This document outlines a presentation given to the Reserve Bank of India on technology management in banks. The presentation covers the history of banking in India, the current technology landscape, and enterprise architecture management. It then discusses typical IT structures in banks including mission, governance, and processes. The presentation is divided into sections on changing business needs, running current infrastructure, and securing the bank. Specific topics covered include business architecture, channels, processors, data infrastructure, infrastructure reference architecture, IT risk controls, and compliance with RBI guidelines.
1. Technology Management In Banks: A Practitioner’s Playbook
Presentation to the Reserve Bank of India, Bangalore
Aniruddha Paul
April-2012
2. Schedule
Introduction
1. History of Banking in India
2. Performance Assessment of Indian Banking
3. The Changing Scenario
4. Ensuing Complexities in the Technology Landscape
5. Enterprise Architecture Management: Introduction
6. Enterprise Architecture Management: Key Aspects
7. Enterprise Architecture Management: Checklist
Typical Bank’s IT
1. IT – Mission
2. IT – Governance Structure
3. IT – Governing Processes
Change The Bank
1. Business Architecture – Reference Architecture & Change Program Review
2. Business Architecture – Ecosystem Integration
3. Channels – Road Ahead
4. Processors – Road Ahead
5. Data Infrastructure – Road Ahead
Run The Bank
1. Infrastructure Reference Architecture – Current Status
2. Infrastructure – Road ahead
Secure The Bank
12. IT Risk – Key Controls – Framework
13. IT Security – Current Status & Road Ahead
14. Compliance to RBI Guidelines – Current Status Assessment
3. Disclaimers
• Opinions expressed in and during the course of the presentation are not necessarily the opinions and positions held by ING Vysya Bank
• Templates and data points shared in and during the presentation are purely indicative and representational
4. History of Banking in India
1806: Bank of Calcutta (later, Bank of Bengal and in 1921, SBI)
1860: 1st foreign bank in India: Comptoire d'Escompte de Paris
1906-11: Indian banks inspired by the Swadeshi movement. Dakshina Kannada became the cradle of Indian banking
1948-49: RBI Act; Banking Regulation Act
1969: Nationalization
1990s: Liberalization
2006: Banking Code & Standards (BCSBI)
2011: Guidelines on new licenses
Side notes on the timeline:
• External shocks have undermined under capitalized Indian owned banks
• GoI direction imposed on banking
• Liberalization of the economy and the industry leads to the rapid growth of banking, especially retail banking as we know it. Demise of the 4-6-4 method!
5. What’s been good for Indian banks hasn’t been good enough for the country
• Scorching pace of growth since liberalization: CAGR of around 30% to touch a figure of INR 9700 Billion. Bankable households are growing at a CAGR of 28% (2007-11)
• What’s powering this growth?
  • Economic prosperity and growth rate
  • Young population (70% < 35 years)
  • Technology channels: ATM, POS, Web, Mobile
But
• Retail loans constitute 7% of our economy versus 35% in other Asian countries
• Retail assets are at only 25% of total banking assets
• 41% of India’s adult population is un-banked
• Number of loan accounts: 14% of adult population
• 73% of farm households have no access to institutional credit
• Share of money lenders in rural debt has moved from 17% in 1991 to 30% in 2002
6. Fortunately, the scenario is changing
• Financial Inclusion (FI) is an RBI mandate, government mandate and a social mandate
• There IS a fortune at the base of the pyramid
  • Social security payments and NREGA payments are being routed through banks
  • MFIs have shown that it’s possible to run extremely profitable businesses. Most major banks are working on a business-driven FI strategy
• Simplified KYC norms and UID are expected to drive down the cost of customer acquisition
• Innovation in mobile / handheld devices using a uniquely Indian model offers the best potential breakout strategy
7. The Technology Response to the complex business landscape has been... complex!
Technology Mayhem vs. Technology Management?
8. Enterprise Architecture Management: Introduction
As companies innovate, add new business lines and products, or expand their international presence, processes proliferate, and the discipline around them can go out the window.
Meanwhile, the IT that underpins these processes can also become more entangled as aging legacy systems jostle with new applications to support the needs of the business. Over time, this kind of complexity can unravel technology standards and undermine the coherence of the architectural blueprint. As application volumes grow in response to a fast-changing economic, regulatory, and business environment, the issue of complexity is becoming acute for many organizations.
Enterprise architecture management (EAM), a framework to manage IT architecture and ensure that both the business and IT are well aligned, aims to restore order to this landscape.
McKinsey on Business Technology, Spring 2010, Helge Buckow et al
10. Enterprise Architecture Management: Checklist
Leadership
• Focus on transformation: Educate leaders at the highest level to help them understand that EAM is about change management and not simply a new IT initiative.
• Choose new leadership: Select a chief architect or CTO with strong business and technical skills and the requisite budgetary and leadership authority to manage the change process.
• Know what to avoid: Expand candidate searches beyond the ranks of career IT denizens
Governance
• Define the mission: The goals of EAM must be translated into business terms or risk being branded as an IT-driven initiative.
• Communicate clearly: Many EAM frameworks are written for a technical audience, with no clear business rationale for non-IT types. New rules for implementation must stress the business case rather than the engineering details.
• Lead locally: Ensure that the project-management team includes both business line and IT managers on a global, regional, and local level to disseminate program changes throughout the organization and ensure institutional buy-in.
• Adopt new metrics: Align milestones, key performance indicators (KPIs), and incentives with business goals
A new architectural model
• Establish a new blueprint: Business requirements rather than technical needs should be at the center of the IT architecture.
