CORPORATE LANDMINES: TECHNOLOGY GOVERNANCE AND CONTROLS
Cecilia Harvey, Tech Women Today
Technology governance and controls have become the burning issue for corporate boards, C-suite executives, and regulators. Without the appropriate governance and controls, technology can become the corporate landmine that leads to client attrition, regulatory censure and poor financial results.
Last April millions of TSB customers lost access to their money following a planned transfer of more than a million accounts to a new computer platform. TSB revealed that last year’s massive IT failure cost the bank £330m, while 80,000 customers switched their account to a competitor. Meanwhile Facebook has been accused by Rana Foroohar at the Financial Times of putting growth ahead of governance for too long. Fake news, privacy concerns and data breaches saw Facebook stock decline over 25% over the course of 2018. March 2018 saw shares in Facebook drop from $172.56 to $161.95 in a day as a result of the Cambridge Analytica data scandal. The stock then declined 20% in July after disappointing second-quarter results, removing $200 billion from the market value.
And what about banks? The Financial Conduct Authority (FCA) believes banks are ‘overly confident’ about their ability to manage their IT systems, despite overwhelming evidence that the number of technology failures is growing rapidly. Megan Butler, executive director of supervision at the Financial Conduct Authority, said that firms had reported a 138 per cent rise in outages in the year to October, yet most still felt that they were on top of their IT problems. “This level of confidence simply isn’t supported by the data we’ve collected,” she said.
Traditionally, the primary success metrics for technology centre on delivery and costs: Are we delivering technology projects on time? Are we delivering within our budget? The focus needs to shift to “how” we are delivering technology: Are we implementing technology in the right way? Are we ensuring the right controls exist? How are we ensuring that we continue to optimise these controls?
Technology teams should not be blamed. There is often senior management pressure on technology teams to reduce costs, cut staff, outsource to low-cost vendors and reduce delivery timelines. Often technology teams are reprimanded for requesting an increase in budget or for asking for more time and resources to complete complex projects that have client impact. This pressure to deliver faster and cheaper can have dire consequences, as we have already seen.
Furthermore, traditional “tick box” change management and programme management is detrimental to organisations. Technology is a dynamic industry that requires more agile methods of delivering change, rather than the often bureaucratic and costly traditional programme management that is unable to keep up with the speed and changing priorities that come with technological change.
Going forward, regulators will continue to ensure that senior executives are accountable for technology governance and controls. Formal written attestations will continue to be a tool used by regulators to hold management personally accountable for ensuring compliance with regulatory standards and the presence of adequate controls. The individual can be subject to investigation and be personally liable (e.g. bonus claw-back, fines) for non-compliance. As a result, senior executives should commission independent assessments of their technology landscape in order to proactively uncover potential landmines.
Technology governance and controls will continue to be a priority for regulators, with key areas of focus being (a) use of third-party vendors, (b) system resilience and scalability, and (c) data governance. Furthermore, the number of C-suite level roles focused on technology controls and governance will continue to increase. In order to be effective, these roles must (a) think strategically about how the technology architecture and control framework must evolve in order to address existing gaps and future regulatory and control requirements, (b) remain business focused and not become bureaucratic bottlenecks that hinder progress and business growth, and (c) embed the culture and conduct that helps the organisation manage performance based on “how” we deliver and not only “what” we deliver.