
Without back-office and customer-facing technologies the banking sector would grind to a sudden halt. To discover why technology is the "main fabric" of Abu Dhabi Commercial Bank (ADCB) and the key role of innovation, we speak to Head of IT Operations, Steve Dulvin.
Headquartered in Abu Dhabi, ADCB is a diversified bank with 45 branches in the UAE supported by 172 ATMs. The institution is active in banking services spanning corporate, retail and commercial banking as well as in the areas of treasury derivatives, infrastructure finance, private banking and wealth management. The vast IT side of the business falls under the remit of Steve Dulvin, who has occupied the top IT job at ADCB since April 2009 after a three-year stint as Head of IT Security and Quality Control at the bank. He describes ADCB as one of the most aggressive banks in the Middle East, which means a race for the IT department to support the business in its goal of gaining a competitive advantage.
After having been Head of IT Security you were then promoted to Head of IT Operations. What were your priorities and challenges when you first took on the role?
Steve Dulvin. Data centre modernisation with cost reduction was my first priority; this involved customising data centre strategies according to business plans, regulatory requirements and rapidly changing technologies in line with business objectives. These projects had to enable ADCB to contain costs while maintaining a competitive edge. Key projects that enabled business growth were projects like consolidation, outsourcing and virtualisation by efficient and optimal utilisation of existing infrastructure and human resources. ADCB is known for being customer centric so this added more challenges for us, and the transformation had to be done with no disruption to customer service and we had to meet a 99.9 percent availability of service.
IT Heads talk about the 80:20 rule - 80 percent of the job being about 'keeping the lights on' and 20 percent about innovation. How is your job divided and can you tell us about how innovation comes into your role and what you are currently working on?
SD. This is one of the best eras for IT heads and managers because it's about making sure we keep the lights on by maintaining our service levels but also looking at reducing operational costs and I do not believe you can achieve that by reducing your focus on innovation. So to answer your question, innovation and keeping the lights on go hand in hand. Although our main focus would be on running the bank, innovation still plays a very important role in our day-to-day operations. The only difference is that today it's not about it being nice to have but about improving our services with self-funded IT projects. Believe me, the opportunities are plenty but a few years ago IT professionals did not have to think from that perspective, which means today it has opened our minds to a new dimension. Innovation is not just something that should be seen from a senior management perspective - it's a mindset that we need to spread across the organisation. Everybody in an organisation can contribute to innovation. It means the IT department needs to think bigger and better than they think they can, it's about breaking barriers to our vision and it's about doing things we thought were never possible. A recent study from Gartner shows that IT time allocation can be divided with 62 percent on running the business or 'keeping the lights on', 21 percent for growing the business and 17 percent on transformational initiatives (see graphic).
Many CIOs have been forced to do more with less because of the global economic downturn. Being 64.8 percent owned by the Abu Dhabi government, are you insulated from the economic woes? Are IT budgets unaffected?
SD. 'More with less' has been my favourite quote. I do not believe a day passes by where I have not mentioned doing more with less. For sure, the economic crisis has affected almost every organisation in the world, but is it really an economic crisis or is it something that we should have done a long time ago? Coming back to your question, yes we are partly owned by the government of Abu Dhabi and ADCB is one of the few organisations that has never stopped and we continue to give the best to our customers with product offerings and benefits. There are always two ways of reacting to this: one is to stand still, during which customers will feel the pinch but for us it's about continuing and maintaining our services to customers and making it a pleasure to bank with ADCB. However, it also does not mean we have an open budget, because all our projects today, including infrastructure enhancements, go through the management executive committee in which our CEO is present. I do not believe there is anything we do with no clear ROI which could be financially driven or to improve customer service. When the business invests in IT it is not looking for the features and functions of a product. What it expects is business outcomes that can be translated into more efficiency, lower costs and revenue growth.
How does technology come into the bank's retail operations? For instance, do you offer mobile banking? If not, are you considering rolling this out?
SD. IT is the main fabric to the business. We consider ourselves a value centre to the business, although a few years ago the concept of having separate strategies for the business and IT existed. Today, we are very much one and the IT strategy can only be part of the business strategy - they can never be separate. Technology plays a big role in ADCB's retail operations for both Islamic Banking and conventional banking. We are one of the most aggressive banks in the UAE and for us in Information Technology it's a race to support the business and continue to deliver new product lines and additional benefits to customers. Yes, we currently do offer SMS-based mobile banking to customers and we are assessing the situation to expand the mobile banking experience for customers, and are looking for solutions that will integrate internet banking into mobile banking with minimum changes to the software, thus providing consistent and seamless user experience.
