The financial services industry continues to feel the pressure. Sustained regulatory attention, a sharper focus on shareholder value and customer service, coupled with an ever more competitive and closely scrutinised market are paving the way for much needed transformational change. Information technology has emerged as a key enabler to deliver this change, yet the resulting risks posed to organisations are on the rise.

Our previous survey, 'Heads of IT Risk: Directing a new function', showed how IT Risk functions originally emerged following improvements in risk management practices across the organisation.

Two years on, the IT Risk function has evolved, growing in size, responsibility and with higher executive visibility. These factors, combined with heightened regulatory focus, constrained budgets, and a struggle to find people with the right skills, have created a challenging environment.

This survey brings together insights from IT Risk functions from twenty of the largest global financial services institutions. Undertaking face-to-face interviews with those responsible for setting the IT Risk agenda allowed us to get an inside view into the challenges facing IT Risk in the financial services industry as it navigates its way through testing times.

IT Risk in the headlights

Heightened regulatory focus

In the UK, the Financial Conduct Authority (FCA) has cited technology as one of its five priority risks for 2013/141. Other recent regulatory stipulations, such as the FSA's 'Dear Chairman' letter requesting businesses consider resilience when changing or designing IT systems and processes, has added to the pressure put on IT Risk functions. Our survey indicates that the majority of IT Risk functions feel this increased regulatory scrutiny has, and will continue to, significantly impact their business as usual activities.

When asked where the greatest challenges lie over the next twelve months, unsurprisingly, regulation was the most common response from survey participants, with forty-five per cent citing it as a key challenge in achieving their IT Risk objectives (figure 1). The shared sentiment is that regulators are more visible and are playing a key role in shaping the direction of travel as they are becoming more prescriptive in their requirements.

Nearly half of survey respondents believe that interfacing with regulators is a key area of responsibility for IT Risk functions (figure 2). The more mature functions are building relationships with the regulators directly to get an early view of upcoming regulatory change and to help shape the direction through the consultation process.

Despite seeing the benefit in working more closely with the regulators, many of our survey respondents felt that there was still a need to overcome 'a lack of pragmatism', 'unrealistic expectations' and the 'sheer volume of requirements from multiple regulators'.

Increased executive attention

Informed opinion is unequivocal; IT Risk has never been higher on the executive agenda. Our survey tells us that organisational risk appetite is decreasing year-on-year, with seventy per cent of our respondents citing a reduction in the last twelve months, increasing the executive pressure and focus on IT Risk (figure 3).

C-suite focus on IT Risk is at an all time high and this attention has resulted in a significant increase in the number of IT Risk functions that are engaged directly by the Board to report, update or provide direction on IT Risk matters. Retaining and developing this executive support will be seen as a key opportunity for IT Risk functions over the next two years.

Missing signposts

Eighty-five per cent of organisations identified challenges in producing comprehensive data-driven Management Information (MI) to enable timely, accurate and relevant decisions.

Catering for the executive

Where IT Risk is reported to a senior level, considerable effort is required to present this information in an executive-friendly format.

Our survey respondents highlighted challenges across the financial services industry in producing consistent, transparent data in line with business requirements and on a timely basis.

Lacking the right tools for the job

The majority of respondents indicated that there was a large degree of manual effort required to generate regular reports. Organisations spend a considerable amount of time working around the data they have, rather than designing data, reporting and tools to suit their needs.

Looking ahead

Effective MI allows organisations to identify and escalate issues either as they arise, or before they are realised. Yet many respondents indicated a low level of maturity in their ability to identify risks proactively, with only fifteen per cent believing their IT Risk reporting was proactive and dynamic (figure 4).

Those on the front foot are harnessing their MI to build emergent capabilities in proactive education, awareness and forward-looking risk assessments.

A shifting role

Heightened executive attention has led to an increased set of roles and responsibilities and IT Risk functions are positioning themselves more and more in the second line of defence, forcing the front line to take responsibility for control operation.

A structural change

An increase in roles and responsibilities has led to a structural shift for many IT Risk functions. Sixty per cent now adopt a 'hub and spoke' model, where a central function sets strategic direction and policy, and geographically dispersed IT Risk teams bring local insight and experience to delivery. Typically, this approach is seen in the larger retail banks and global insurance groups.

Twenty per cent still rely on a more traditional model of having a light central function setting strategic direction and having limited day-to-day interaction with front line control and operational functions. This is typically where the organisational risk culture is more focussed on credit, financial and market risks rather than technology, and our survey suggests this is more common across the investment management and insurance sectors.

Lines of defence

The majority of respondents have a clear ambition to operate in their organisation's second line of defence, giving accountability for control design and operation to the front line. Our survey results show a marked increase in IT Risk functions moving from the first line to the second line of defence (almost two-thirds now operate in the second line compared to just thirty per cent in 2011).

Despite this seemingly rapid transition, it has not been without challenges. All functions that saw themselves as purely second line highlighted the on-going challenge to interact with the front line in an effective manner - citing issues ranging from the inability to gain traction, to overreliance on the IT Risk function. Nearly all respondents mentioned the continued challenges around extricating themselves from legacy arrangements, such as control operation and providing detailed Subject Matter Expertise (SME) input to control design.

This was compounded in organisations going through a restructure or global expansion, where control ownership and responsibility were in a state of flux.


1. Financial Conduct Authority. (2013). Business Plan 2013/14. London: Financial Conduct Authority

2. As quoted by the Institute of Internal Auditors (IIA), the first line of defence is management control, the second line of defence is supported by various risk control and compliance oversight functions, and the third line of defence is internal audit. Source: IIA (2013). Position Paper: The three lines of defense in effective risk management and control. Florida: IIA Global

To read this article in full please click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.