Accounting for technology risk

The survey indicates that banks are addressing technology risks in similar ways. They’re prioritizing being able to trust their data. Many have made considerable progress with data management, governance, and technology, and plan to continue investing in these areas for at least the next couple of years.

This should give us all confidence. The banking industry is highly interdependent, with the largest banks critical parts of national infrastructures. Banks need to speak the same language and operate in similar ways to avoid creating ripple-effect problems.
 

And banks face proliferating risks, not least of all new technologies such as cryptocurrency and AI that are radically changing the dynamics and landscape of the industry.

Yet only 64% of bank execs surveyed agreed that accelerated digital innovation is driving the need to improve tech risk management and resilience. This figure is far lower than it should be. When banks digitize and transform, the way data flows changes, as does the way people interact with technology and data. All of this necessitates a shift in how risk is assessed and managed.

At the same time, only 45% agreed that effective tech risk management requires IT, risk, and cybersecurity functions to work well together. I’ve seen firsthand—both in my days in banking and in my work with ServiceNow customers—the incredible benefits that accrue when you break down cross-departmental silos and adopt processes and tools that enable collaboration and democratization of information.

I would urge bank executives to reconsider their positions in these areas. From my vantage point, executives must get ahead of what is coming from regulatory bodies and focus on maturing fundamental risk management capabilities. This means acting in these areas:

• Organization and culture: Embrace strong risk identification and management across the enterprise so that everyone considers themselves a risk officer. Shared stewardship engenders a better risk posture and helps employees feel more engaged and empowered.
• Process and integration: Take a consistent approach to risk, everywhere. Use integration to codify risk frameworks and simplify adoption. These practices also make it easier to scale and extend frameworks as needed.
• Governance: Ensure technology risk is a board-level conversation, not left solely to the CIO to manage, and that it is integrated with your broader business-risk view. Explore how new approaches to data sharing and internal reporting can support these efforts.
• Data: Speaking of data and reporting, it’s key to identify sources of truth for your risk positions and build trust in them. It’s hard to have strategic, effective conversations about technology risk if you don’t have common interfaces for accessing vital data.
• A single risk platform: Underneath those interfaces, there should be a unified platform that can host policies, risks, and controls, and aggregate enterprisewide data sources to enable real-time intelligent views of the risk and resilience of your organization.

Risk has always been a central driver of change in the banking industry. Yet in this moment of transformative technological change, technology risk is not being addressed as assertively as it must be for the industry to stay ahead of threats and regulatory requirements.

However, as our research shows, even though there is substantial work that individual banks must do, the banking community as a whole must be tightly aligned to ensure the system remains resilient and trusted by the public.