Costly Consequences of IT-related Risks

Governance, Risk Management and Compliance is one of the core services of EMC Consulting. Speaking with executives all over Asia Pacific & Japan, we hear a consistent message that they need help to re-assess their IT systems in terms of resilience and inter-dependencies.

In the aftermath of an online service outage which reportedly crippled branch, ATM, Internet, and mobile banking services for customers of a large bank in Singapore back in 2010, the Monetary Authority of Singapore instructed the company to set aside an extra $230 million in regulatory capital for operational risk. In addition, the bank invested millions to bring its recovery time to less than 60 minutes.

Lost revenue, churning customers and bad publicity are costly consequences of IT-related outages. On the opposite end of the spectrum, building and maintaining sturdy, highly available and robust IT systems can be cost-prohibitive for some enterprises.

Businesses such as financial institutions expect – and demand – IT departments to operate efficiently and provide products and services that help generate revenue. At the same time, these IT departments are under severe pressure to lower costs and support the growth of new products and services.

Innovation, time-to-market and new channels are critical means of remaining competitive. Meanwhile, the technology landscape continues to shift dramatically. Companies realize they must transform their data centers, implement newer and better information storage and processing systems, push server and desktop virtualization, move to hybrid cloud with self-service and automated provisioning, and add access to new mobile devices. These changes are expected to happen while the core applications continue uninterrupted.

Companies are failing to realize that IT and inter-dependencies between systems have become increasingly complex. As technologies and IT systems change, companies must continuously reassess ever-evolving threats and the rapidly shifting technology landscape. They must also re-examine their operational risk and risk management strategy – especially the assumptions made about events deemed to have a very low probability of happening – and start building robustness and resilience into their business-aligned, highly interdependent IT organizations.

The Monetary Authority of Singapore will soon publish the 4th version of “Technology Risk Management Guidelines” to help mitigate major IT meltdowns. The guidelines stipulate requirements for a high level of robustness and integrity of critical IT infrastructure and systems, and also specify the requirements for financial institutions to implement IT controls to protect customer information from unauthorized access or disclosure. With the recent rash of IT outages happening to financial institutions, it’s not difficult to understand the need for expanded guidance that focuses on both technology enhancements and preventing cyber threats and attacks.

Technology solutions change continuously. What used to be compliant may no longer be. Are your IT systems up for the challenge?

About the Author: Hakon Jacobsen