
The Top 10 Must-Haves for Better IT Governance

Dec 29, 2015

Information technology can be a financial institution's greatest advantage. Not only does technology serve as a catalyst for improved business performance, but when leveraged, it can also enhance customer service and help differentiate the organization.

Because IT is integral to most banking activities, it requires constant management, particularly if the goal is to also realize its competitive benefits. Chief among those benefits are the increased availability and use of IT systems to yield smoother operations. That, of course, translates into a greater ability to service customers and meet their needs.

Stronger governance also leads to a clearer understanding of IT costs and impact on product pricing. Likewise, strategically aligning IT with enterprise-wide objectives and goals ensures that the technology will be available when needed to meet or support product and service offerings.

And, of course, improved risk management practices are yet another important benefit of sound IT management.

With a dynamic, consistent commitment to IT management, a financial institution can position itself for greater success. Here are the top 10 action items for achieving optimum IT governance.

1. Develop a strategic plan for IT. Without a well-conceived plan, an institution has no clear direction or real destination in mind, which can add up to unplanned expenditures and unforeseen operational risks. The challenge, then, is to appropriately allocate time and resources to those IT activities that are aligned with the organization's business strategy and to avoid putting the institution at risk. An IT strategic plan should focus on a three- to five-year horizon and consider key industry issues, customer needs, and user requirements, along with new opportunities to improve the business and business processes.

2. Assign IT accountability. Key to the success of IT governance is the assignment of a management-level individual who is responsible for all IT oversight. Among the duties are the administration of policy development and management, operations, information security, and business continuity planning, to name a few. This individual should also have sufficient IT knowledge to execute and maintain the institution's technology plan.

3. Establish an IT committee. An IT committee plays an important leadership role in an organization's technology management and performance. One of its key responsibilities is to provide the board with ongoing reviews of IT projects and updates on significant activities. This information lets the board make knowledgeable decisions without the need to be involved in day-to-day IT operations.

4. Ensure board involvement. An institution's board of directors must take the lead in IT governance. To do so, board members need to be engaged in technology oversight, reviewing and approving all IT plans and policies to ensure strategic alignment. The board should also be involved in the annual IT audit plan, ensuring audit independence and the necessary GLBA risk assessment. Involvement in the institution's business continuity plan, as well as reviewing its critical vendor selection process, is also required of the board.

5. Assess the environment regularly. Conducting an independent evaluation and audit of the IT environment on a regular basis is crucial for identifying, measuring, controlling, and monitoring technology so as to avoid risks. The scope of the evaluation should be driven by the results of an IT risk assessment and should include a review of both policies and practices.

6. Conduct internal and external vulnerability assessments. An institution must thoroughly identify potential threats to the confidentiality, integrity, and availability of its information. Such vulnerabilities can be internal or external and can include both human and technical threats to the infrastructure. Conducting a comprehensive assessment can help to detect any weaknesses in systems, management, and processes.

7. Test backups and disaster recovery plans. Having controls in place to mitigate risk and having response programs to address potential disasters are merely half of the equation. An institution must also test its processes and plans to ensure they are viable when applied and reliable when needed.

8. Ensure management involvement. An institution's leaders share in the responsibility for successful IT governance. Risk is present across all business lines; therefore, across-the-board management involvement must also be required. Management must be responsible for enforcing internal controls and policies in all areas and for communicating business needs in support of prudent IT investments.

9. Manage vendors and other outsourced relationships. Safeguarding customer information becomes all the more significant when relying on vendor-provided IT systems, products, or services. An institution must develop and maintain comprehensive practices to govern vendor relationships. This starts with a formalized vendor selection process and includes due diligence in selecting providers and maintenance of a well-developed vendor management program. For all critical vendors, an institution should also conduct a thorough annual review, documenting and summarizing results for the board.

10. Strive for operational excellence. An institution should monitor the effectiveness of its IT functions by establishing benchmarks and metrics for performance. These can include service level goals, objectives for system availability and response times, error rates, and problem reports. An organization may also wish to implement a quality assurance program to further document control processes and measure IT performance.

Start Maximizing Technology’s Benefits

Effective IT governance has the ability to transform a financial institution. Putting strong leadership behind these ten practices will position an institution for greater success.


Robert D. Cedergren, CPA, CGMA, CITP, CISM, CISA, CGEIT
Partner In Charge, Risk Advisory Services