Management Booklet, Section: Roles and Responsibilities, Subsection: IT Responsibilities and Functions

RISK MANAGEMENT FUNCTIONS
A financial institution should ensure an adequate risk management structure
exists within the organization. Some institutions have a separate risk
management department that is responsible for overseeing the areas of
information security, business continuity planning, audit, insurance and
compliance. Regardless of the particular structure used, the institution
should ensure that lines of authority are established for enforcing and
monitoring controls. These risk management functions should play a key
role in measuring, monitoring, and controlling risk.
Information Security
The board is responsible for overseeing and approving the development,
implementation, and maintenance of a comprehensive, written information
security program, as required by the Gramm-Leach-Bliley Act (GLBA). GLBA
is discussed in more detail on page 30 of this booklet. The information
security program should include appropriate administrative, technical,
and physical safeguards based on the size, complexity, nature, and scope
of the institution’s operations. The board may delegate information
security monitoring to an independent audit function and information security
management to an independent information security officer. Ideally, the
institution should separate information security program management and
monitoring from the daily security duties required in IT operations. The
senior information security officer should be an organization-wide risk
manager rather than a production resource devoted to IT operations. To
ensure independence, the information security officer should report directly
to the board or senior management rather than through the IT department.
The IT department needs personnel with daily responsibility for implementing
the corporate security policy, but they should not have the ability to
change policy and grant exceptions. The IT Handbook’s “Information
Security Booklet” has additional information on this topic.
Business Continuity
Similar to information security, business continuity planning should be
a corporate-wide strategy. Business continuity planners should assess
business continuity across all lines of business. The business continuity
function often resides in the risk management organizational structure.
The IT department should have personnel responsible for developing and
maintaining the department’s business continuity plans. The IT Handbook’s
“Business Continuity Planning Booklet” has additional information
on this topic.
IT Audit
Senior management and the board should ensure cooperation between management
and IT audit. It should also ensure timely and accurate response to audit
concerns and exceptions. The IT audit area should report directly to the
board of directors or a designated committee of the board comprised of
outside directors. The board is responsible for overseeing the audit department’s
performance and compensation. Audit’s key role is to review risk
within each of the departments. Audit should verify that management has
implemented effective control processes. Audit should have no role in
implementing controls and should not have primary responsibility for enforcing
policy.
Management should have processes in place to monitor and enforce policy
compliance. Audit should verify those processes function effectively and
report to the board. The board, in turn, should ensure auditors have the
necessary expertise and that audit coverage is adequate, timely, and independent.
IT audit coverage should include system development and acquisition projects.
See the IT Handbook’s “Audit Booklet” for additional
discussion of this topic.
Compliance
Senior management should ensure the involvement of regulatory compliance
staff whenever a new system or application affects compliance with regulations.
New implementations or application changes can cause noncompliance through
inaccurate interest rate calculations, inadequate or inaccurate disclosures,
weak security controls over the storage or transmission of customer information,
and poor customer verification procedures. The compliance function should
review any new system or significant change for regulatory compliance.
PROJECT
MANAGEMENT
Project management is the application of knowledge, skills, tools, and
techniques to various activities to meet the requirements of organizational
projects.
IT management typically has two broad responsibilities. They should control
the delivery of technology operations and services to the various lines
of business. They should also oversee technology-related changes to operational
and business processes. Project management addresses the latter responsibility.
An effective project management process is a key factor in a well-managed
IT operation.
The operational complexity of the financial institution dictates the formality
of project management practices. Generally, project management consists
of initiating, planning, executing, controlling, and closing projects.
Management uses project management techniques to control projects for
systems acquisition and development, as well as other activities including
systems conversions, product enhancements, infrastructure upgrades, and
system maintenance. A financial institution’s ability to manage
projects drives its ability to adapt to changes in its business requirements
and satisfy its strategic objectives.
Project teams should balance resource investments of time, money, and
expertise with the project priority, risk, and requirements. Management
should monitor projects closely to control costs and assure adherence
to standards and specifications. A project management system should employ
well-defined and proven techniques for managing projects at all stages.
Controlling a large number of projects requires monitoring systems that
include the following elements:
- Target completion dates – Management should establish target completion
dates for each task or phase of the project. Management determines
a final project completion date by carefully identifying and assessing
all critical tasks. Identification of realistic target dates for tasks
or phases results in improved project control.
- Project status updates – Management should compare actual completion
dates with planned targeted dates. While project managers may have
to revise target dates, management should measure progress against
original targets to better assess time and potential cost overruns.
If development cost overruns become substantial, management may need
to re-evaluate the justification for the project or seek additional
approval to continue funding it.
Critical success factors for project management include:
- Experienced and skilled project managers;
- Accepted and standardized project management practices;
- Senior management support for a disciplined project management process;
- Stakeholders and IT staff collaboration to establish project requirements and share
in the responsibilities for each phase of the project;
- Tracking and measuring project performance against requirements;
- Defining and monitoring an organization-wide project risk assessment methodology;
and
- Transition in ownership from implementation teams to the operational teams that is
a well-managed process with sufficient testing and training.
