Community Banks carry an ongoing burden of compliance for information technology (IT). Examiners expect the bank to undergo annual IT audits, penetration tests, policy reviews, and complete comprehensive technology plans, risk assessments and cybersecurity self-assessments all while trying to do the real work of banking in the community.
Why do regulators expect this level of paperwork? What is the purpose of all those self-assessments and evaluations, and who, ultimately, is responsible for getting them done? The answer lies in the realm of IT Governance. In this article, we’ll explore:
- What is IT Governance?
- Why is it important?
- Who is responsible?
- How do you implement your own IT Governance Program?
IT Governance: What It Is — What It Isn’t
IT Governance is not about the day-to-day management, procurement, installation and running of IT systems. It’s not about keeping the lights on and the wheels turning. Instead, IT Governance can be defined as the processes that ensure the effective, efficient, and safe use of IT to enable an organization to achieve its goals. The key word here is “goals.” Not IT goals, but the business goals of the bank which IT is serving.
What are the primary business goals of your community bank? At a high level, almost all have the same goals: to provide quality, competitive, profitable, timely, confidential, (add your own adjective here) banking services to businesses and individuals within your community. A bank’s business goal is not to provide technological services, but to provide banking services. IT’s role is to serve those goals through efficiency, innovation, cost reduction, competitive advantage, security and marketing, to name a few.
The purpose of IT Governance is two-fold:
- Ensure that IT generates business value for the bank; and
- Ensure that controls are in place to best mitigate the risk posed by technology.
Who Is Responsible for IT Governance?
The easy answer is “everybody,” but the best answer is “whoever sets the business goals for the bank.” Those who set the goals determine the course of governance in all aspects of the business. Ultimately, the Board of Directors has responsibility. The Board puts in place the policies, procedures, values, and long-term planning needed to meet the mission of the organization and the requirements of all stakeholders. Senior Management implements the directives of the Board and makes sure that policies and procedures apply to everyone. Governance is very much a top-down implementation, but ultimately everyone in the organization has responsibilities to see that it operates effectively.
How to Implement an IT Governance Program
The thought of implementing your own program may be overwhelming, but fortunately, you don’t have to start from scratch. A number of thoughtful organizations have put together IT Governance Frameworks: sets of tools, policies, standards and processes that help in implementing a systematic approach to IT Governance. Common frameworks include COBIT, ITIL, COSO, CMMI and FAIR. These frameworks differ somewhat in emphasis and utility, but each offers guidelines for setting up and following an IT Governance program.
Example: COBIT
COBIT stands for Control Objectives for Information and Related Technologies and is published by ISACA (Information Systems Audit and Control Association). COBIT is based on five principles that define the scope of the framework, and four domains that define the cycle of processes for maintaining the framework. COBIT also includes tools for evaluating an organization’s maturity level in governance.
COBIT’s Five Principles
- Meeting Stakeholder Needs: Identify all stakeholders affected by IT and how IT provides business value and security. Include all internal as well as external stakeholders.
- Covering the Enterprise End-to-End: The framework should be inclusive of everyone within the organization: top to bottom, all assets, no exceptions.
- Applying a Single Integrated Framework: Set the rules and stick to them.
- Enabling a Holistic Approach: This principle recognizes that there are a lot of interacting parts of an organization and this framework helps to manage that complexity.
- Separating IT Governance from IT Management:
  - IT Governance: Ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; sets direction through prioritization and decision-making; and monitors performance and compliance against agreed-on direction and objectives.
  - IT Management: Plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
COBIT’s Four Domains
COBIT’s four domains are where the functional meat of your IT Governance program lies. The domains should be treated as a set of recurring, cyclical tasks that are continually revisited to ensure that IT stays aligned with changing business goals and increasingly serious security threats:
- Align, Plan and Organize: The first step is to take a detailed look at your existing IT systems and infrastructure and make sure that they align with your business goals and risk threshold.
- Build, Acquire and Implement: The implementation and maintenance of IT should be guided by the informed, intelligent review conducted in the first domain.
- Deliver, Service and Support: Track IT support and delivery and gather data on the type, frequency and severity of support issues.
- Monitor, Evaluate and Assess: Continually monitor the status of IT systems, evaluate in terms of business and security goals, assess risk, and adjust as needed.
The full COBIT framework dives down to a very detailed level. It’s worth the effort to review the varied frameworks and adopt one that appears to best match your bank’s internal and regulatory requirements.
What to Keep In Mind When Developing an IT Governance Program
Whichever model you choose, or if you choose to design your own, remember these important points:
- IT Governance is not IT Management.
- IT Governance is the process that ensures the effective, efficient, and safe use of IT to enable an organization to achieve its goals.
- IT Governance is top-down and is initiated by the Board and Senior Management — but everyone in the organization has some level of responsibility.
- IT Governance Frameworks provide the guidance to implement your own governance program.
- Governance is a cyclical process that requires ongoing evaluation, monitoring, and review.
Mike Gilmore is the Chief Compliance Officer of RESULTS Technology and a Certified Information Systems Auditor (CISA) with more than 30 years of experience in the banking industry. RESULTS Technology provides IT services to community banks across the Midwest. In his role as CCO, Mike provides compliance and risk assessments, audit and exam support and policy documentation. He can be reached at mgilmore@resultstechnology.com.