Risky Business: The Modern IT Battle Plan
Businesses today are in a constant state of transformation. Driven by the newest technologies and latest trends, business leaders are endlessly seeking improvement through change. While the financial services industry has traditionally been insulated from rapid change due to stricter regulations and greater underlying risk, more institutions than ever before are beginning to embrace the competitive advantages of leading technology trends like unified communications, virtualization and BYOD.
While this has created new business efficiencies and cost savings, it’s also created a new type of risk for the financial services industry – technology risk. Applications and network infrastructure have become vital to operations, causing employees, customers and trading partners to depend on a new line of business-critical systems and networks. When they fail, it can have a catastrophic effect on the business, and even the economy.
As a result, too much is dependent on these systems for financial IT leaders to be caught unprepared – they need to meet these new risks head on. Only through a thorough understanding of the vulnerabilities in their underlying networks and systems can they minimize failures and loss of service. There are five key areas of common technology risk that all financial services organizations need to address:
1. System Failure: An obvious area of technology risk is the risk that the system will fail. When systems and networks go down, it affects both the internal workflow of employees and their ability to service customers. To mitigate this risk, companies need to build in resiliency and diversity. This is normally done by building high availability into a single system and having a fallback system or capacity capable of restoring service. For data services, this could be a spare router or a virtual machine where software can be quickly activated. For voice services, this could include number re-routing or using a public telephone network. The key is to inspect the end-to-end network flow and identify all critical components and interdependencies when planning for potential failures.
2. Inefficiencies throughout the Process: If there is no clear process outlined for things like service management, there is potential to lose efficiencies and waste valuable time across the organization. In addition, processes for service management should conform to ITIL standards, which are proven best practices in the industry for incident, capacity and change management. Key areas to address for these three types of process management include:
- Incident management should include appropriate escalation and post-incident reviews to manage underlying root causes and improve future response times.
- Capacity management should include a thorough evaluation of capacity usage and trends to help with network planning and prevent overloads.
- Change management should include scheduling, implementation, testing and restoration planning.
Beyond establishing best practices for these processes, savvy IT leaders should also continually refine them, applying ongoing learning to gain even greater efficiencies.
3. Security Risks: Financial IT leaders are no strangers to security risk. Security is highly developed in banking and is a significant area of ongoing investment. However, because consumers and businesses are using new technologies and communicating across more channels than ever before (internet, phone, email, IM, etc.), it’s important to conduct individual risk management and threat assessments for each channel on an ongoing basis. This will ensure that each channel is protected from threats with the latest infrastructure, intrusion detection/prevention systems and management controls.
4. Technology Becoming Obsolete: The risk of becoming obsolete is probably the most overlooked category of technology risk. Manufacturers normally limit the support life for their equipment through a series of events:
- End-of-sale: When the item is no longer available for purchase.
- End-of-support: When the equipment is no longer receiving software updates.
- End-of-life: When the equipment is no longer serviced by the manufacturer.
As equipment moves through these stages, the risk from continued usage increases due to a lack of ability to properly service the hardware. It’s important that organizations are tracking the end-of-life cycle for their equipment and building in suitable replacement plans before it becomes obsolete.
5. Planning for the Unexpected: Business continuity and disaster recovery plans are vital to restoring service during disruptions and helping mitigate the risk of small-scale outages or even the complete loss of a data center. While most financial institutions have some recovery plan in place, proper planning should cover a number of key factors:
- Identify critical business applications and areas of resilience and vulnerability
- Ensure data centers are separated enough to avoid duplication of risk, that is, simultaneous failure from a single incident
- Define potential failure events and create planned responses for how the infrastructure should be adapted
- Test the performance and latency between data centers to ensure they can support normal business processes
The emergence of new technology and changing financial services requirements will continue to force IT leaders to evolve best practices for managing technology risk. To be clear, it will never be possible to remove risk completely. But by evaluating these underlying risks at regular intervals and mitigating with current best practices, financial services companies can minimize these risks and will be prepared to quickly recover when something happens.
Marc Carletti is Executive Vice President of Global Banking & Financial Markets (GB&FM) at BT Global Services, a world leader in interlinking the largest secure financial services community with the highest-quality service. Marc manages the major global accounts in BT’s financial services customer portfolio and is responsible for GB&FM’s overall business strategy and the partnerships with BT Advise, a business that delivers consulting, systems integration and managed services around the world. He joined BT in 2010 from Management & Advisory Services Ltd (mas LTD), where he was an Associated Partner.