Booklet: Management
Section: IT Risk Management Process
Subsection: Planning IT Operations and Investment
Action Summary
Planning involves preparing for future activities by defining goals and the strategies
used to achieve them. Information technology is an integral part of financial
institution operations. Therefore, financial institutions should integrate
IT resources and investments into the overall business planning process.
Major investments in IT resources have long-term implications on both
the delivery and performance of the institution’s products and services.
Independent data centers also should plan effectively, so they can provide
quality and cost-effective service to client financial institutions. Institution
management should monitor any changes in the current strategies and plans
of independent data centers that provide services.
Plans may vary significantly depending on the size and structure of the
organization. Every organization should strive to achieve a planning process
that constantly adjusts for new risks or opportunities and maximizes the
value of IT to the organization. Management should always document plans;
however, a written plan does not guarantee an effective planning process.
Management should measure specific plans by whether they meet the organization's
business needs. For all plans, the examiner should evaluate the process
as well as the written product. A sound plan requires the board of directors,
senior management, and user involvement in the planning process. The board
of directors should review and approve the plan. Senior management participates
in formulating and implementing the plan. The individual departments and
functional areas identify specific business needs and, ultimately, implement
the plans.
STRATEGIC IT PLANNING
Strategic IT planning focuses on a three- to five-year horizon and helps
ensure the institution’s technology plans are consistent or aligned
with its business plans. If effective, strategic IT planning can ensure
delivery of IT services that balance cost and efficiency while enabling
the business units to meet the competitive demands of the marketplace.
Strategic planning should address long-term goals and the allocation of
IT resources to achieve them. Tactical plans outline specific steps and
timetables to achieve the strategic goals. These should include hardware
and software architecture, end-user computing resources, and any processing
done by outside vendors. The strategic plan should address the budget,
periodic board reporting, and the status of risk management controls.
The board of directors and management should consider a number of factors
when planning the institution’s use of technology, including:
- Marketplace conditions;
- Customer demographics;
- Organizational growth targets;
- Technology standards;
- Regulatory requirements (e.g., privacy, security, consumer disclosures);
- Cost containment;
- Process improvement and efficiency gains;
- Customer service and technology performance quality;
- Outsourcing vs. in-house expertise;
- Optimal infrastructure for the future; and
- Ability to adopt and integrate new technology.
All of these factors should also align with the organization’s business
plans. Well-implemented technology plans provide the capability to deliver
business value in terms of market share, earnings, and capital growth
to the organization. The information technology steering committee’s
cross-functional membership makes it well suited for balancing or aligning
the organization’s IT investment with its strategic and operational
objectives. In fact, effective steering committees will constantly work
to align the organization’s information technology, both strategically
and operationally, with its business units. Typically, institutions that
are better at keeping IT aligned with changing business goals and objectives
are positioned to compete more effectively.
Some institutions will spend too aggressively on technology that business
lines cannot fully utilize. Also, IT departments or business units can
overinvest in specific technology that provides inadequate enterprise-wide
value, introduces new incompatibilities, or produces unnecessary excess
capacity.
On the other hand, institutions can spend too conservatively and delay
investments in infrastructure or new products that business lines need
to compete and maintain market share and profits. In addition, business
units without a full understanding of the available technology can fail
to update processes and products or to achieve productivity gains or increased
revenues. The lack of knowledge may also result in increased security
risks. To create the appropriate balance, institutions should link strategic
and operational plans between IT and the business units.
The four key factors of IT planning that management should address are:
- Strong senior management participation - Executive management should understand and support the IT strategic plan and established priorities.
- Role of IT - The institution needs to clarify IT’s role and whether the current IT planning process enables personnel to work towards achieving enterprise-wide goals and objectives.
- Impact of IT - The steering committee should understand the relationship between the IT infrastructure and applications and the business strategic and operating plans. The IT infrastructure should directly support the goals and objectives of these plans.
- Accurate scorecard on past performance - The steering committee should monitor past IT projects and initiatives after implementation to determine if the institution realized the anticipated costs and benefits. The scorecard should be based upon a set of objective measures.
