, risk should at least be analysed, even if there is no immediate action to be taken, the awareness of risk will influence strategic decisions. An IT control framework defines stakeholders and relevant controls for effective Enterprise Risk Management. The “risk register”, usually in form of a table, is a tool that assists in risk management. It is also called a “risk log”. It usually is used when planning for the future that includes project, organizational, or financial plans. Risk management uses risk registers to identify, analyse and manage risks in a clear and concise manner. Risk register contains information on each identified risk and planned responses are recorded in the event the risk materializes, as well as a summary of what actions should be taken before hand to reduce the impact. Risks are ranked in order of likelihood, or of their impact and record the analysis and evaluation of risks that have been identified. The register or the log may be created for a new project or investment. d) Banks should consider following aspects before adopting recommendations given in this section:
e) In respect to IT risk management, banks should inter-alia consider the following: i. IT management needs to assess IT risks and suitably mitigate them ii. Bank-wide risk management policy, in which operational risk policy includes IT-related risks, is in place. The Risk Management Committee periodically reviews and updates the same (at least annually) iii. Bank’s risk management processes for its e-banking activities are integrated into its overall risk management approach. A process should be in place to have effective management oversight over the risks associated with e-banking activities, including specific accountability, policies and controls to manage these iv. All risks related to suppliers are considered. Risk mitigation measures such as proactive relationship management, escrow and second sourcing v. Appropriate incident response plans which include communication strategies ensuring business continuity, control reputation risk and limit liability associated with disruptions in their IT-enabled services, including those originating from outsourced systems and operations. (Details indicated in chapters relating to “Information Security” and “IT Operations”.) vi. Operational risk inherent in all material products, activities, processes and systems, are assessed and relevant controls are implemented and monitored vii. Appropriate measures are implemented to ensure adherence to customer privacy requirements applicable to the jurisdictions to which the bank is providing e-banking products and services, including foreign jurisdictions where the bank operates viii. Appropriate procedures are implemented to comply with legislative, regulatory and contractual requirements on the use of systems and software where IPR, copyrights and on the use of proprietary software products are applicable ix. Information security policy is in place and requirements indicated in the chapter on information security are considered x. Comprehensive and centralized change control system is implemented at levels (project or application), so that changes are appropriately reviewed and approved xi Appropriate programme and project management framework is implemented for the management of all IT projects that ensures the correct prioritisation and co-ordination xii. For managing project risks, a consistent and formally-defined programme and project management approach needs to be applied to IT projects that enable stakeholder participation and monitoring of project risks and progress. Additionally, for major projects, formal project risk assessment needs to be carried out and managed on an ongoing basis xiii. Components of well-known IT control frameworks such as COBIT and ITIL as applicable to each bank's technology environment may be implemented providing a standardised set of terms and definitions that are commonly interpreted by stakeholders, allowing them to bridge the gap with respect to control requirements, technical issues and business risks, and communicate a level of control xix. Inter-dependencies between risk elements are considered in the risk assessment process, as threats and vulnerabilities have the potential to compromise interconnected and interdependent systems and processes xv. An appropriate Business Continuity Management Framework is implemented and tested as per requirements in the chapter on BCM framework. xvi. A process is implemented to evaluate vendors, who provide outsourced services, including comprehensive due diligence procedures, monitoring vendor performance and managing service-level agreements. (Details provided in “IT Outsourcing” chapter.) 5. IT Resource Management A key to successful IT performance is optimal investment, use and allocation of IT resources: people, applications, technology, facilities and data, in servicing the bank's needs. Additionally, the biggest challenge in recent years has been to know where and how to outsource, and then to know how to manage the outsourced services in a way that delivers the values promised at an acceptable price. IT assets are complex to manage and continually change due to the nature of technology and changing business requirements. Effective management of hardware life-cycles, software licences, service contracts and permanent and contracted human resources is a critical success factor. It is critical not only for optimising the IT cost base, but also for managing changes, minimising service incidents and assuring a reliable service quality. Out of the IT assets, human resources represent the biggest part of the cost base. It is most likely to increase on a unit basis. It is essential to identify skill sets requirements through delineation of job roles and responsibilities and an assessment of required core competencies in the workforce. An effective recruitment, retention and training programme is necessary, to ensure that a bank has the skills to utilise IT effectively, so as to achieve the stated objectives. Ability to balance the cost of infrastructure assets with the quality of service (including those provided by outsourced external service providers) is critical to successful value delivery.Project Management a) Programme and project management framework (for IT and non-IT related projects which are critical to a bank), is an important component of resource management. Its framework ensures a project's correct prioritisation and co-ordination. It includes a master plan, assignment of resources, definition of deliverables, approval by users, a phased approach to delivery, a formal test plan, testing and post-implementation review (after installation) to ensure project risk management and value delivery to the business. b) Project Management is achieved by:
c) Project Management can be measured by:
For resource management, banks need to have operational plans and budgets that specifically identify IT components and implement processes for capacity planning. Banks need to consider the following aspects before adopting the recommendations.
