How to Structure an IT Department at Your Financial Institution
While there are no set rules detailing how your institution must structure its IT department, regulatory guidance includes a discussion of roles, responsibilities and a separation of duties. Typically, required positions within an IT department depend on an institution’s overall approach to IT.
An institution with an in-house approach will require a more complex and personnel-heavy IT department. In contrast, an institution that embraces outsourcing for IT can reduce the complexity and in-house staffing level. Read on for guidance around the roles, associated compliance implications and considerations for determining whether outsourcing is right for your institution.
Determining Your Approach to Structuring Your IT Department
Although regulations speak of roles and structures appropriate to the size and complexity of an institution, asset size is not the only factor to consider when determining which approach to take. To determine the best IT structure, your institution’s senior leadership and board of directors should seek expert opinions and guidance, basing the final decision on how roles will accomplish business objectives and mitigate risks.
Most institutions favor a hybrid model to balance in-house IT resources with outsourced services, such as IT governance services. IT governance—the process used to ensure an institution’s business objectives align with IT and IS strategies—helps institutions achieve greater effectiveness in pursuing their goals. In fact, many institutions embrace an advisory services model for IT governance, as the benefits of this approach include access to experienced industry professionals.
Many IT issues—including scalability, growing attack surfaces for cyber threats, complexities of IT and increasing regulatory burdens—prove challenging for institutions to navigate. These challenges make it even more imperative for institutions to understand how to organize their IT departments and develop a long-term plan to address business objectives and risk, especially as they grow.
For an in-depth look into a risk-based approach to IT governance and how institutions benefit from an advisory services model for IT governance, download our white paper.
Factoring Scale into Your IT Decisions
The FFIEC’s Outsourcing Technology Handbook lists the following among the reasons why management may choose to outsource IT operations:
- Gain operational or financial efficiencies
- Increase management focus on core business functions
- Increase the availability of services
- Refocus limited internal resources on core functions
While the goals listed above are worthwhile, financial institutions must also consider scalability. Outsourcing to a third party is an effective means of achieving scale and leveraging a deep well of knowledge. This approach is a tactical solution or framework to address a real—and common—business problem, as the issue of scale affects institutions of all sizes, complexity and maturity levels.
IT staff must have the knowledge and skill diversity to respond to various technology needs and the depth to recover from or absorb the loss of personnel. But this ideal is difficult and often impractical to accomplish using only in-house staff. Institutions that outsource have an advantage in dealing with these challenges, as working with a third party leads to increased resilience.
However, outsourcing does not eliminate the need to maintain internal support and investment. While an institution may outsource functions like audit, IT support or HR, effective IT requires in-house staff with specialized knowledge and specific skillsets. Institutions may not need a large internal team, but in-house staff should function as a liaison with the provider and handle localized tasks that are often more efficiently accomplished internally.
Examining IT Organization through a Regulatory Lens
With the issuance of the AIO Handbook in 2021, the FFIEC overhauled its previous guidance on operations and expanded the scope of the topic to include architecture, infrastructure and operations, as well as the expanded role of IT. The FFIEC expects regulated institutions to properly align their business requirements with external customers’ expectations, strengthening their IT foundation and developing a service delivery model that removes and discourages siloed operations. The AIO Handbook defines operations as “the performance of activities comprising methods, principles, processes, procedures and services that support business functions.”
The AIO Handbook also details specific governance topics like roles and responsibilities related to operational oversight. Your institution may use different titles than those illustrated within the AIO booklet; however, the responsibilities described should be appropriately assigned. Smaller institutions may find it inefficient and costly to support each of these roles and responsibilities in-house, as many of these roles require significant compensation, and the number of available candidates is often limited.
The scarcity of candidates for some of these roles will impact a wide range of institutions, leading many to embrace IT governance services and leverage industry experts. Your institution may also choose IT governance services due to the amount of activity required for each role. For many institutions, there will not be enough activity to justify a full-time employee for some roles and responsibilities. And positions such as chief information security officer (CISO) or chief information officer (CIO) are increasingly difficult to fill, as candidates are highly sought after and often require generous compensation and benefits packages.
While your institution could choose to have an employee wear multiple hats, the efficiency and competency of this approach could represent a significant obstacle to achieving desired outcomes. Many institutions are better positioned to meet regulatory standards and balance talent costs by outsourcing IT governance. Your institution’s approach to IT governance ultimately depends on its strategic objectives, the complexity of its environment and the scope of services being delivered.
Exploring IT Management Responsibilities within Your IT Department
An institution’s IT management is composed of individuals responsible for overseeing the management, maintenance and use of IT resources. While the titles of these individuals may vary, titles defined in the FFIEC Management Handbook include CIO and chief technology officer (CTO).
Your institution should refrain from simply assigning these titles to people without regard for the distinct, tangible objectives associated with each role. In the traditional sense, a CIO is focused more on the internal management of information and improving internal processes. A CTO is typically an outwardly focused role aiming to leverage technology to improve or innovate products and services that benefit customers or members.
By emphasizing the incorporation of IT in an institution’s strategic business planning, the AIO Handbook indirectly advocates for a better balance between the focus of a CIO and that of a CTO. Many institutions fall short of their objectives and underutilize technology in customer service-related areas and revenue generation due to an overemphasis on the internal focus of the CIO.
The AIO Handbook states that the CIO or CTO may also be responsible for overseeing the architecture function, which involves implementing and maintaining the entity’s infrastructure and managing IT operations in an integrated IT environment. It’s important to note that the AIO Handbook is not necessarily advocating that the CIO or CTO personally take on these roles and responsibilities, but rather that they provide management and oversight of these areas. Even so, this does not supplant the oversight and governance obligations of your institution’s senior leadership and board.
Gaining a Broader Perspective of IT
When addressing these requirements, working with a third-party consultant is likely the most efficient path for smaller community financial institutions. Even larger institutions find it advantageous to engage a consultant or outsource at least some aspect of IT oversight to gain a broader perspective and guard against the disruption that can occur when an individual in a key position departs. An independent resource can also serve as a sounding board for senior leadership and the board on ideas and policies. Most third-party consultants work with institutions of all sizes and in different markets, exposing them to various trends and regulators’ expectations.
Regardless of your institution’s size, IT leaders and senior leadership are commonly confronted with challenges and often lack external confidants to consult for advice and differing perspectives. With IT governance consultants, your institution can consult an entire team of experienced industry experts who will share experiences and offer unbiased analysis.
Choosing an IT Governance Partner
If your institution embraces outsourcing as a foundational approach to the structure of the IT organization, your senior leadership and board must maintain oversight and place an emphasis on vendor management.
While traditional vendor risk management is an important regulatory requirement, the emphasis is on collaboration and leveraging the relationship with outsourced vendors. Your institution must be represented in its vendor relationships by people who understand:
- Your institution’s business objectives, risk appetite and risk tolerance
- The compliance aspects of IT
- The potential and limitations of deployed technologies, and what else is available
- How to exercise strong communication, conflict resolution and negotiation skills
For many institutions, finding all this in one individual could be difficult, or the position could prove expensive to fill. