Why banks need to unify technology, risk, and security

In today’s dynamic banking environment, effective management of technology risk is paramount. The rapid adoption of new digital tools and solutions is exposing banks to a battery of technology threats that can bring down their operations.

These growing risks range from cyberattacks and fraud to internal software failures and system misconfigurations—and they have CEOs on alert. According to a survey of 750 global banking executives conducted by ServiceNow and ThoughtLab, seven out of 10 CEOs say technology risk is the biggest danger to their bank. And 64% of CEOs expect technology risk to increase over the next two years.

On top of that, regulators are demanding increased accountability from boards of directors and senior executives. Four out of 10 banks ensure the board and senior management oversee technology risk management. That number is expected to rise in two years’ time.

The need for better technology risk management

Accelerating digital innovation is driving the need to improve risk management and resilience. About a quarter of C-suite executives—and more than a third of chief operating officers—say worries about introducing technology risks are preventing their firms from innovating.

Another 23% of C-suite executives—and 27% of chief information officers—think their innovations create risks because they don’t involve IT, risk, and security teams early enough in the process. Nearly half of executives believe these functions must work well together to successfully manage tech risk.

Internal forces matter just as much as, if not more than, external ones. Hackers and nefarious actors cause only 6% of all failures at major banks, according to The Financial Brand.

Most major incidents result from events that can be controlled from within, such as deficient software, inadequate change processes, deployment issues and human errors. This reality accentuates the need for cross-team collaboration, bringing together experts in technology risks, human risks, process risks, etc.

The impact of siloed teams and data

Although most banks have systems, technologies, and processes to manage risks, the systems often operate as point solutions that amplify silos across people, processes, and data. In fact, siloed data and tools are the top technical challenge risk teams at banks face when seeking to improve technology risk management, according to the ServiceNow/ThoughtLab research.

With disconnected teams and data, it’s a Herculean effort to ensure technology and security teams are properly managing risks throughout the technology life cycle and operating in a compliant manner. This fragmentation often prevents chief risk officers, information security officers and technology leaders from having an accurate and current view of risk levels, control effectiveness and issue remediation.

Even for banks at a high level of risk maturity, 40% believe IT, cybersecurity, and risk executives have only partial visibility across IT infrastructure, security systems and business processes.
 

Communication and coordination for best results

Unifying technology, security, and risk organisations is an important step on the journey to becoming a leader in risk management and resilience—and innovating and growing.

In fact, 62% of leaders in technology risk and resilience plan to ensure IT, risk, and cybersecurity teams work together more closely over the next two years. The right organisation and culture across these teams can create a “defensive triad” that solidifies the connective tissue behind a confident risk posture.

“IT and cybersecurity departments have been isolated in the past, but we have learned that we need to coordinate with other groups,” noted a global head of crisis management, cyber, and technology risk at a top-tier French universal bank. “We might be able to solve technical issues, but not the tactical or strategic ones. We are working to break down the silos.”

IT and cybersecurity teams realise they must work with each other and with a range of decision-makers from the business, including the CEO, senior managers, and operational and financial risk managers. To improve coordination, more than a quarter of leaders have expanded the role of the chief risk officer to include IT risk, a percentage that is expected to grow to 36% in two years.

Intelligent orchestration and monitoring

Integrated risk platforms provide banks with a full view of cyber, technology, enterprise and operational risks, as well as a common set of tools to manage them.

Over the next two years, nearly all leaders in technology risk management—and three-quarters of less mature organisations—will use an integrated risk platform, according to the research. This will be essential for banks as they strive to incorporate technology risk into their overall risk frameworks and take a more holistic risk approach.

When risk, security, and technology teams work together to intelligently orchestrate and monitor processes on one platform, banks can:

• Improve risk posture: Financial institutions can identify and respond to risks fast. Teams can address risks and threats before they become breaches or audit findings. By continuously monitoring technology and security controls, firms can reduce the number of high-priority issues, leading to a strong risk and compliance posture.
• Bolster security: Modernising your security operations can optimise resilience, productivity and costs. This is possible with a rationalised environment that spans all departments.
• Reduce costs: Automation built into every aspect of risk and compliance management can greatly reduce manual efforts and the potential for operational losses due to regulatory fines, audit findings or risk failures.
• Accelerate innovation: With unified technology systems and processes, business leaders and tech leaders can innovate more rapidly across the business while mitigating risk.

Gain more insights in the full research report: Conquering technology risk in banking.

© 2023 ServiceNow, Inc. All rights reserved. ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries. Other company names, product names, and logos may be trademarks of the respective companies with which they are associated.