The IT Handbook’s “Development and Acquisition Booklet”
has additional information on this topic.
OTHER
IT FUNCTIONS AND SUPPORT ROLES
Human Resources
The goal of human resources is to hire and maintain a competent and motivated
workforce. An organization should have an effective IT human resources
management plan that meets the requirements for IT and the business lines
it supports. IT management should integrate its management of human resources
with technology planning to ensure optimum development and availability
of IT skills.
Components
of an effective IT human resources management process include compensation
planning, performance reviews, participation in industry forums, knowledge
transfer mechanisms (e.g., rotational assignments), training, and mentoring.
The board should define and enforce incentive programs for IT management,
similar to those available for other senior management of the organization,
to reward managers who meet IT performance goals.
The company should have programs in place to ensure its staff has the
expertise necessary to perform its job and achieve company goals and objectives.
A company may need to look externally to find necessary expertise for
specialized areas.
Management should develop training programs for all new technology standards
and products before their deployment in the organization. Institutions
may employ a certification program to ensure the staff maintains the necessary
expertise to support the business.
The board and senior management should also consider appropriate succession
and transition strategies for key managers and personnel. Some strategies
include the use of employment contracts, professional development plans,
and contingency plans for interim staffing of key management. Management
should mitigate the risk by backing up key positions, cross-training additional
personnel, and selecting customized insurance products targeting key employees.
The ultimate objective is to provide for a smooth transition in the event
of turnover in vital IT management or operations functions.
MIS and Reporting
The IT department often provides an important support role for the institution’s
management information systems. A management information system (MIS)
is a process that provides the information necessary to manage an organization
effectively. Accurate and timely MIS reports are an essential component
of prudent and reasonable business decisions. Many levels of management
view and use MIS, which should support the institution's longer-term,
strategic goals and objectives. IT management typically sets policies,
procedures, and controls to govern database management and report creation
to help ensure the effectiveness and usefulness of the organization’s
MIS.
Management should design its MIS to:
- Facilitate the management of the business;
- Provide management with an adequate decision support system by providing information
that is timely, accurate, consistent, complete, and relevant;
- Deliver complex material throughout the institution;
- Support the organization's strategic goals and direction;
- Ensure the integrity and availability of data;
- Provide an objective system for recording and aggregating information;
- Reduce expenses related to labor-intensive manual activities; and
- Enhance communication among employees.
MIS supplies decision makers with facts, supports and enhances the overall
decision-making process, and enhances job performance throughout an institution.
At the most senior levels, MIS provides the data and information to help
the board and management make strategic decisions. At other levels, MIS
allows management to monitor the institution's activities and distribute
information to other employees, customers, and members of management.
Advances in technology have increased the volume of information available
to management and directors for planning and decision-making. Technology
increases the potential for inaccurate reporting and flawed decision making.
Because report generation systems can rely on manual data entry or extract
data from many different financial and transaction systems, management
should establish appropriate control procedures to ensure information
is correct and relevant. Since management information systems can originate
from multiple equipment platforms and systems, the controls should ensure
all information systems have sufficient and appropriate controls to maintain
the integrity of the information and the processing environment.
Sound fundamental principles for MIS review include proper internal controls,
operating procedures, safeguards, and audit coverage. These principles
are explained throughout this booklet.
To function effectively, as a feedback tool for management and staff,
MIS should be useable. The five elements of information technology processing
activities that create useable MIS are timeliness, accuracy, consistency,
completeness, and relevance. Compromise of any of these elements hinders
the usefulness of MIS.
- Timeliness - To facilitate prompt decision-making, an institution's MIS should
be capable of providing and distributing current information to appropriate
users. Developers should design IT systems to expedite the availability
of reports. The system should support quick data collection, prompt
editing and correction, and meaningful summaries of results.
- Accuracy - A sound system of automated and manual internal controls should
exist. All information should receive appropriate editing, balancing,
and internal control checks. The board should ensure a comprehensive
internal and external audit program exists to ensure the adequacy
of internal controls.
- Consistency - To be reliable, data should be processed and compiled consistently
and uniformly. Variations in data collection and reporting methods
can distort information and trend analysis. In addition, management
should establish sound procedures to allow for system changes. These
procedures should be well defined, documented, and communicated to
appropriate employees. Management should also establish an effective
monitoring system.
- Completeness - Decision makers need complete information in a summarized form.
Management should design reports to eliminate clutter and voluminous
detail to avoid information overload.
- Relevance - Information that is inappropriate, unnecessary, or too detailed
for effective decision-making has no value. MIS should be relevant
to support its use by management. The relevance and level of detail
provided through MIS directly correlates to what the board, executive
management, departmental or area mid-level managers, etc., need to
perform their jobs.