|
INTRODUCTION
Lack of effective internal controls in the financial sector has had catastrophic effects in the past – Nick Leeson, a high performing trader, managed to bring down Barings - one of Britain's oldest and most respected banks - by cleverly covering up trading losses, until they reached an unsustainable £850M. Barings collapsed, and was subsequently purchased by ING for £1. Events like the Barings example have led to regulators demanding better business governance across the financial sector. As the Capital Markets are ever more reliant on IT systems, these regulations apply as much to IT as the business.
To date, most IT compliance efforts have focused on the data – the most obvious place to start. However, infrastructure failures have the capacity to take a bank out of the market for significant periods of time, generating huge potential losses. The IT blackouts that appear in the papers are only the tip of the iceberg – as the agility required of the IT department is often achieved at the cost of stability and many near-misses occur every day unreported. How long can it be before a catastrophic failure of a major bank occurs due to poor IT infrastructure governance? A world class IT organisation needs to be better than even the regulators require – and good IT governance doesn't have to tie the IT department up in red tape. Judicious application of IT best practices, frameworks and methodologies can help achieve this, if based on an accurate picture of the IT environment, at which point regulatory compliance becomes a happy side effect.
The following research findings were the result of a survey of the top ten global investment banks conducted by Expand Consulting on behalf of Tideway Systems, in order to gain a clearer understanding of their priorities and the real impact that today's focus on compliance has, without the hype.
CURRENT IT GOVERNANCE PRACTICES
Today a firm's IT infrastructure, both at the software or application level – such as front office trading – and at the internal network and data centre level, is a derivation or evolution that reflects not only technology advances such as grids replacing compute servers, but also reflects years of M&A activity. In addition there is now a strong move towards ‘merging' traditional siloed business lines such as Fixed Income Interest Rate and Credit lines of business.
The main drivers for gaining a deep understanding of a bank's infrastructure are currently for cross charging services back to the business or cost reduction programs, such as data centre consolidation. Expand's research indicated that compliance requirements came below total cost of ownership (TCO) and crosscharging projects as drivers for capture of IT infrastructure data. However, regulations now compel IT organizations to have a much more detailed and real-time handle on the application, data base, hardware and network infrastructure layers or fabric, and the dependencies between them than ever before.
Most IT organisations at some point in time map out their infrastructure and hold that system map in something like Visio and/or Excel. They may also create a database of the application structure or an inventory of assets, as well as using various technology specific domain managers. Most firms researched by Expand have not gone as far as implementing something along the lines of the IT Infrastructure Library's configuration management database (CMDB) to capture the data, with only 20% of firms polled actively engaged in a CMDB project. This suggests it is still early days for company-wide IT configuration management projects, in spite of compliance pressures.
Any attempt to capture the infrastructure fabric and superstructure dependencies usually occurs to support a particular project, such as the implementation of a new front office trading system or a new intra-day risk reporting process that might require a grid or compute farm. However the data captured in these exercises, which typically take a minimum of 3 months, whilst useful, is only a snap-shot in time. This is not only costly in terms of either external consultancies or internal FTEs, but the data derived by these initiatives is out of date virtually as soon as it is mapped.
|
