Shadow IT a Risk to Operational Resilience of Financial Institutions
- By Henry Umney, CEO, ClusterSeven
UK regulators are focused on building the Operational Resilience of the UK financial system as a whole, and of the individual firms within it. A discussion paper issued jointly by the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) last year describes a resilient financial system as one that can ‘absorb shocks rather than contribute to them.’
This requires an understanding of operational risk and recovery capabilities that goes well beyond the traditional interpretation of these functions, and demands a focus on preserving the continuity of critical economic functions, both for an institution’s clients and for the UK economy as a whole.
Numerous factors can affect the Operational Resilience of financial institutions. While organisations understand its fundamentals well, Shadow IT is a risk factor that many have not yet addressed. There is, in fact, growing interest from regulators and auditors in how such applications are managed, controlled and documented.
Pros and cons of Shadow IT
Today there is an abundance of Shadow IT, i.e. applications that are not supported by the IT function, such as user-built databases, development environments, business intelligence and management information systems, and spreadsheet-based processes, that are created by users and fall outside the controlled enterprise IT estate. These applications and processes form a significant part of financial institutions’ ‘business-as-usual’. They underpin business and operational processes such as investment portfolio management and modelling. Built on standard desktop tools, they are more often than not the ‘go to’ option for users seeking to address a business challenge in the fastest time.
While providing enormous business flexibility, Shadow IT applications can pose a significant operational, regulatory or reputational risk to the business. For example, an uncontrolled spreadsheet might provide calculations that feed into multiple models. An unrecognised change to that spreadsheet could have a significant impact on the models it feeds, and so on the wider business, its services and its reputation. Worse, there would likely be no visibility of the change, so identifying and remediating it would take time, extending the scale of the business and market impact that the Operational Resilience initiative is designed to limit.
Mitigating Shadow IT risk
While the UK regulators have not yet defined or scheduled any regulation relating to Operational Resilience, there is little doubt that it is on the horizon; informal discussions with the regulators point in that direction. Financial institutions need to build a framework for Shadow IT risk management. Such a framework lets them understand their Shadow IT landscape and the critical business services and processes these applications support, define the risk each application poses to the institution’s operations, determine the potential financial, operational, regulatory and reputational impact of errors, and establish governance processes for change.
The most effective means to this end is automation. It enables financial institutions to systemise, formalise and operationalise the monitoring and management of Shadow IT applications in the same way as enterprise IT systems: an inventory of what exists, a record of what each application feeds, and detection of changes that have not been through the agreed change process.
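The scenario in the earlier paragraph (an unreviewed edit to a feeder spreadsheet, with no visibility of which models it reaches) is the concrete thing such automation has to catch. The following is an added example, not code from the article or from ClusterSeven's product. It assumes the spreadsheets live under one directory tree (a constructed temporary tree here), that an inventory records which downstream models and reports consume each spreadsheet (the constructed DEPENDENCY_MAP), and that "unrecognised" means any content differing from an approved baseline snapshot. It hashes the estate, diffs it against the baseline, and reports the transitive blast radius of each change; a spreadsheet that appears outside the inventory is itself reported as a finding.

```python
import hashlib
import tempfile
from collections import deque
from pathlib import Path

SPREADSHEET_SUFFIXES = {".xlsx", ".xlsm", ".xls", ".csv"}

# Constructed inventory (assumption): spreadsheet -> consumers of its output.
# In practice this comes from a discovery scan or a maintained register.
DEPENDENCY_MAP = {
    "pricing/fx_rates.csv": ["models/var_model.xlsx", "models/liquidity_model.xlsx"],
    "models/var_model.xlsx": ["reports/board_pack.xlsx"],
    "models/liquidity_model.xlsx": ["reports/regulatory_return.xlsx"],
    "ops/holiday_calendar.xlsx": [],
}


def file_digest(path: Path) -> str:
    """SHA-256 of a file's bytes, streamed so large workbooks are not read whole."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each spreadsheet under root (relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in SPREADSHEET_SUFFIXES}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify files as added, removed or modified against the approved baseline."""
    both = baseline.keys() & current.keys()
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(k for k in both if baseline[k] != current[k])}


def downstream(path: str, dependency_map=DEPENDENCY_MAP) -> list:
    """Transitive consumers of a spreadsheet (breadth-first), so a change in a
    feeder surfaces every model and report it ultimately reaches."""
    seen, queue = [], deque(dependency_map.get(path, []))
    while queue:
        item = queue.popleft()
        if item not in seen:
            seen.append(item)
            queue.extend(dependency_map.get(item, []))
    return seen


def assess(changes: dict, dependency_map=DEPENDENCY_MAP) -> dict:
    """Attach blast radius and inventory status to each unrecognised change."""
    findings = {}
    for kind in ("added", "removed", "modified"):
        for path in changes[kind]:
            findings[path] = {"change": kind,
                              "in_inventory": path in dependency_map,
                              "impacts": downstream(path, dependency_map)}
    return findings


def build_demo_estate(root: Path, fx_rate: str = "1.2700") -> None:
    """Constructed sample estate; fx_rate lets the demo simulate an edit."""
    files = {"pricing/fx_rates.csv": f"pair,rate\nGBPUSD,{fx_rate}\n"}
    for rel in ("models/var_model.xlsx", "models/liquidity_model.xlsx",
                "reports/board_pack.xlsx", "reports/regulatory_return.xlsx",
                "ops/holiday_calendar.xlsx"):
        files[rel] = "constructed placeholder bytes"
    for rel, text in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)


def run_demo() -> dict:
    """Take an approved baseline, simulate an unreviewed edit to the FX feed
    plus a new unregistered workbook, and return the assessed findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_estate(root)
        baseline = snapshot(root)
        build_demo_estate(root, fx_rate="1.7200")      # unreviewed edit to a feeder
        scratch = root / "desk/scratch_calc.xlsx"      # sheet nobody registered
        scratch.parent.mkdir(parents=True, exist_ok=True)
        scratch.write_text("unregistered")
        return assess(diff_snapshots(baseline, snapshot(root)))


if __name__ == "__main__":
    for path, f in run_demo().items():
        print(f"{f['change']:<8} {path}  inventory={f['in_inventory']}  impacts={f['impacts']}")
```

Run stand-alone it reports the FX feed as modified with four downstream artefacts affected (two models and the two reports they feed) and the scratch workbook as added but absent from the inventory. The baseline snapshot is what a change-approval step would sign off; anything the next scan finds that differs from it is, by definition, a change that has not been through governance.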