• Standardize and simplify: Break up complex applications into their component parts to find common elements that can be standardized and shared. Capabilities that involve similar functions and rely on similar data, such as billing or credit approval, can be grouped into domains. A domain-based architecture streamlines the number of applications supported, freeing up human, financial, and system resources.
• Create a new playbook: A guide to the architecture should dispense with complex hardware and software specifications and instead describe what IT can deliver to the business
11. IT – Mission: Typical Example
2006-2009: System stability and better application utilization / performance in critical areas through better processes & strategic initiatives / Investments
2010 and After: To be a Strategic business partner based on Service Excellence through Technical Leadership in a secure and cost-effective manner
12. Typical Governance Structure
Parameter | Weak Governance | Strong Governance
Org Structure (org chart labels) | CIO; General Pool; Vendor Mgmt | CIO; Vendor Mgmt; Change Delivery & PMO; Service Delivery; IT Security
Org Structure (outsourcing labels) | Single Outsourcer – Virtual Captive | Virtual Captive: Multiple Outsourcers – specific assignments; Assignment specific out-sourcing
Governance Model | Weakly defined commercial contract | Strong SLA based contract with penalties; ISO 20K process framework; Intrusive, detail oriented oversight
Cost Structure | Monolithic | Flexible and driven by business priorities; Better SLA
13. Governing Processes – ISO20000
ISO 20000 is chosen as the standard for Service Management processes. 9 of the 13 standard processes have been implemented and have been audited by the Internal Audit team for effectiveness. The following is the current status assessment:
ISO 20000 Process - Current State of Effectiveness assessment
Sl No | Service Management Process - Category | IT Service Management Process - name | Audit Rating
1 | Service Resolution Processes | Incident Management Process | Sufficient
2 | Service Resolution Processes | Problem Management Process | Sufficient
3 | Control Processes | Change Management Process | Sufficient
4 | Control Processes | Configuration Management Process | Sufficient
5 | Release Processes | Release Management Process | Sufficient
6 | Service Delivery Processes | Service Level Management | Sufficient
7 | Service Delivery Processes | Service Continuity & Availability Management process | Sufficient
8 | Service Delivery Processes | Capacity Management Process | Sufficient
9 | Relationship Processes | Supplier Management Process | Sufficient
15. Business Architecture: Reference Architecture and Change Program Overview – Typical Example
[Figure: reference architecture diagram with layers Channels, Processors and Data. Legend: Completed, In Progress, Planned, Open]
• Channels: In place; next wave of renewal and innovation
• Processors: In place; next wave of renewal
• Data Infrastructure: Focus area
16. Beyond the Enterprise – Integrating with the Ecosystem
• Integrating with B2B (Corporate and Business Banking) e.g. Amway, MCFL, LIC
• Integrating with B2C (collaborative Retail platforms) e.g. Angel Broking for Online Share Trading and Enstage for Mastercard 3D Secure
• Integrating with Outsourced Service Providers (Operations) e.g. 3i Infotech and Karvy for AOF outsourcing
• Faster time to market: 60-90% less integration effort
Source: Verizone
20. IT Risk - Key Controls – Framework
Key drivers
1. Bank’s Minimum Standards
2. New RBI Guidelines released in 2011
21. IT Risk – Current Status and Road ahead – Typical Objectives
Timeline markers: 2009 (IT Risk Level: 2.x), 2011 (IT Risk Level: 2.x), 2011 (IT Risk Level: 1.x), 2013 (IT Risk Level: 1.x)
Focus on Processes
• User access management process strengthened - Web Based User Access Management system implemented
• Improvements in the perimeter security
• Process for data sanitization defined and implemented for customer related applications
• Initiatives taken to block USB access at centralized level
• OSG guidelines defined for key infrastructure components
• Strengthening of ISO 20000 processes and the outsourcing model.
Focus on Technology
• Privileged user id management – IT Infrastructure
• Application level identity management, SSO
• Feature set extension of UAMS, to include branch level user access reviews
• Unified Compliance Management
• Configuration status monitoring through Configuration Management System
• Application penetration testing – Internal applications
• Data Leakage Prevention system
• Data centre re-design to accommodate future growth
22. Compliance to RBI Guidelines – Current status assessment – Typical Measurement
Key requirement summary - RBI Guidelines
Each cell shows: Open / WIP, then Closed / Complied
Category | Governance, Policy & Procedure related: Must/Should | Governance, Policy & Procedure related: Information & Recommendations | Key IT Risk Control implementation: Must/Should | Key IT Risk Control implementation: Information & Recommendations | Meeting & Reporting related Requirements: Number of Requirements
Information Security | 3 / 14 | 0 / 2 | TBD / 122 | TBD / 82 | 1 / 1
IT operations | 0 / 1 | 0 / 0 | 0 / 7 | 0 / 6 | 0 / 0
IT services outsourcing | 0 / 9 | 0 / 1 | 0 / 13 | 0 / 1 | 0 / 7
Cyber frauds | 0 / 3 | 0 / 1 | 1 / 13 | 1 / 6 | 1 / 3
Business Continuity Planning | 0 / 20 | 1 / 1 | 0 / 8 | 0 / 3 | 2 / 2
Total | 3 / 47 | 1 / 5 | TBD / 163 | TBD / 98 | 4 / 13
Overall compliance levels are quite high…
23. ITSMG – Vision
Best in Class IT Department in the Industry
• Best Project Award in India: Corporate & Business Innovation: ING Inwards – PCM Product
• Top 50 Award: Excellence in Marketing & IT Banking Portal
• Best Internet Banking Portal in Asia: ING Converge
• BI Masterminds, 2012 Top 10 BI Implementations: SAP BO Implementation