Following some longstanding Federal Financial Institutions Examination Council guidance, examiners are making sure banks have technology plans and that these plans meet the regulations. As a result, banks are taking a hit from examiners at a rate that rivals door dings in an outlet mall parking lot.
If some recent conversations I’ve had are any indication, about 70% of banks don’t have a strategic technology plan that will pass muster in their next regulatory exam. According to the FFIEC IT Examination Handbook (positively riveting reading, by the way), institutions should have a strategic information technology plan that focuses on a three- to five-year horizon and helps ensure alignment with their business plans, including delivery of IT services, balanced cost and efficiency, and meeting the competitive demands of the marketplace.
Unfortunately, the tech plans of many institutions are little more than project lists, a collection of IT projects that chief technology officers want done in the next year or so. They rarely include projects that overly benefit the lines of business. They frequently carry over items year after year. They are basically a garden variety assortment of infrastructure projects, server upgrades and desktop refreshes.
The strategic plans of many banks fail to mention infrastructure upgrades among the corporate goals. They don’t include line of business plans. They probably do discuss technology as a strategic enabler, a competitive differentiator, a necessity for mobile and Internet channels. But the technology plan often doesn’t include these factors. And that, my friends, is a disconnect – a problem with real consequences.
Although technology planning has been in the guidebook for years, examiners have had their hands full with pesky little things like the financial meltdown and the rise of cybercrime. But they’ve finally started to take a more strategic and risk-based approach to exams, and that’s where the tech plan can work against the bank.
Here are 5 Gonzo Tips to help banks move beyond designer shelf-ware and develop tech plans that actually work.
1. Good tech plans are pragmatic and easy to understand. A tech plan captures the debate and agreement between IT and business stakeholders. It is understandable by all. Sure, it will include some techy talk – after all, it is a tech plan. But it should be as much about enabling the business as the complex systems that support it.
2. Good tech plans are living documents. A tech plan is not meant to gather dust and cobwebs or serve as a prop to hold up other stuff in the bookcase. It doesn’t have to be a massive work of art or fiction. A tech plan isn’t a regurgitation of last year’s plan, although it should acknowledge where the bank is coming from or where it’s been. It collects notes in the margins and the pages are dog-eared.
3. Good tech plans describe accountabilities. The tech plan should set the standard for IT service to the organization and what the lines of business should expect. These service level agreements become something of an internal contract to measure IT’s performance. But it’s not a one-way street. The service standards also discuss how the lines of business interact with IT.
4. Good tech plans are not about all the neato cool stuff. A tech plan should evaluate emerging technologies and see how they can enhance or replace what the institution has today. Some changes will be necessary and justified, especially when they replace what the bank already has and what it has is going away. Others are a natural evolution of technologies that can be planned into the bank’s environment at the next opportune refresh cycle. And some won’t have any business at the bank but might be interesting to research – especially to fend off the other executives that have heard the marketing hype.
For example, whether or not the bank believes outsourcing or cloud computing is the way of the future, it can’t ignore the momentum and demand they have created. The plan may delve into an emerging trend like cloud computing and evaluate its potential benefit to the bank. What are the opportunities and implications for cost, efficiency, security, risk, obsolescence and other factors? And if a new technology makes sense, how and when should the bank migrate to it and what else needs to change when it does? If it doesn’t make sense, the reasons should be documented so they can be reevaluated as the market changes.
5. Good tech plans consider the impact on the people. While a tech plan is about the technology, it’s also about planning for the team that has to live with it and support it. Planning to acquire or retire technology is easy. Planning for the systems that will change people’s lives and the way they work takes some finesse. Vendors will tell the bank it can get the new system in just a few weeks. Preparing the support team and the users will take far longer and require deliberate planning.
A Look in the Mirror: The Risk-Based Approach
A thorough tech plan is a combination of self-assessment and forward thinking. Examiners want to see that the bank has taken a hard look in the mirror to see how it’s doing and what needs to be changed. How is the market? How is the bank? Is IT getting the job done? What tech needs to change to get to the next level? If the bank has done a good job assessing itself – the selfie – then the examiners don’t have to.