IT Risk Banca Popolare di Sondrio




IT: Measurement & Rules to Manage Risk
26/04/2013 By Nicoletta Boldrini. Original Article from ZeoUnoweb.it

Our Bank [Banca Popolare di Sondrio] confronts IT risk management by the use of sound management of complexity, applying a structured interdisciplinary approach.

"Implicitly complexity is constantly evolving; to govern this you must know where you are at any point in time and measure it," began Milo Gusmeroli, Deputy General Manager and CIO of Banca Popolare di Sondrio, in sharing with ZeroUno all critical issues related to complexity management, confirming that it must be checked and managed. "In my opinion, complexity in IT is an intrinsic condition - continues Gusmeroli - and it can open new revolutionary opportunities. Not to consider complexity would be a mistake, and when doing so, it is essential to use a structured interdisciplinary approach."

In the case of Banca Popolare di Sondrio, the IT Governance base of the Bank's foundation comprises five pillars: Organization (as people and structure), Methods (services and processes), Architectures and Systems, Project Portfolio Management, Budgeting and Performance Management.

"As the complexity simplification is leading to greater capacity and more effective governance, of the IT domain architecture where systems play a decisive role," said Gusmeroli. "In this context, Banca Popolare di Sondrio has established an Architecture / Systems and Security group in the PMO and our staff has defined a control system that takes into account not only the architectural models (SOA, for example), but also the provisioning choices."

"The other important area that we consider essential is to understand the intricacies of IT (to measure and rule) and [he is] referring to the catalog of services provided (which is part of the pillar methodology), which, in terms of control, allows the IT department to have a clear view of the relationship between banking processes, organizational units, IT services needed to support and adequate computing resources," says Gusmeroli.

"The unit dedicated to the portfolio of projects, i.e. project management office, in Banca Popolare di Sondrio for this has the responsibility for the integration of budget, projects / service catalog, reporting, measurement, reporting and repositioning [this also to connect to the Bank of Italy reporting in terms of banks' prudential supervision - Ed]," adds Gusmeroli. "Finally, the scope and budget performance management has in charge obtains a balanced scorecard, however, integrating all part of project administration and catalog services for the strategic management of IT must always be supported by objective measurements and related to the objectives of business."

Interpreting the phenomena how to govern IT

[Photo caption: Milo Gusmeroli, Deputy General Manager & CIO Banca Popolare di Sondrio]

"IT is such a complex organization and IT can be effectively governed, however IT must be measured precisely in its complexity," highlights Gusmeroli. "This measure is aimed, in our case, to understand and interpret phenomena using remote control systems."

"The interpretation of the [complexity] phenomena and the use of the information IT generates using control systems, although we aim to achieve the highest level of predictability of IT systems behavior (and therefore the minimum risk), have a direct impact on the business," explains the CIO of the bank. "This is why we are introducing a stability indicator that allows us to have a view on the level of complexity and potential consequences so that this level can determine the profile of the business."

A similar view is being created in Banca Popolare di Sondrio through the platform OntoSpace (a risk management solution built by Ontonix that incorporates principles and algorithms for measuring the complexity of systems or processes); this necessarily involves the integration of data and parameters, both technical and of a different nature. "Within the system of control we have collected many data as well as technical performance indicators from the architecture which is derived from an analysis of operational risks - says Gusmeroli -. These are then integrated with data coming from other systems, such as the balanced scorecard, to determine the risk and to assess their impact on the business."

Referring to the case studies developed and looking, for example, at the analysis of a bank's server through Ontonix technology, the Bank was able to verify that the performance of the robustness of the system shows an initial intense activity (both batch and user side) which progressively decreases. The system, after a first period of tension, reaches an equilibrium situation and normal operating conditions. Continuing the analysis, it was also found that the most critical variables appear to be related to the management of the hard disk storage, an element which, however, we managed to resize. The system during periods of high operational demand is more exposed to unpredictable reactions, requiring greater management attention.

"The instrument used for measuring the complexity has also been applied to measure the response time of the transactions and then test the behavior of applications," said the CIO. "The analysis on the response times of applications showed that the element to be monitored with greater attention are the moments of discontinuity, i.e. the transition between activities (e.g. from batch to online)."

Symptomatic and almost surprising, the result of this analysis proved that 27% of transactions contribute to 80% of the operational complexity of the system. "Now we have more information to determine which applications and transactions are key-centric [critical pivots] and why, in order to govern the IT systems and processes better, thereby reducing the risk leading to a higher index of stability."

The analysis underway at Banca Popolare di Sondrio is intended to add other features on the potential and residual complexity and robustness of IT systems: in the vicinity of the critical level of complexity (to be placed on dashboards with intuitive graphic elements), when the behaviors of a system become unpredictable, thus putting stability at high risk. Based on this awareness, the Bank has initiated plans aimed at monitoring and measuring the potential risk (represented by the critical level of complexity) and residual risk (which comes from the distance between the actual measured complexity and the level of complexity identified as critical). The residual risk, in fact, measures the amount of indeterminacy [in concurrent computation] the system is able to withstand before starting to lose functionality and become unreliable, while the current risk measures the topological robustness and quantifies the ability of the system to preserve its functionality.

"It goes without saying that in order to maintain an index of stability, of the system IT must keep a safe distance from the critical level of complexity," says Gusmeroli.