The board should oversee management’s efforts to create and maintain
an alignment between IT and corporate-wide strategies by:
- Confirming IT strategic plans are aligned with the business strategy;
- Determining that IT performance supports the planned strategy;
- Ensuring the IT department is delivering on time, within budget, and to specification;
- Directing IT strategy to balance investments between systems that support current operations, and systems that transform operations and enable business lines to grow and compete in new areas; and
- Focusing IT resource decisions on specific objectives such as entry into new markets, enhanced competitive position, revenue growth, improved customer satisfaction, or customer retention.
OPERATIONAL IT PLANNING
Operational plans should flow logically from the strategic plan. Management
should review and revise them at least annually. Operational planning
focuses on short-term actions and incorporates the annual budget process.
Management should reference the strategic plans and adjust operational
plans based on changes in the underlying business needs.
Operational planning addresses the near-term support for business operations.
Specifically, operational planning focuses on immediate concerns such
as adequate IT resources, sufficient budget, and appropriate risk identification.
IT Resources
Management should ensure that IT resources are adequate to meet the current
operational needs of the organization. Operational planning should consider
the adequacy of IT resources and the impact of any changes on critical
business processes. Business processes are the integration of people,
technology, and procedures used to accomplish a task or complete a transaction.
Changes in business processes require coordination or alignment with the
available IT resources. IT resources that require management coordination
include:
- Infrastructure - power, telecommunications capacity, network architecture, and facilities.
- Applications software - includes changes in software used to provide financial services and products, because of competition, market forces, and changing regulations. These changes may require enhancements to, or replacements of, application software for mainframe, midrange, servers and end-user computing systems.
- Operating software - operating systems, compilers, and utilities designed to enable the equipment and applications software to function effectively. Changes in this area can have a major impact on hardware and software specifications.
- Hardware - includes mainframes, network servers, personal computers, communications networks, storage devices, and peripherals. Planning should ensure the mainframe, midrange servers and end-user computing equipment have sufficient capacity to meet current needs and future growth. For example, planning may indicate that economically it is impractical to add new mainframe equipment. Rather, it may be appropriate to allow a department to purchase a midrange system to operate independently of the main data center.
- Personnel - includes issues associated with staff changes, scheduling requirements, training, and compensation. For example, management should consider whether inadequate salaries could cause high employee turnover and create a lack of adequate expertise or, if excessive, salaries could suppress earnings.
Budgeting
Budgeting is another step in the operational planning process. The board
should assess management's plans and its success in defining and meeting
budgetary goals as one means of evaluating the performance of the data
processing and operations management. The budget is a coordinated financial
plan used to estimate and control the organization's activities. By assessing
future economic developments and conditions, management creates an action
plan and records changes in the balance sheet accounts and profitability
(predicated on implementation of the plan). The budget not only projects
expected results, but also serves as an important check on management.
Management, when considering new technology projects, should look at the
entry costs of the technology and the post-implementation support costs.
Increasingly, institutions are demanding, and vendors are providing, information
regarding the total cost of ownership (TCO) beyond the initial entry costs.
Technology projects often have undocumented costs including the resources
required to configure, maintain, repair, support, upgrade, and manage
the technology over its lifetime. Readily available TCO models, as well
as historical data, provide management with tools to incorporate these
hidden costs into the selection and budgeting process.
Some financial institutions budget IT as a separate department of the
institution. A financial analysis of an IT department should include a
comparison of the cost-effectiveness of the in-house operation versus
contracting with an outside servicer. It may also include a comparison of
operating costs and ratios with a peer group of institutions.
Depending upon its size and complexity, the institution may or may not
allocate costs to the user departments. Where cost allocation exists,
management should ensure equitable assignment of the costs to each user
department. This is often accomplished by use of a chargeback system that
records usage of resources based upon a performance metric such as Central
Processing Unit cycles. In some instances, a separate subsidiary of the
holding company manages the IT function. Ideally, an IT subsidiary of
a holding company should have a positive effect on consolidated earnings
performance. It can provide essential services at costs below external
providers or individual financial institutions. However, some relationships
may not result in cost savings. To avoid a preferential arrangement
with an affiliate, the contracts between the holding company or its subsidiary
and the serviced financial institutions should ensure "arm's-length"
transactions. Institution management should assess these relationships
to ensure they are fair and equitable to all parties. The IT Handbook’s
“Outsourcing Technology Services Booklet” has additional information
on contract considerations.