Security still comes under your remit, and last year you implemented Guardium's real-time database security and monitoring solution. What were the reasons for rolling this out and how has it made a difference to security?
SD. Almost every study shows that the biggest risk to any organisation is internal. In fact, as we speak we are in the process of implementing bank-wide single sign-on (SSO) with biometric devices to reduce the risk of identity theft. Guardium is only one of those initiatives we took to ensure our customer data is secure and is accessed by authorised personnel, only when required. It also adds value to our change management process during which all activities of administrators are monitored by an independent team to ensure what is said has been done. Apart from Guardium, we also use recording tools for GUI (Graphical User Interface) based changes and provisioning tools to automate changes to our critical systems, which are reviewed by the quality control department and tested on the UAT (User Acceptance Testing) environment before they are deployed.
We also have a partnership with Cyveillance who monitor ADCB card numbers online and for phishing sites to minimise risks to our customers by taking down fraudulent sites. The partnership has helped us become one of the first banks in the Middle East to take a more proactive approach to leverage its online presence in social media networking sites such as Twitter, Facebook and MySpace. This service will provide us with valuable brand intelligence, including raw customer feedback, increased security and visibility; it will help us utilise this intelligence in future marketing campaigns and new product development to better serve our customers. We also have a partnership with Symantec who monitor our internal and external network 24/7, which includes ensuring our servers are compliant with ISO standards. In fact, we were one of the first in the world to work with Symantec on outsourcing our internal managed end point service, which helps us give an independent view on our external and internal infrastructure. Security and compliance is key to ADCB, which I am sure you would understand seeing as we are a bank.
What strategies do you have in place to deal with disaster recovery and continuity planning?
SD. Disaster recovery and continuity is a continuous process. It's about keeping planning current and ensuring rehearsals are done, not just from an IT perspective but also with the business users. It's also an investment you make for something you may possibly use or never use, which is expensive for both hardware and software licenses, which again needs to be measured against the probability and frequency based on the kind of disaster. At ADCB we decided to use the disaster recovery environment as much as we can for user acceptance testing and pre-production tests before any new enhancements are made. By doing this, it comes back to doing more with less by not having two separate environments for UAT and disaster recovery. We also have a few dedicated environments for disaster recovery for our critical applications. While I am on this subject, we are currently in the process of moving our data centre to a Tier 4 site managed by Injazat partnered with EDS, which also is one of the first facilities to acquire a Tier 4 certification in the region. The move started in November last year and is scheduled to finish in August. The reason we are taking almost nine months for the move is to avoid disruption to customer service and avoidable expenditure on new hardware. As of now, we have already completed 70 percent of the move with little or no interruption to our customers.
What is driving the need for adequate disaster recovery plans in the Middle East and are there any unique differences between the region and, say, Europe in how you manage this aspect of business?
SD. A disaster recovery plan is very much related to probability and the frequency of any disaster. Keeping that in mind, yes, there will be a big difference between the Middle East and Europe, which also does not mean we should stay blind to any unforeseen possibilities so we must take precautionary measures because there are predictable and unpredictable disasters that we should be ready for. I would also say the global crisis is a form of financial disaster - a disaster that was definitely a surprise to many or something that was considered a high risk but with least probability.
Will the next area of focus for you be a new core banking solution?
SD. Yes, the main focus for the next 12 months will be looking at a new core banking solution that will fit into our environment, considering it's been more than five years since we implemented FLEXCUBE. In the last few years we have acquired best of breed applications for each business area to suit their needs, such as treasury, trade finance and CRM. We will be looking for a system that could retrofit into our environment with interfaces to multiple applications but that does not necessarily have to be a traditional core banking system with the ability to serve multiple business areas.
Another thing we will be working on is to build a service-oriented architecture (SOA) where business areas can have flexibility to choose from services with a lower total cost of ownership and will give us the option of re-using existing assets and services with a much lower cost and a faster turnaround time. Some of the technology benefits of having an SOA architecture are faster application development, improved system interoperability, scalability, enhanced information quality and a capability of sharing, which turns into business benefits that can provide better responsiveness to customers, adherence to market and regulatory requirements and improved operational effectiveness, and cost avoidance/reduction. SOA has been there for years and is not a new technology. It's about decoupling business process from technology to enable organisations to change spontaneously in the most cost effective manner and today this would definitely be an added value to the organisation. We have several other initiatives that we are looking at but the two mentioned above would definitely be on top of the list.