Outsourcing Technology
Risk Management

The Challenge: Controlling Costs Without Compromising Service

As the economy takes its toll on risk management department budgets and in the wake of
a spread of hacking attacks unlike any seen before, organizations of all sizes are under enormous
pressure to secure their digital assets while simultaneously reducing cost. Maintaining client trust
and containing costs are the two most important goals a firm must meet. However, the challenge
is that those two goals are often at odds when protecting the company's systems and securing
private client data. Hence, technology risk management is of critical importance to organizations
regardless of industry, as well as to the regulators and supervisors charged with preserving the
safety and soundness of the financial system and customer protection.

Clients, regulators, and business partners expect your organization's systems, applications and
data to be secured and available when needed. And there’s the question of having the time and
expertise required to properly secure the digital environment. That is why more and more firms
are taking a closer look at outsourcing the Technology Risk Management functions, which
consist of Information Security, Compliance, Audit, and Business Continuity Planning. Outsourcing
has become a popular way to reduce long-term overhead, yet still obtain knowledgeable help.


Outsourcing Goes Mainstream

Outsourcing is a common business practice. In essence, your organization will be delegating
essential functions to professionals (who can also be hired on a part-time basis) that can provide
high quality services, while leaving you free to do what you do best. Better still, you don’t have
them on the payroll, so you don’t have to foot the bill for their health care, Social Security or
401(k) contributions, training, etc. You pay only for what you use and for when you need it.

Many financial institutions are now taking that logic a step further, passing functions that are
supplemental to their core business proposition to someone who can do it efficiently and cost
effectively. The business and economic considerations driving outsourcing decisions apply
equally to the Technology Risk Management practices of all sizes, especially when it comes to
security and regulatory compliance requirements.


Understanding Outsourcing Options

The term outsourcing covers a range of alternatives from the implementation and maintenance of
risk assessments, specific platform audits, all the way to the full implementation of a Technology
Risk Management function that executes all of its processes. The outsourcer provides
Technology Risk Management expertise and solutions. The client, however, still retains
responsibility for ensuring ownership and accountability of all of the systems in order
to have adequate risk prevention and mitigation solutions.

There is usually an agreement between the outsource provider and client clearly outlining
what services will be performed and how they will be fulfilled.


Why Outsource?

A Question of Time and Money

Time is a precious resource. It’s imperative to spend it on the tasks that matter most and
at which you are most adept—tasks that generate revenue and strengthen client relationships.
So what are your priorities?

Do you want to be working on strengthening your core competencies? Do you want to focus on
expanding your client base and increasing sales and revenues? Do you want to be exploring
new investment ideas and solutions? Do you need to stay better attuned to the movements of the
market for both risks and opportunities?

Executive management would answer yes to all these questions. But if you are spending
a significant portion of each month on tasks that are necessary, such as managing your
technology risks, rather than on clients and their portfolios, then your business could be
paying the price.

Outsourcing offers a lower cost alternative, particularly upfront, while enabling you
to leverage the technology, skilled resources, and technology risk management capabilities
of your provider.


Defining Technology Risk Management Requirements

A major reason for outsourcing Technology Risk Management functions is to be able to provide
professional and precise technology risk mitigation strategies that business partners and clients
expect and regulators require, without having to do the bulk of the work necessary for developing
and then implementing such strategies. Besides your internal management expectations,
you need to consider the requirements of your business partners, clients and the regulators in
defining your technology risk management requirements. In fact, there are many set requirements
that regulators expect companies to adhere to (e.g., Federal Financial Institutions Examination
Council (FFIEC) - Outsourcing Technology Services, Audit, Information Security, BCP).


Regulatory Requirements

Regulation relating to technology risk management, particularly for security and privacy,
has been getting progressively stricter in recent years. Currently firms must comply with
HIPAA, GLBA, FFIEC, and there is more to come such as the signing of the Dodd-Frank Act.
There is no doubt that firms are going to be under more intense scrutiny than ever in the years ahead.
Fair and transparent Technology Risk Management practices are in everyone’s interest. However,
it means that companies are faced with more rings to jump through to prove they are upholding the
confidentiality, integrity and availability of their systems and data, and those rings are constantly
shifting. Yet whatever the volume or complexity of regulation, or the rate at which it is changing,
security and privacy for compliance are non-negotiable.

When considering an outsourcing option, ask if the solutions available will enable you to meet
increasingly demanding client expectations and regulatory requirements. Again, with anything
less than full due diligence in identifying and mitigating information technology risks, you
may have trouble getting through a regulatory audit.

Outsourcing is more than a service. To be successful it should be a mutually beneficial relationship
between you and your provider.


How Outsourcing Your Technology Risk Management to DataGuardZ Can Help
Your Organization with Today’s Challenges and Beyond

With service demands and technology requirements on an ever-upward trajectory, the quandary
of managing technology risks is not about to disappear. As a result, growing numbers of
small and medium companies who want to control costs without compromising quality outsource
their Technology Risk Management processes to DataGuardZ in order to realize the following benefits:

Cost Savings: Total cost of compliance can vary from year to year based on needs,
whereas Technology Risk Management functions operate as a fixed cost.

Flexible Budgets: Financial institutions are required under the Safeguards Rule to
identify reasonably foreseeable internal and external risks to the security, confidentiality,
and integrity of customer information. This process should be done by the Security Program
Coordinator through a Risk Assessment that identifies foreseeable risks including:
attacks through the Internet, viruses, and compromises to the physical aspects of
security (i.e. no password protection or shared "common" passwords).

On Demand Access to Talent: Specific Technology Risk Management skills and resources
can be effectively matched to the requirements by using specialists in Information Security,
Audit, Business Continuity, Technology, and other areas where applicable.

Manage the Peaks: Technology Risk Management departments would need a higher level of
fixed staff to manage the peak levels encountered during the year (e.g., Sarbanes-Oxley
efforts), whereas an outsourced model brings resources only when needed to meet the
peaks of the risk management cycle and moves them elsewhere during off-peak periods.

Focused Effort: Outsourced resources try to avoid miscellaneous office distractions,
arriving late and leaving early, running errands during the workday, and attending
general office meetings, as this time cannot be charged to a project.

Sharing Best Practices: Using an outsourcing or co-sourcing provider allows access
to more information, experiences and best practices from more than just your industry.