SUCCESS CASES
Banking and Financial Services Industry
AN INNOVATIVE FRAMEWORK FOR THE MANAGEMENT OF IT RISK IN BANKING
Risk management in banking markets is a complex issue, with banks involved in multi-level risk governance. The outbreak of digital information has, in fact, made it much more difficult to protect information assets and align the systems with the related business processes.
THE CONTEXT
It is not coincidence that in response to a widely shared need, Bank of Italy Circular No. 263 has led the banks towards the adoption of a unified IT risk analysis framework, which allows IT risks to be integrated with those of Security.
Specifically, circular no. 263 requires banks to adopt an IT risk governance model. This model, approved by the Supervisory Board with strategic supervision function, defines the methodology for the analysis and measurement of IT Risks, as well as the Bank’s risk propensity and the most appropriate management methods where risk levels exceeding the permitted inclination are found.
THE CLIENT
The client is one of the largest banking groups in Europe, among the top five in the Retail Banking segment in Italy, with over 900 offices spread across the country and a wide range of online banking services.
CLIENT NEEDS:
- Difficulty in coordinating compliance activities, in particular the practices associated with the various reference regulatory frameworks and company policies;
- Need to improve compliance management, standardizing processes and adhering to regulatory standards for all internal Business Ownership;
- Provide an aggregate risk management model, based on a platform that allows an integrated risk view on multiple layers;
- Integration in the model of the defined monitoring points and relative metrics already in use in the bank;
ESC 2 APPROACH
Based on the findings, the analysts of ESC 2 have worked following a methodological approach based on a holistic vision of Risk Management.
In this sense, the team worked following a design model based on the following objectives:
- Construction of a synoptic framework of risks regarding the Service Initials, Functional Blocks and Processes (IT and Business), computed on the best practices for Risk Management (Cobit IT Risk, ISO 27005), maintaining the overall view proposed by ABI -LAB;
- Re-using the data already collected (e.g. in the projects) and optimizing the methods of field assessment;
- Changing the operational risk management model, establishing a univocal criterion for the assessment and calculation of risk;
For the implementation of the solution within the client, the ESC 2 team proposed the Infosync solution, solving the client’s problems on all 3 aspects. Infosync is the response of the ESC 2 team to the needs of the Compliance, Risk Management and Security functions since it engineers and automates the collection, analysis and evaluation of information aimed at estimating IT risks, assessing their sustainability and opportunities, depending on the business to be protected and the legal, compliance and reputational impact, to reduce the measured exposure.
With the adoption of Infosync , in fact, the client has had a powerful and integrated framework for risk management at multiple levels. The unified platform allowed a more rapid scenario analysis, a real-time modeling, reconnecting the characteristic risks to the related assets, processes and infrastructural layers. Furthermore, the Internal Audit processes for the first lines of management were managed to normalize, manage and implement the various treatment plans.
THE PLUS OF INFOSYNC
One of the main strengths, that have made Infosync the most suitable solution for the client, is certainly found in the methodology, written in relation to the best practices, international standards of the sector and the binding regulations of reference.
An innovative methodological approach that allowed the customer to pursue the following objectives:
- to create a unified and integrated view of all IT risk components;
- to convey information among the functions responsible for managing IT risk in an effective, timely and exhaustive manner, encouraging mutual collaboration;
- to assign to the risk an adequate value in the decisional and strategic processes for the evolution of the technological service infrastructure;
- to support the processes of compliance with internal and external laws and regulations.
VALUE FOR THE CLIENT
After a half-year of adaptation, deployment, gradual assessment of assets and modeling of risk scenarios, the client has successfully completed the annual compliance reporting, going well beyond the initial expectations of management regarding compliance with company policies and related regulatory requirements.
ACHIEVED RESULTS
- Compliance with the Bank of Italy directive regarding Circular 263 Cap VIII, containing the new prudential supervision provisions for banks;
- Standardization of the model of computation and risk assessment
- Evaluation and measurability of results over time;
- Automation of the risk calculation model, based on the incidence of historical and potential incidents.
- Operational models based on the outcomes of the field assessment regarding projects, operations, security and incident management;
- Reduction of complexity in audits to internal interlocutors;
- Identification of standard treatment measures (Cobit5, ISO 27001, Privacy Statement);