Bank Systems & Technology is part of the Informa Tech Division of Informa PLC


Banks Need to Take Risk-Based Approach to Data Management

Banks need to approach their data privacy and security from a risk point of view, according to experts with New York-based Deloitte. The firm held a webcast Tuesday that discussed how financial institutions can transform themselves from compliance-driven organizations into risk-driven organizations, two distinct models, said Edward Powers, a principal with the firm's security and privacy practice.

Over the last six to eight months, Powers said he has seen a continued sensitivity to risk among financial institutions. "At the same time, I've seen significant moves to downsize budgets and human resources. This is creating strain. Most organizations are now optimizing around the things that are most urgent."

To help banks find a balance, Powers suggested they become "risk-intelligent enterprises." What this means is that rather than allowing factors like budgets, laws and regulations, and stakeholders to push the organization to simply meet the minimum requirements by law, a risk-intelligent enterprise takes a more proactive approach to managing security needs. Data becomes the focal point of this model.

"A compliance-based approach to data management creates gaps, redundancies and inefficiencies," Powers explained to attendees. "This may reflect the current regulatory environment but not your organization's current posture. You end up reinventing the wheel and building redundancies."

He said that for a bank to become a risk-intelligent enterprise, it must incorporate three attributes:

1. Asset inventories and the need to understand the data, along with the data flows.
2. Creating a risk catalogue with a common risk language that takes into account legal requirements, and internal and external standards and policies.
3. Becoming serious about third-party oversight so that the bank's service providers are held to the same standards of data security as the bank.

"A risk-intelligent enterprise is communications-centric. The organization has a common reporting language," Powers remarked. "It is intended to align the business requirements, compliance requirements and vulnerability management to eliminate overlap and create an efficient risk management environment."

"Data is an asset," added Richard Baich, also a principal with Deloitte. "It's the most central asset, besides people, that the financial services industry values. You have to understand data is not just owned by IT or the data warehouse."
