Digital Transformation Of Banks
The digital transformation is of particular strategic relevance for banks: almost all internal processes can be digitized to a large extent, and digitized processes are in turn a prerequisite for a competitive range of products and services. In addition to the industry-independent challenges of a digital transformation, banks also have to meet high regulatory requirements for IT management in order to take account of the industry-specific risk.
The restructuring of IT within the regulatory framework is an essential basis for the successful implementation of the digital transformation agenda of banks. The use of cloud services, agile working with risk tolerance, as well as recruiting and establishing the right skills and culture are some of the building blocks for successful IT restructuring.
Use Of Cloud Services
When using cloud services, there are many aspects to consider that need to be addressed carefully. For example, these are:
- The contractual arrangement with the cloud provider
- Coordination with the responsible supervisory authorities on the risks of (material) outsourcing management
- The complexity of cross-border issues
- The establishment of an effective cloud risk management standard
- A migration strategy and its operational implementation, i.e. moving IT applications and their data into the cloud
- Structuring the software development lifecycle and the production deployment process in the cloud
An Integrated Risk And Control System As The Basis For Agile Working
Agile working requires core controls that are as preventive and automated as possible, together with the greatest possible transparency about the risk profile of IT assets and their associated processes, showing which of them lie within and which outside the risk tolerance. To this end, BaFin has interpreted and formulated the minimum requirements for risk management and for outsourcing management in its banking supervisory requirements for IT. One answer to this is an integrated risk and control system with the following structure:
- Definition of threat situations (“Threats”) and applicable regulatory requirements
- Allocation of the threat situations and requirements to the risk types of the risk taxonomy, which is used company-wide by the bank
- Determination of control objectives in order to bring the risk articulated by the regulatory requirements and the threat situations within the risk tolerance
- Application of the control objectives to IT assets, always in the context of the associated (“front-to-back”) process, and on this basis the definition and implementation of controls that are as automated and preventive as possible
- Consideration of audit findings, self-identified problems and lessons learned from events (“incidents”) such as IT failures or cyber attacks when defining the specific controls, and
- Provision of management information based on the risk and control inventory, in order to determine the framework for agile working, to set up very specific improvement programs and to steer them until implementation is complete.
Establishing The Right Competencies And IT Culture
Establishing the right skills and culture in IT starts with the composition of the team. Since the subject is technology, IT should be managed by engineers, and its employees should for the most part have a comparable background.
Agile working as part of the culture is based almost unchanged on the principles of the 2001 Manifesto for Agile Software Development. While the Scrum working method has proven helpful for individual teams, the precise application of a specific scaling model such as the Scaled Agile Framework (SAFe) or the Spotify model seems to be less important for the alignment of the “team of teams”. What matters is living the values of autonomous work, which lead to high motivation and a short time to market and which rest on trust, transparency, quality and an error culture, in combination with an effective risk and control system.