By Wendy Mars, CTO, ThruPoint
At ThruPoint, I engage in work, from a global standpoint, related to IT governance—that is, I look at it from a regulatory and compliance perspective. It's a considerable challenge for companies all over the world, especially those in the financial services sector, one of the seven industry segments on which ThruPoint focuses. The increased focus on IT governance requirements has created a number of interesting dynamics.
For instance, in the United Kingdom, we're dealing with the Markets in Financial Instruments Directive (MiFID), a new regulation mandated by the Financial Services Authority (FSA). (The FSA is similar to the Securities and Exchange Commission in the United States.) MiFID is a significant part of the European Union's Financial Services Action Plan (FSAP), which is designed to help integrate Europe's financial markets. Among other things, it sets out more detailed requirements to govern firms that offer investment services, the conduct of business for investment firms, and the way regulated markets and multilateral trading facilities operate.
This directive has organizational importance for businesses. It not only affects how you functionally deal with financial transactions, but it also has an impact on how you build your infrastructure in terms of access to certain information (availability and performance) and archiving of it (how long you must retain it). One MiFID goal is to enable stock purchasers to analyze whether they got the fairest deal. It is a noble goal, but it puts the financial services firm under a high degree of scrutiny.
Let's look at these issues and their ramifications.
As you add data and applications to your environment, you need to ensure that you do not compromise performance and availability. In an environment where multiple business units share the same core of data and services, managing this is particularly important. When you plan to deploy new services, it's important to know what capacity you need to add, and to add that capacity rationally, in a way that keeps your infrastructure manageable. Adding different hardware and software combinations, for instance, will increase your operational complexity.
This also relates to business continuity management. When you're talking about access to information, as MiFID does, there is an increased awareness that appropriate levels of service should be offered to your client base. As you make changes to your infrastructure from a business unit perspective, therefore, you should always consider how you're providing clients with availability of information. Run formalized tests regularly to ensure that you can easily find or recover the appropriate detailed information. Do this at least once a year.
When it comes to archiving information, you need to understand retention periods, which are a minimum of five years for transaction data and one year for client telephone conversations. That's what tax law dictates in the United Kingdom and the European Union. Be sure, also, that you have the ability to access information when it's archived.
Another concern is what happens beyond retention, when assets and infrastructure elements reach their end of life and are no longer formally supported. You need to have strong controls in this area to understand where your assets are, how they're being used, when they should be phased out, and whether you can legally do so. This requires tools that give you this visibility and a strong policy on who is authorized to make such changes. A defined auditing program goes a long way toward helping you understand what assets you have and how you're using them.
All this brings up issues beyond access and archiving for the chief information officer. It means you should have centralized accountability and enforcement. Stakeholders have to work together to develop and update the policies, but once the framework is developed, a single group should be responsible for enforcement. (You may want to appoint a chief compliance officer to deal with these issues on an ongoing basis.) You also have to plan how to communicate those policies and educate employees about them. You can post your policy framework on the corporate intranet, but you have to make sure that people are notified and aware when changes occur.
If you are a young company—at ThruPoint we deal regularly with small and midsize companies, as well as large enterprises—your focus has probably been more on growth than IT governance. But it's crucial that you start thinking about IT governance: Audit where you are today and benchmark yourself according to current regulations that affect you. This will give you the insight you need to move forward. After all, you can't solve a problem if you don't know it exists.