Information technology accounts for two of the Top 10 Operational Risks for 2016 identified by risk.net, which interviewed chief risk officers, heads of operational risk and other operational risk practitioners at financial services firms, banks, insurers and asset managers in global markets during December 2015.
Based on the operational risk concerns most frequently selected by those practitioners, the internet publication presented its ranking of the Top 10 Operational Risks for 2016 as follows:
* Cyber risk;
* Conduct risk;
* Regulation;
* Anti-money laundering, counterterrorism financing and sanctions compliance;
* Organisational change;
* Outsourcing;
* Recruitment and retention;
* IT failure;
* Terrorism; and
* Regulator fines.
Information technology – its misuse and its potential to fail – accounts for two of these: cyber risk, ranked in position one, and IT failure, ranked in position eight.
Published by Incisive Risk Information, winner of the coveted AOP Digital Publisher of the Year 2010 and 2013, risk.net acknowledged that IT failure and cyber risk draw attention to the drawbacks of technology – something clearly viewed as a double-edged sword by some operational risk practitioners.
“Whizzy, turbo-charged systems that automate processes from beginning to end are every chief technology officer’s dream, but firms say the reality is often very different. Instead, they face a patchwork of disjointed and sometimes incompatible systems that require a heavy dose of manual intervention. An overdependence on these systems and a failure to plan for outages can leave firms in trouble when things go wrong,” it wrote in its editorial.
It also suggested that, “to mitigate the risks posed by IT breakdowns, practitioners recommend properly identifying critical applications, ensuring those applications have built-in redundancy, making use of remote backups and – ultimately – upgrading systems that are no longer fit for purpose.”
Locally, a veteran of South Africa’s IT industry has suggested there is another route operational risk practitioners should consider, a suggestion which has the backing of Gartner and King: active software escrow.
Escrow is another word for ‘trust account’ and in the context of intellectual property (IP) means “security in the hands of a trusted third party”.
As an independent and neutral third party, the escrow service provider safeguards the business-critical IP upon which its client organisations absolutely depend – such as the source code of software, important databases and/or industrial designs – by holding verified copies of the material as an escrow deposit.
Under specific circumstances agreed in advance and embodied in an escrow agreement – for instance, failure to perform on the part of the software supplier (for whatever reason: insolvency, hostile buy-out etc.) – the escrow service provider is authorised to release the escrow material to the escrow beneficiary for the purposes of the beneficiary’s business continuity.
The outmoded concept of ‘passive’ escrow simply dealt with storage of escrow material, whereas active escrow importantly ensures that all of the necessary components for business continuity and disaster recovery are included in the deposit, are regularly updated and are confirmed to be in working order. In line with current internationally accepted practice, active escrow meets industry standards, is SAS 70 Type II audited and is compliant with HIPAA, PCI DSS and CoBIT good governance best practice.
A simple analogy is that of the airline life vest. Neither the airline, nor the passenger, nor the supplier of the life vest wants there to be an ‘in the event of an emergency …’, but, if there is an emergency, the life vest must (a) be there – escrow – and (b) be verified and certified, regularly and routinely, to be in working condition as measured against pre-specified criteria – active escrow.
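As an added illustration (not code from the article or from Escrow Europe), the routine verification that distinguishes active from passive escrow can be automated as a set of checks against the agreement’s pre-specified criteria: completeness of the deposit, integrity against the manifest recorded at deposit time, currency of the deposit, and a working-order check. The deposit contents, criteria and the compile-only build check are constructed assumptions.

```python
import hashlib

# Constructed sample deposit (file name -> contents); a real deposit is a source tree
GOOD_DEPOSIT = {
    "src/ledger.py": b"def post(entry):\n    return entry\n",
    "build.sh": b"python -m compileall src\n",
    "README-BUILD.txt": b"Run build.sh with Python 3.\n",
}

# Constructed criteria of the kind an escrow agreement would pre-specify
CRITERIA = {"required": list(GOOD_DEPOSIT), "max_age_days": 90}


def manifest(files):
    """SHA-256 per file: the record of the verified copy taken at deposit time."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_deposit(files, recorded, days_since_deposit, criteria=CRITERIA):
    """Active-escrow checks; returns a list of findings, empty when the deposit passes."""
    findings = []
    # Completeness: every component named in the agreement is present
    for name in criteria["required"]:
        if name not in files:
            findings.append(f"missing: {name}")
    # Integrity: contents still match what was verified when deposited
    for name, digest in manifest(files).items():
        if recorded.get(name) != digest:
            findings.append(f"hash mismatch: {name}")
    # Currency: the deposit has been refreshed within the agreed interval
    if days_since_deposit > criteria["max_age_days"]:
        findings.append("stale deposit")
    # Working order: sources must at least compile (stands in for a full build)
    for name, data in files.items():
        if name.endswith(".py"):
            try:
                compile(data, name, "exec")
            except SyntaxError as exc:
                findings.append(f"does not build: {name} ({exc.msg})")
    return findings


if __name__ == "__main__":
    recorded = manifest(GOOD_DEPOSIT)
    print(verify_deposit(GOOD_DEPOSIT, recorded, 28))  # prints []
```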
“Today, all companies – be they large or small – rely on mission-critical information technology – primarily, software products that are core to their business. In other words their business processes are dependent on software products which they do not own but use under license from third parties, and, therefore are subject to conditions or events beyond their control,” explains Escrow Europe MD, Andrew Stekhoven.
“This reliance on third party licensed software may not appear to present a problem, but companies who want to continue to use software vital to their business that needs maintenance and support from the software vendor would most certainly be affected by an unforeseen development impacting on the wellbeing of that software vendor’s business.
“Vendor insolvency, a change of ownership or a new strategic priority (for example, discontinuation of support and maintenance) could leave the software user stranded and the knock-on impact would potentially have an extremely serious, possibly catastrophic, impact on the financial and business health of the software end user’s business.
“And, unfortunately, this risk is also excluded from Directors & Officers (D&O) and loss of profit/business interruption insurance policies.
“To manage the risk of a business’s absolute dependence on a software supplier, active software escrow provides the business with guaranteed access to the source code material for its mission-critical systems and is the most cost-effective and efficient solution for managing the multifaceted risks and due diligence obligations facing directors.
The business case for active escrow is excellent considering, for example:
* The value of the business processes and revenue streams that are dependent upon the software concerned;
* The value of the investments that have been made in the software product, implementation project, training, support and maintenance etc; and
* The magnitude of reputational, consequential and other damage in the event of business disruption due to mission critical IT systems failure.
“Not only does active escrow provide a safety net that allows your company to hit the ground running if the worst happens, but it can also be employed by software vendors as a competitive advantage to win customers and get one step ahead of their competition. Assuring customers about the stability of applications and therefore providing good risk governance helps retain existing business and close new deals,” Stekhoven says.
Escrow Europe was originally founded as a neutral and independent escrow service provider in Amsterdam in 1989 and established a number of affiliate operations worldwide, including the operation in South Africa. Today, Escrow Europe (Pty) Limited is proudly South African and an independent provider of quality certified escrow services in its own right.
It is South Africa’s longest-established provider of active software escrow services, while Stekhoven is the author of various guides for South African directors and officers, such as the IOD guide to active software escrow and the international COBIT article on the role of active escrow. The company has achieved the ISO 9001:2008 quality certification standard – the standard against which professional escrow service providers, local and international, are measured.