Q&A: Bill O'Day, Standard Life

Changing attitudes towards IT risk management is a priority at the insurance giant

O'Day: "We want to stop dealing with yesterday's incidents and focus on mitigating prospective issues"

IT delivery and support director at Standard Life, Bill O’Day, is responsible for the risk management strategy at the insurance group. He tells Computing how the economic downturn is shaping the IT plans for that area of the business, what the firm is doing to predict risks and the challenges he expects to face during 2009.

Can you sum up Standard Life’s approach to IT risk management?

We are not concerned with dealing with yesterday’s incidents and problems. Instead, we focus on detecting the prospective issues we may need to mitigate tomorrow. Those are the areas where we have embedded risk management as a service discipline.

The key point is to assess the risk events to determine what the likelihood of each one happening is and what the impact would be if that event happened.

There is a lot of talk in the industry about how to better manage IT risk, but we’ve had a good set of processes that help us identify potential risk events for quite a while. We also do a regular monthly control self-assessment where we look at all our key risks, and we also employ [IT best practice framework] COBIT processes to develop appropriate governance around those things.

An important part of the process is encouraging staff to alert us to any potential hazards, but we also keep tight control of who is accountable, consulted and informed about those particular processes.

What is the impact of those policies on the day-to-day running of IT?

We have a variety of manual and automated detective and preventative controls built into our day-to-day service elements. For example, if we have a service incident or an outage on a particular application, we investigate it to find the root cause and ascertain whether our control activities need to be adjusted to prevent a repeat occurrence.

Our risk controls also help us take action and identify any threats before we go into production. If my colleagues in development are building applications, they would have a series of precautionary controls as part of their testing and implementation plan.

Trying to map out the relationship between risk events, incidents and key controls we need to have in place is challenging, but we are constantly refining all our processes.

Given recent events in the financial services sector, do you expect extra regulatory pressure to improve your IT risk management set-up?

Standards in the industry increase every year, and I can only imagine that in the years to come, demands to be able to demonstrate good operational control will increase.

We have some obligations to the Financial Services Authority (FSA) to be able to show that we know and understand risks. So the better you control your environment, the less capital the FSA will require you to set aside for any unlikely events that may come around.

At Standard Life, we see risk management as a real business benefit as it helps us from a regulatory perspective, but it is also a key part of our operational excellence cycles. We find that, rather than the bureaucratic exercise it initially was, we now have people who will use those processes to get their job done.

What are the opportunities for IT staff trying to get into risk management in financial services?

When looking at risk from an IT perspective, there are opportunities out there for people who understand their technical disciplines as well as the key processes they are operating in.

Since risk management processes cover multiple business functions, there is always the possibility of things falling down a hole in some way if you don’t have the right controls in place, so a good understanding of the process and the technology, and how to link those two things, is essential.

What are the key projects you will be delivering on during 2009?

We will see improvement taking place in our existing processes during 2009, though we can already identify and manage risks reasonably well. The priority is to keep embedding risk processes into the business and look at things such as capability models, seeing how we can quickly identify and close down any risks and manage any variations. We want to eliminate any delays in hand-offs between identified risks, so we are doing a lot of work on speeding up those procedures.

Going forward, while we will keep introducing robust risk management frameworks, the main challenges are educational, getting people to see the benefits of doing that kind of thing. It is important to avoid seeing risk management as some kind of overhead, because it can actually add value and eliminate waste and variation in processes.