Magazine article American Banker

Technology Risk Management Can't Be Compartmentalized

Article excerpt

Risk management is fundamental to banking and a familiar practice to all experienced bankers. But it generally takes the form of compartmentalized processes. For example, credit risk management concentrates on the loan portfolio and origination process; investment risk management on the securities portfolio, and so forth.

Unfortunately, this approach fails when it comes to technology risk. What's different is that technology permeates the institution's operations, and therefore defies compartmentalization. It enables processes that the bank uses to develop, deliver, and manage its products and its support operations.

So what is the right approach to technology risk management?

Looking at the big picture

A technology risk assessment begins with the bank's strategic plan, recognizing the role that technology plays and the mechanisms that gather, process, and store information. The next step involves evaluating systems, databases, and applications.

At this point it is also necessary to look at the architecture of the bank's systems and networks to determine their connections with internal and external systems. This will reveal access points and other areas where security mechanisms will be needed.

By understanding the role that technology plays in various business functions, senior executives are better able to size up these functions' relative importance. And knowing how information flows through the bank, and where data are entered, transferred, and stored, will reveal potential vulnerabilities.

Information classification can help, too. This involves distinguishing classes of data or systems and assigning priorities. A basic system might use three or four categories ranging from "highly confidential" to "public." Each category would get unique treatment; obviously, one would not want to see "highly confidential" and "public" information following the same transmission path or stored on the same computer server with only rudimentary controls. …