For IT resource management, banks should, inter-alia, consider the following: i) That the Board is appropriately aware of IT resources and infrastructure to meet strategic business objectives: banks are aware that a process is in place to record resources available and potentially available ii) Policies and procedures for information systems monitoring facilitate, consistent and effective reporting and review of logging, monitoring and reporting of system events iii) Responsibilities and authorities of individuals, accountable for creating and managing records, are identified throughout for records management iv) Requirement for trained resources, with the requisite skill sets for the IT function, is understood and assessed. A periodic assessment of the training requirements for human resources is made to ensure that sufficient, competent and capable human resources are available v) Information on IT investments is available to the Board and Senior Management vi) Procedures to assess the integration and interoperability of complex IT processes (such as problem, change and configuration management) exists before committing additional investments vii) Responsibilities, relationships, authorities and performance criteria of project team members and stakeholders are stated viii) Bank's procurement practices is used to plan and manage the procurement of products and services required for project 6. Performance Measurement a) IT performance management aims at:
b) Balanced scorecards translate strategy into action, to achieve goals within a performance measurement system that goes beyond conventional accounting, measuring relationships and knowledge-based assets necessary to compete in the information age such as: customer focus, process efficiency and an ability to learn and grow. The scorecard consists of financial, customer, internal and learning perspectives. An example of a balanced scorecard is one that uses metrics such as customer satisfaction feedback, IT performance parameters (server and network downtime) or capacity utilisation. By using the scorecard, beyond the short-term financial measures as indicators of the company’s performance management, it also takes into account intangible items such as level of customer satisfaction, streamlining of internal functions and the creation of operational efficiencies and development of staff skills. This unique and more holistic view of business operations contributes to linking long-term strategic objectives with short-term actions. c) Use of an IT balanced scorecard (IT BSC) is one of the means that can be considered by banks to aid the Board and Senior Management to achieve alignment of IT and business strategies. The objectives are to establish a vehicle for management reporting to the Board, to foster consensus among key stakeholders about IT’s strategic aims, to demonstrate the effectiveness and add value by use of technology, and to communicate IT’s performance, risks and capabilities. The schema of IT Balanced Scorecard is shown below. d) IT Governance maturity model is another tool to ascertain the level of maturity of a bank's IT Governance. Levels include:
e) A bank may consider the following aspects before adopting recommendations:
f) In respect to the IT performance management, the considerations for a bank are the following:
B. INDUSTRY LEVEL RECOMMENDATIONS (a) A forum in India– akin to the “Financial Services Technology Consortium” (FSTC) in the US, under the aegis of IDRBT, can work collaboratively to solve shared problems and challenges, as well as pioneer new technologies that benefits banks. Through the FSTC, more than 100 of the top North American financial services and technology firms, academic institutions and government agencies come together to discuss and research technology issues. FSTC Standing Committees sponsor collaborative research projects, technology development pilots, proof-of-concept tests and more. Some of the benefits may include updation regarding current developments and trends, promoting standards, networking on shared technical challenges, discussing the legal and regulatory dimension of complex technical issues facing the banking industry, conducting studies affecting industry as a whole and voicing and resolving any problems or issues faced by banks, while dealing with vendors, in a collective manner. (b) An exclusive forum for CIO and senior bank IT officials, under the aegis of IDRBT or IBA, can be encouraged to enable sharing of experiences, best practices and discussion of issues of contemporary relevance for the benefit of the industry as a whole. The regulator can also be part of the meeting as observer. KEY RECOMMENDATIONS 1. Banks needs to formulate Board-approved IT plan document, which is long-term in nature and provides the IT road map. Additionally, IT policy needs to be framed for regular management of IT function. Detailed documentation in terms of procedures, guidelines and authorizations need to exist and be implemented. There needs to be an annual review of IT strategy or plans and policies taking into account changes to the organization’s business plans and IT environment. 2. There is a need for creation of exclusive Board-level IT Strategy Committee, which shall have a minimum of two directors as members. Out of these two members, one should be an independent director. Members of IT Strategy Committee shall be technically competent. At least one member shall have substantial IT expertise in managing technology. 3. Risk Management Committee of a Board needs to promote development of IT-related enterprise risk management expertise and help managers align risk responses with an entity’s risk tolerances and develop appropriate controls. 