Before the end of this year, banks and other financial institutions are required to start periodical internal audits in order to remove the weaknesses in their IT services/systems and possible threats to security of information.

They will also have to make outsourcing of IT business more transparent and introduce an accountability system to fix responsibility in case the outsourcing has not been done in compliance with the required rules.

These are just two of the many requirements banks and FIs will fulfill, under the State Bank of Pakistan’s framework of IT risk management and governance.

“IT-outsourcing is potentially vulnerable to breaches of cyber security. And lack of IT-specific audit makes it difficult to fix underlying reasons for any IT-related shortcomings,” admits an official of one of the five large local banks.

But whether banks can really comply with all the SBP instructions on IT governance by December is too difficult to answer.


Bankers say implementing two key elements of IT risk management and governance framework is very important but equally difficult


“Taking such steps like, appointing an IT committee (under the board of directors) with an independent expert as member or nominating steering committees on IT (under the bank’s senior management), is not difficult.

But complying with SBP instructions on IT outsourcing and proper training of IT staff needs a higher degree of professionalism on the part of senior management,” he adds.

Senior bankers complain that finding people that are competent in IT studies and are also financially literate to some extent is very difficult. This has been at the root of many IT woes of banks.

Institutions such Pakistan Software Houses Association (P@sha) and Pakistan Software Export Board (PSEB) can help banks in this regard. But setting strategic directions and mapping their IT requirements in detail is a must. Without that, we cannot recommend the right kind of IT experts for them, officials of the PSEB say.

“Despite accelerated spread of the use of IT in banking industry during this decade, it is hard to find primary data on the state of banks’ IT spending and IT workforce,” one of these officials lamented while talking to this writer.

“Some banks and financial institutions spend more on their IT infrastructure and IT-related employees while others don’t spend much. It varies and depends (upon so many factors including time-specific or business-bound requirements and approaches),” according to a local credit rating agency official.

The IT risk management and governance makes it mandatory for banks to design IT policies, keeping in view their business requirements and devise systems to align both IT and business strategies.

Head of a foreign bank told this writer that according to a study conducted in 2015, banks’ reliance on fintech were more in the area of promoting lending business and less in deposit mobilisation. “Once we fully comply with the SBP recommendations, such issues will be sorted out.”

Security of banking information being transmitted and received in the cyber space is of utmost importance. “Often a small mistake on the part of a bank’s IT employee leads to a situation where we either have to suspend a particular IT service for some time or risk compounding of the problem,” concedes head of IT department of a mid-tier bank.

“I had to hire a fresh university graduate for developing software for human resource department after we failed in attracting an experienced hand. The gentleman who is also pursuing his post-graduation is a habitual absentee but we have to put up with him. We have no choice.”

These and similar issues keep the regular IT staff of banks on their toes. They complain of long working hours with not much financial compensation. And above all, “when it comes to explaining to our non-IT bosses why resolution of a certain problem is taking more than usual time, we go nuts. They are senior executives but they don’t know the basics of IT”.

IT risk management services in banking industry are relatively new to many local banks. But that is something banks cannot avoid. While IT itself had made the job of risk management simpler and cost-effective, the growing use of IT in banking industry does carry its own risks, the most important being protection of timely access to streams of both structured and unstructured customer information.

Bankers say implementing two key elements of IT risk management and governance framework is very important but equally difficult. First is the ‘identification and prioritisation of information assets’ and second, the ‘risk management process’.

IT officials of banks and financial institutions complain that there is no uniform way of prioritising information assets. “We (in IT departments of banks) have to rely on our own instincts or comply with the top management’s instructions, that keep changing from time to time,” points out a deputy head of IT department of a mid-tier bank.

“IT risk management practices also don’t remain uniform and every new boss of the IT department, in consultation with the bank’s senior management, amends the risk management process developed by his team with much hard work.”

Senior bankers say banking and financial sector’s risk management operations vary, depending upon the size and category of banks and financial institutions.

Besides, a particular set of information is prioritised in a certain context. But the risks arising from the use of IT remain more or less the same.

Published in Dawn, Economic & Business, March 27th, 2017

Opinion

Editorial

Judiciary’s SOS
Updated 28 Mar, 2024

Judiciary’s SOS

The ball is now in CJP Isa’s court, and he will feel pressure to take action.
Data protection
28 Mar, 2024

Data protection

WHAT do we want? Data protection laws. When do we want them? Immediately. Without delay, if we are to prevent ...
Selling humans
28 Mar, 2024

Selling humans

HUMAN traders feed off economic distress; they peddle promises of a better life to the impoverished who, mired in...
New terror wave
Updated 27 Mar, 2024

New terror wave

The time has come for decisive government action against militancy.
Development costs
27 Mar, 2024

Development costs

A HEFTY escalation of 30pc in the cost of ongoing federal development schemes is one of the many decisions where the...
Aitchison controversy
Updated 27 Mar, 2024

Aitchison controversy

It is hoped that higher authorities realise that politics and nepotism have no place in schools.