
There are two non-contentious assumptions for financial services organisations of all shapes, sizes and focus: 1. Managing risk is critical to the business; and 2. Information is central to business process and innovation.
Therefore, it follows that effectively managing the risk associated with information is essential – and many financial services institutions (FSIs) are today starting to look at Information Risk Management as a strategy for comprehensively and effectively recognizing, assessing and mitigating the risk information is exposed to throughout its lifecycle.
Intellectual property, and financial, legal and personal information flows throughout the extended financial services enterprise. Information Risk Management – an information-centric approach – follows the information’s path as it is created, distributed, stored, copied, transformed and interacted with throughout its lifecycle. This “path” provides a holistic view upon which businesses can develop a comprehensive information risk mitigation strategy – and allows them to capitalize on new revenue opportunities, build brand value and address evolving market requirements. In other words, it will help ensure that your information is always an asset and not a liability.
Many FSIs are increasingly consolidating disparate and disconnected views of risk. Information Risk Management eliminates the siloed approach to managing information risk by taking an enterprise-wide and information-centric view of risk, compliance and governance. It is a strategy that enables FSIs to more effectively meet today’s challenges in each of the following five areas:
1. Meet regulatory and governance challenges
Financial services institutions are under intense pressure to demonstrate compliance with internal governance guidelines and external regulations. The burden of proving compliance and maintaining effective security operations is becoming a significant challenge as mandates become more pervasive throughout the enterprise. This, coupled with the nature of a global FSI (with the many continents and countries in which they operate, and the trend towards further consolidation) means such organisations need to keep pace with complex and diverse regulations and directives – and ensure their continued compliance with them. Through a complete Information Risk Management strategy, FSIs can consolidate compliance issues and transform security event data into actionable compliance and security intelligence.
2. Secure business continuity
According to a study by Accenture in July 2007, service interruptions cost one in 20 companies $5M per year. For FSIs playing in global markets, however, 24x7 operations (and the need to maintain fluid operations regardless of external or internal operational interruptions, attacks, or disasters) are a necessity – arguably more so than in other industries. Financial services companies are frequently the targets of online attacks and attempted fraud, and their business leaders need to be able to demonstrate that they have the best proactive defense against any type of operational interruption in order to uphold confidence from customers, employees and key stakeholders. An Information Risk Management approach can augment your readiness to manage and recover from the business impacts of data loss, security breaches, fraud and technology disruptions – and allow you to proactively engage in new opportunities.
3. Improve customer confidence
Customer loyalty is a key focus for all of us, so the impact that fraud can have on reputational risk is a significant one. Prevention, detection and resolution of fraud are not only key infrastructure requirements, but salient value propositions to end customers.
Customers enjoy the ease of self-service online business such as online banking, card services, phone banking and multi-channel banking. While enabling these channels helps to meet customer demand, online security threats continue to grow both in frequency and complexity, simultaneously increasing the risk of conducting online transactions and of reducing customer confidence. As businesses continue to recognize the benefits of operating online, it is critical to ensure that the online channels are trustworthy and secure.
Adding complexity to this scenario is the reality that different customer account types require different levels of security. Some transactions are riskier than others – and some customers prefer different types of protection. FSIs have to learn to balance risk and security throughout the enterprise without compromising the user experience or the bottom line. As online threats continue to evolve, organisations are continually being challenged to provide end users with flexible, cost-effective solutions that address compliance and offer optimal choice and ease of deployment – all while maintaining the highest levels of security.
By leveraging a complete Information Risk Management strategy, and ensuring that customer information is secured with proven, complete, up-to-date technologies and services, it is possible to improve customer retention, reduce the costs of customer retention and acquisition, generate new sales and migrate customers to lower cost self-service channels for the fulfillment of increasingly complex and high value products and services.
4. Expand into new markets
Global FSIs are constantly looking to expand into new lines of business and new regional markets, through organic growth, joint ventures and consolidation. Whilst this helps FSIs to meet their business objectives of increasing customer market share, profitability and compliance, it also creates an information risk management challenge as multiple – often disparate and complex – data sources need to maintain the integrity of secure data and access at all times and at all stages throughout the data lifecycle. For example, two merging FSIs may want to consolidate to a single data center for all customer records – meaning the data needs to be stored, accessed and migrated in a secure way.
Security breaches come from many sources – including employees, partners, competitors, governments and other organisations. These risks are heightened when FSIs expand into new regional markets and new lines of business. Meanwhile, protecting information in an ever-changing environment is critical if your business is to minimize risks associated with fraud, new technology and compliance mandates. Further, global operations can expose your business to additional information risks as new technologies, processes and cultures are introduced – and as new business models emerge from collaboration with third parties, or as a result of mergers and acquisitions.
In order to protect information in an expanding and changing organisation, you must manage information throughout the entire lifecycle. Access to sensitive data must have the appropriate level of authentication and encryption; security event management must be monitored; and fraud detection must be reliable. A combination of these tools both enables a financial institution to benefit from an enterprise-wide solution focused on internal as well as external threats when expanding into new markets, and helps you improve customer confidence through the deployment of new, secure channels that enhance the end-user experience.
5. Reduce the costs of doing business
A holistic approach to risk management that coordinates and aligns business and information processes will – by definition – open the door to cost savings as well as reduced risk. By identifying and closing security gaps through an effective Information Risk Management strategy (which enables businesses to manage information throughout its lifecycle and provides a single, enterprise-wide view of fraud, access, audit and information risk data), organisations can focus on critical operations that drive revenue and customer confidence instead of reacting to security breaches, fraud, operational inefficiencies and regulatory mandates. An integrated approach to managing information risk streamlines operations and would allow you to make worthwhile security investments while gaining significant and measurable ROI.
The ability of FSIs to conduct online transactions with customers is essential for reducing the cost-to-serve. As online security threats continue to grow in both frequency and complexity, the increasing risk of conducting these transactions increases costs. As financial institutions continue to recognize the benefits of conducting business online, the focus needs to be on the holistic deployment of integrated solutions designed to make certain that every user (employees, partners and customers) can securely and conveniently access the resources they need to conduct business.
By Andrew Moloney, Director, Financial Services, EMEA
RSA, The Security Division of EMC