Technology risk can arise from maintenance contracts for existing IT infrastructure
and application software through to complete outsourcing of projects or the whole IT
service. The risks involved in this type of business are operational. The issues most
firms face in managing technology risks can be illustrated by considering the various
risk factors through a series of structured ‘control questions’. This technique was
advocated above.
So often a firm, particularly in the trading/investment banking/securities businesses,
has a spaghetti soup of systems, some old, some very new, with the resulting
problem that both old and new technologies need to be supported to make
the business run smoothly. Many trading divisions have their own dedicated IT
professionals who perform Rapid Application Development (RAD) to keep up with the
traders. This increases operational risk, as some firms then have poorly documented
systems and rely on a few key IT personnel. The traders in many firms will still prefer
their spreadsheets for their flexibility and speed. Such reliance leads to increased
operational risk, as spreadsheets are rarely secure and can easily be corrupted. In
addition, only the author really understands his or her spreadsheet.
Many firms have multiple IT projects being carried out at the same time and this
inevitably leads to problems such as:
• Lack of security requirements developed and agreed before IT development commences
• Lack of capacity planning and resource utilization
Many of the project failures on risk management projects that I have observed before
being called in to rescue them have been due to issues such as:
• Scope creep
• Poor design not complying with best practice
• Poor performance of the risk engine compared to spreadsheet models
• Lack of early deliverables
• No agreement on the acceptance criteria
• Lack of suitable testing carried out for new systems
• No change control implemented
• Business process owners resisting the changes required to use the new system
In addition to the specific problems of working in a trading environment, the firm
will be exposed across all business areas to general technology risk. The operational
risk manager should assess general technology risks by reviewing the firm’s compliance
with the typical technology controls. Such controls would be designed to protect the
IT facility against human error (operations, maintenance, users, programmers), data
theft, voice equipment failure and other failures (media, central computer equipment,
purchased software, undetected and ancillary equipment), and to minimize exposure to
fire, heat, water, smoke and corrosive fumes. Protection against these risk factors can
be divided into three types:
• Physical protection
• Functional protection
• Data protection