4. There is a need for the position of a CIO in banks. The CIOs need to be key business players. They need to be a part of the executive decision-making process. Their key role would be as a owner of the IT function and enable business and technology alignment. The CIO is required to be at a level equivalent to Chief General Manager (CGM) or the General Manager (GM), having credible operational experience and proven leadership with awareness or knowledge and/or experience relating to IT. 5. IT Steering Committee needs to be created with representations from IT, HR, legal and business sectors (as appropriate). The committee's role will be to assist the executive management implement IT strategy that has been approved by the Board. Tasks will include prioritization of IT-enabled investment, reviewing status of projects (resolving resource conflict), monitoring service levels and improvements. 6. Organizational structure for IT should be commensurate with size, scale and nature of business, and underlying support provided by information systems for business functions. 7. Key focus areas of IT Governance includes strategic alignment, value delivery, risk management, resource management and performance management. 8. Requirements for trained resources with requisite skill sets for IT function need to be understood and assessed. A periodic assessment of human resources is made to ensure that sufficient, competent and capable human resources are available. 9. Bank’s risk management processes for its e-banking activities need to be integrated into the bank's overall risk management approach. A process should be in place to have an effective management oversight of the risks associated with e-banking, including specific accountability, policies and controls. 10. Banks need to establish and maintain an enterprise information model to enable applications development and decision-supporting activities, consistent with IT strategy. The model should facilitate optimal creation, use and sharing of information by a business, in a way that it maintains integrity, and is flexible, functional, timely, secure and resilient to failure 11. There is also a need to maintain an “enterprise data dictionary” that incorporates the organization’s data syntax rules. This should enable the sharing of data among applications and systems, promote a common understanding of data among IT and business users and preventing incompatible data elements from being created 12. Board needs to be adequately aware of IT resources and infrastructure available to meet required strategic business objectives and that a process is in place to record the resources available and potentially available. 13. IT Steering Committee should assess if the IT Governance structure fosters accountability, is effective and transparent, has well-defined objectives, actions and unambiguous responsibilities for each level. 14. Performance of IT management needs to be monitored, to ensure delivery on time and within budget, with appropriate functionality and intended benefits. 15. Information on IT investments needs to be made available (periodically) to the Board and Senior Management for evaluation 16. Procedures to assess the integration and interoperability of complex IT processes such as problem, change and configuration management need to exist, depending upon the extent of technology leverage in a bank. 17. Appropriate programme and project management framework needs to be implemented for the management of IT projects, which ensures the correct prioritization and co-ordination. 18. For managing project risks, a consistent and formally-defined programme and project management approach should be applied to IT projects that enable stakeholder participation and monitoring of project risks and progress. Additionally, for major projects, formal project risk assessment needs to be carried out and managed on an ongoing basis. 19. IT functions need to support comprehensive Management Information System in respect to business functions as per business needs that provide inputs for effective decision-making on the part of the management. 20. Bank-wide risk management policy, in which operational risk policy includes the IT-related risks, needs to be in place. The Risk Management Committee periodically has to review and update the same (annually). 21. Components of well-known IT control frameworks like COBIT, as applicable to the technology environment of each bank, may be considered for implementation in phased manner, for providing a standardized set of terms and definitions, interpreted by stakeholders. 22. Effective IT control practices avoid breakdowns in internal control and oversight. They increase efficiency by using resources optimally thereby increasing the effectiveness of IT processes. 23. Information on major IT projects, which have a significant impact on the bank’s risk profile and strategy, are reported to appropriate levels of management. It has to be made sure that such information undergoes appropriate strategic and cost-and-reward analysis on a periodic basis. 24. Project-level steering committees need to be created to take responsibility for the execution of project plan, outcome achievement and project completion. 25. IT balanced scorecard may be considered for implementation, with approval from key stakeholders, to measure IT performance along financial dimension and others such as customer satisfaction, process effectiveness and future capability. And there is the need to assess IT management performance based on metrics such as scheduled uptime, service levels, transaction throughput, response times and application availability. 26. Banks may consider assessing its IT maturity level by setting a target as per the IT Governance Maturity Model, designing the action plan and implementing it to reach the target level. 27. There is a need for a forum in India (either independent or under the aegis of IDRBT), similar to the US-based Financial Services Technology Consortium, to work collaboratively to solve shared challenges, as well as pioneer new technologies that benefits all banks. 28. An exclusive forum for CIO and senior IT officials, under the aegis of IDRBT or IBA, can be encouraged to enable sharing of experiences and issues of contemporary relevance for the benefit of the industry. The regulator can also be part of the meeting as observer. |