CEO Today Magazine August 2019 Edition

ALL REGULATIONS LEAD TO THE SENIOR MANAGER & CERTIFICATION REGIME

and processes underpinning business processes, alongside any regulatory or accounting reports. As an illustration, the current Operational Resilience (OpRes) initiative of the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) demands that Boards be responsible for the resilience of their business. This in turn ensures that, collectively, the entire financial system is resilient. OpRes describes a resilient financial system as one that can ‘absorb shocks rather than contribute to them.’

Financial institutions need to have procedures in place to manage the processes and technology that underpin their critical business processes. While organisations typically have these in place, they now also need to be able to provide reporting and full auditability to auditors and regulators. Moreover, they need to be able to identify and resolve any gaps that may put them in breach of OpRes (and so SMCR).

Shadow IT adds complexity and threatens SMCR compliance

The focus of regulatory bodies is squarely on business services and impact tolerances of financial institutions, from operational and financial standpoints. With a wide variety of enterprise IT systems deployed for all manner of business processes, technology plays a crucial role in enabling operations and reducing risk. This reliance can also threaten the resilience of financial institutions and indeed SMCR compliance for the C-suite. The infamous TSB computer systems meltdown in April last year is a case in point: 1.9 million customers were locked out of their accounts for weeks, and it cost the CEO his job. Today, the financial cost to the bank is recorded as being £330 million.

Shadow IT – IT implemented and managed by business users rather than corporate IT – is in widespread use, and is likely not on the radar of senior executives.
It adds another layer of complexity to SMCR and other regulatory compliance initiatives. Due to the easy access to IT infrastructure (often through cloud computing), Shadow IT often features powerful, easy-to-use databases, development environments and visualisation tools that business users can use to independently design and develop their own processes and applications, without the aid and knowledge of the corporate IT team.

A key application of Shadow IT in financial institutions is modelling, where the speed and flexibility of Shadow IT are well suited to rapid product development, portfolio management or business management, for example. While regulators are non-prescriptive and agnostic to the systems and type of IT adopted, they do demand that due consideration and scrutiny is given to their use. There are a range of regulations and standards that are relevant to modelling, including SS3/18, IFRS 9 and IFRS 17, all of which impact OpRes, for example, and ultimately SMCR.

While Shadow IT offers flexibility to users, these models typically aren’t implemented, documented or tested against a company’s standard IT policies and therefore may contain errors that lead to poor business decisions, as well as breaches of these regulations. For example, if changes to models aren’t documented or audited, or there is no clarity about model ownership, authority and responsibility, then ultimately there will be a direct impact on SMCR compliance.

The fine art of balancing flexibility and transparency

Financial institutions must balance the flexibility and agility that business-owned processes and applications allow against the corporate and regulatory need for control and transparency. To ensure operational resilience and efficiency, financial institutions need to understand and document how Shadow IT, as well as corporate IT, features in their critical business processes, and how they are managed.
Companies need to adopt a comprehensive and unified approach to enterprise IT and Shadow IT management. Without this approach, senior executives and the C-suite risk non-compliance with several regulations and, of course, with the SMCR, which makes the fallout very personal. The SMCR is almost like a ‘catch all’.

About the author

Henry Umney is CEO of ClusterSeven. He joined the company in 2006 and for over 10 years was responsible for the commercial operations of ClusterSeven, overseeing globally all Sales and Client activity as well as Partner engagements. In July 2017, he was appointed CEO and is strongly positioned to take the business forward. He brings over 20 years’ experience and expertise from the financial service and technology sectors. Prior to ClusterSeven, he held the position of Sales Director in Microgen, London and various sales management positions in AFA Systems and ICAP, both in the UK and Asia.
