Booklet: Operations
Section: Roles and Responsibilities

Action Summary

BOARD OF DIRECTORS AND SENIOR MANAGEMENT
Senior management and the board of directors are responsible for ensuring
IT operates in a safe, sound, and efficient manner throughout the institution.
Because information systems—whether centralized or distributed—are
tightly interconnected and highly interdependent, failure to adequately
supervise any part of the IT environment can heighten potential risks
for all elements of IT operations and the business as a whole. As a result,
the board and senior management should coordinate IT controls throughout
the institution’s operating environment including all outsourcing
and third-party arrangements.
Although senior management and the board can delegate implementation and
oversight of daily operations to information technology management, they
have final responsibility for safe, sound, controlled, and efficient operations.
Consequently, the board and senior management are responsible for understanding
the risks associated with existing and planned IT operations, determining
the risk tolerance of the institution, and establishing and monitoring
policies for risk management. The board and senior management are also
responsible for strategic technology planning, which is critical to effective
IT governance. The IT Handbook’s “Management Booklet”
addresses the role of senior management and the board.
OPERATIONS MANAGEMENT
One of the primary responsibilities of IT operations management is to
ensure the institution’s current and planned infrastructure is sufficient
to accomplish the strategic plans of senior management and the board.
To accomplish this objective, operations management should ensure the
institution has sufficient personnel (in knowledge, experience, and number),
system capacity and availability, and storage capacity to achieve strategic
objectives. Operations management should select or recommend technology
solutions that meet strategic requirements with the fewest resources necessary,
in order to control capital expenditures and operating costs.
Operations management should implement an organizational structure that
addresses staffing and, where appropriate, multiple operating sites, so that
the structure supports the business activities of the institution.
IT operations, whether centralized or decentralized, should support business
lines and functional operations. Operations should facilitate enterprise
management information systems (MIS), product and service development
and delivery, internal end-user information and process requirements,
data capture, and transaction processing.
Effective IT operations management requires knowledge and understanding
of the institution’s IT environment. Appropriate documentation should
be in place that indicates how these systems support the associated business
processes (enterprise architecture). Management should also have an inventory
of all of the institution’s technology assets, should recognize
interdependencies of these systems and should understand how these systems
support the associated business lines. Additionally, management should
understand the flow of data across and between systems. Adequate documentation
of infrastructure and data flow facilitates risk identification, application
of controls, and ongoing maintenance of information systems.
Effective IT operations management also requires that the institution
establish and support an appropriate control environment. Management should
implement a cost-effective and risk-focused control environment. The control
environment should provide guidance, accountability, and enforceability
while mitigating risk. Management should periodically assess the effectiveness
of the control environment, for example through self-assessments, and should
regularly validate the results of those assessments through audits or other
independent verification.
To ensure uninterrupted product and service delivery, as well as the institution’s
viability, operations management should develop a business continuity
plan (BCP). For additional detailed information on this subject, refer
to the IT Handbook’s “Business Continuity Planning Booklet”.
IT systems should have robustness, resiliency, and capacity sufficient
to accommodate ordinary interruptions to operations and to facilitate
prompt restoration without escalating to more drastic and costly disaster
recovery procedures.
Operations management should ensure the operating environment is physically
and logically secure. Protection of expensive and critical business assets,
especially the information essential to corporate activities and sensitive
customer information, requires management to establish and enforce access
controls to facilities, equipment, applications, systems, and transaction
and customer data.
Sound IT operations management also includes providing adequate staffing
through personnel selection, succession plans, and employee training.
Hiring practices that result in an appropriate number of skilled staff
promote smooth, continuous, and efficient operations. Ongoing training
is vital to maintaining creative, motivated, and knowledgeable employees.
Operations management staff should recognize any limitations of IT operations
staff and be prepared to obtain professional assistance. At times, it
may be more efficient and cost effective to acquire outside expertise
than to hire and train new employees, especially for functions that do
not require full-time personnel.
RISK MANAGEMENT
Technology permeates the operations of the entire institution and therefore
defies compartmentalization. Technology enables the institution to develop,
deliver, and manage its products and services. An effective IT risk management
process should identify, measure, control, and monitor operations risk.
The process begins with identifying risks in the institution’s overall
business strategy. Understanding the role technology plays in enabling
core business operations establishes the framework for understanding and
assessing risks. Accordingly, the risk identification process should begin
with a comprehensive survey of the institution's technology environment
and an inventory of its technology assets.
The survey and inventory of the technology environment and assets also
involve assessing the relative importance of systems, databases, and
applications based on their function, the criticality of the data they support,
and their importance to core business operations. The inventory clarifies
the enterprise architecture and highlights the relationships between the
institution's systems, networks, and external systems.