Information Technology in the Regulatory Spotlight

IT governance is a process that ensures that IT capacity is working on the right things at the right time to enable business goals.

–Ben Bernanke, 2008


The information technology capabilities of financial institutions are receiving significant regulatory attention in the current environment. Why? The reasons include a plethora of new regulations; large-scale security breaches and regulatory requirements that, in some instances, both potential and actual breaches be reported; challenges brought on by natural disasters; reliance on complex and interconnected systems; and deferred IT spending during the financial crisis, among other factors.

Challenges and Opportunities

Managing complex IT priorities has become a significant challenge for many financial institutions. The companies that are able to do this effectively will not only fare better with their regulators, but will also have a strategic advantage in the marketplace.

Our Point of View

The key to an effective IT organization is a well-defined IT governance framework. That framework should, among other considerations, clearly delineate roles and responsibilities (including those of the board of directors and senior management). It establishes the processes and procedures for determining IT needs, authorizing and tracking IT investments, and measuring the effectiveness of IT processes and tools and their value to the businesses they support.

Among the issues that IT organizations in financial institutions face today are the following areas of regulatory focus:

  • Information security, including data governance and data loss prevention, application security, technological innovation (e.g., the cloud, social media and continued advancements in mobile banking), vendor risk management, and security strategies that include prevention, detection and response
  • Business continuity, with a focus not only on the completeness and recency of the business continuity plan, but also on how often and rigorously it is tested
  • Data management capabilities to provide timely and reliable information to meet the day-to-day needs of the business, produce required regulatory reports, and support the institution’s enterprise risk management needs through, among other things, the timely compilation and aggregation of information across multiple business lines and legal entities
  • Oversight of specialized third-party technologies, such as those used for compliance management and quantitative valuations
  • Role of the technology organization in supporting the development and offering of new products and services
  • Implementation of new regulatory requirements, including significant changes required by the Dodd-Frank Act and other legislation, as well as the routine, never-ending rulemaking that characterizes the financial services industry
  • Ensuring that the “everyday work” is undertaken and completed while systems changes and improvements are underway

Needless to say, very few institutions have unlimited resources – financial or staff – to tackle all of their technology needs at the same time. Trade-offs need to be made. Institutions must address technology risks holistically with a top-down approach that includes input from all of the appropriate stakeholders from the business as well as IT, and considers the big picture rather than just the insular needs of one department or business unit.


How We Help Companies Succeed

With delivery capabilities across the country, Protiviti’s U.S. Financial Services, IT Consulting and Regulatory teams partner to help our clients understand the inherent technology risks they face, along with the regulators’ expectations, as well as industry best practices, for managing these risks. Our experts assist clients by:

  • Analyzing the impact of regulatory requirements and regulators’ expectations
  • Performing gap analyses of a financial institution’s current practices as compared to regulatory guidelines and industry standards such as COBIT, ISO 27001, NIST and ITIL
  • Assisting with the remediation or enhancement of technology programs and practices stemming from regulatory inquiries or internally driven initiatives
  • Developing or enhancing overall IT and security governance programs and strategies
  • Performing reviews/audits of technology activities


We were engaged by a global financial institution to perform a gap analysis of a technology organization in comparison to U.S. regulatory expectations and established global technology frameworks. We reviewed the organization’s capabilities and practices across a broad range of technology functions and assisted the company in identifying areas for improvement and developing a prioritized enhancement plan.

We assisted another global financial institution in developing an enterprise program office to drive strong governance surrounding internal project spending and benefits realization, including that for technology. We also helped our client ensure that the allocation of funding is correctly focused and managed in a way that contributes to the company’s strategic objectives and, ultimately, shareholder value.


Carol Beaumier
Scott Laliberte