State Bank of Pakistan released its “Enterprise Technology Governance & Risk Management Framework for Financial Institutions” at the end of May 2017 and expressed its desire that all FIs comply with it by June 30, 2018. The objective of this Framework is to prepare the FIs in Pakistan for what is called ‘digital banking’. This is an excellent and timely effort, probably one of the very first of its kind anywhere, and deserves praise. It is comprehensive, covering almost all relevant domains in its six chapters – Information Technology Governance, Information Security, IT Services Delivery and Operations Management, Acquisition & Implementation of IT Systems, Business Continuity & Disaster Recovery, and IT Audit.
Its title is very appropriate, mentioning “Technology Governance”, not just “IT Governance”. This is in line with the concepts I have mentioned in my book “Technology Governance – Concepts & Practices”, London, February 2017, available at Amazon. However, the concept of “technology governance” is not maintained throughout the Framework as is evident from the titles of the chapters. The Framework should have covered the entire spectrum of technologies that are employed in any financial institution, not just “information technology”.
The Framework is very rightly based on a collection of standards and best practices. These include ISO 38500, ISO 27001, ISO 20000, ISO 22301, COBIT 5 and ITIL. It also encourages FIs to comply with these standards without naming them. The Framework makes a major assumption in its very first clause when it requires that the “technology governance framework shall be closely aligned with FIs’ corporate governance framework”. In my experience, most corporates do not have a proper “corporate governance framework”. In my wide experience in designing, implementing and automating corporate governance frameworks, the best statutes that provide guidance in this regard are BS 13500 from the British Standards Institution and the King IV Report on Corporate Governance from the Institute of Directors in South Africa.
I have the experience of seeing the emergence and implementation of frameworks around the world. These include the NIST Cybersecurity Framework from the US, which was initiated by President Obama and has been enhanced very recently by President Trump. The other framework that I have witnessed going through its emergence and popularity is that of BIM – building information modelling – in many countries of the world. The third framework that I may mention for the sake of variety is the cybersecurity framework of the UAE by their National Electronic Security Authority. All of these three frameworks have been very successful in their own ways and have gone through a similar early life and issues. This Framework from the State Bank of Pakistan has a lot to learn from the three mentioned ones.
First, this Framework should have followed the logical structure that the ISO standards have now come to adopt. This would have made it more readable and easy to break into sub-clauses, each of which could be mandated in its own right. Also missing is a definition of standard terms in the pattern of the ISO standards. State Bank of Pakistan could have, alternatively, referred to the ISO standards for definitions.
Second, this Framework, being so comprehensive, may be misinterpreted. The FIs will start seeking clarifications from the State Bank of Pakistan on various clauses. This may mean considerable effort on both sides. The solution to this is the issuance of supporting documents on the pattern of the ISO 27000, ISO 27002, ISO 27032 etc. for the ISO 27001 standard. However, these supporting documents can now be issued one-by-one as is being done for NIST.
Third, the Framework does not lay down the template for the reporting of compliance by the FIs to the State Bank of Pakistan. As a result, each FI will use its own format and style to report compliance, making it a nightmare for State Bank of Pakistan to decipher these reports and compare them for any high-level analysis. In fact, to begin with, a spreadsheet-based audit tool may be sufficient. I have already prepared such a tool and can offer it to the State Bank of Pakistan and the FIs to use.
Fourth, the Framework assumes that all FIs will certainly comply by June 30, 2018. In my view, this may not be possible in most cases since compliance may mean considerable effort and cost. State Bank of Pakistan should ask the FIs to report, for each sub-clause, the date of compliance if not already compliant. Fifth, how will the State Bank of Pakistan ascertain that the compliance reports are correct? Will the State Bank raise a group of technology auditors who will do external audits of all the FIs? This is a demanding task and may need a set of processes, procedures and tools in its own right.
This Framework is an excellent effort, but it is just a starting point. FIs will tend to interpret the requirements to suit their level of compliance and report full compliance. The next release of this Framework should seek not just a go/no-go compliance but a proper maturity assessment on a scale of ‘0’ to ‘5’, as is done for CMMI and COBIT 5 maturity assessments. This will enable the FIs to better assess themselves and the State Bank of Pakistan to assess the FIs. This will also provide room for improvement that a simple go/no-go compliance does not.
Considerable effort will be needed on the part of the FIs to comply with the Framework and to report the compliance. This may be taxing on the resources available in the FIs since this exercise requires a very wide spectrum of skills – from corporate governance down to penetration testing and vulnerability analysis. The first question that most FIs will face is that of responsibility – ‘who leads the effort’. The logical answer is ‘compliance’. The Head of Compliance is the logical choice to combine the efforts of all the departments to achieve compliance with the Framework. On the other hand, if the project is handed over to IT, it will, very likely, fail. The very basic concept that most companies do not understand is that technology (or IT) governance is the responsibility of the board of directors, not IT. Making IT itself responsible for “IT Governance” is a very clear conflict of interest.
Given the turmoil that the banking industry is going through because of the rush towards “digital banking”, the severe threat that it is facing to its very existence from cryptocurrencies, and the challenge it is facing from ‘fintech’ and ‘regtech’, it is best for FIs in Pakistan to create a new position titled “Chief Transformation Officer” reporting to the CEO. He should work in close co-ordination with the head of compliance, the head of legal, the head of internal audit, and the head of operations to bring about a radical change in the institution based on standards, best practices and industry norms – compliance with the State Bank of Pakistan Framework for Technology Governance will naturally follow.
(The writer is an international consultant practicing in the GCC and Africa. His recent book titled ‘Technology Governance – Concepts & Practices’, published in London, is available on Amazon. He can be contacted at azharzr@usa.net or through LinkedIn.)