Professional Chat: Technology and risk

In an increasingly competitive financial services industry here in Rwanda and in the wider region, the use of technology as a strategic business tool has become more pronounced. Indeed, the more recent innovation initiatives in banks have focused on rolling out new technology based services, for example SMS banking. Significant financial investment has also gone into new core banking systems to replace the legacy systems, as banks seek to improve cost efficiency, enhance customer service, create new service delivery channels and support business growth. However, experience in the region shows that most core banking system implementation programmes have been plagued with challenges. New systems expected to improve competitiveness have instead created loopholes for fraud, eroded brand equity, raised regulatory concerns and increased operational costs. Those who have been through a core system changeover will be all too familiar with the efforts that go into resolving significant suspense accounts and reconciliation problems months after the system has gone live. These challenges, if not well managed, expose an institution to IT related fraud risk and impact significantly on financial and regulatory reporting processes. While much has been invested in technology improvement, there are instances where some entities are not able to achieve competitive advantage. Often when technology implementations became costly and complex, the overarching goal becomes “getting the system live.” Accordingly, compromises in process automation and functionality are common occurrences and inferior processes may be migrated to the new platform. This results from a failure to leverage the new systems to re-engineer or improve the business processes, improve customer service and deliver new products. Benefits realisation from increased automation is achieved only when new organisational structures and ways of working are adopted. Implementation of a new system should therefore necessarily include a process to identify opportunities to improve key business processes to make them more efficient and effective. This would involve an organisation wide effort to identify process bottlenecks, following this up with root cause analysis and identifying the required steps to enhance the processes. This should be an integral part of an entity’s risk management processes. In new systems implementation, many institutions fail to adequately address the quality and usability of information expected to be generated from the system. A distinction needs to be made between data and information and the two should not be confused. Every system will generate data but that data becomes business information only when organised in such a manner as to enable management to make business decisions. The quality of information generated from a system has a significant bearing to the quality of risk management processes for a financial institution. Many IT transformation projects overlook the opportunity to embed more sound and accurate performance management methods. Many aspects of risk and financial reporting are constantly re-visited after ‘going live’ as financial institutions try to determine how to best leverage the new systems and infrastructure to drive performance. The effort expended in fixing the new system to support the business as initially planned demonstrates poor needs definition at the initiation stage, especially from a risk management perspective. Many financial institutions will acknowledge that manual workarounds and extensive spreadsheet use outside the core system continue long after a system has been implemented. Manual workarounds and spreadsheet based processes result in inconsistency and are inherently prone to errors. Technology investment projects should therefore involve collaboration with the business units and risk functions and should never be seen as an IT department project. This aspect has typically been sacrificed to get the system live. IT security risk is one of the more significant risks financial institutions in the region have to deal with. This is an extensive subject in itself and is the topic of another day. The author is a Manager with PwC Rwandasamuel.g.kariuki@rw.pwc.com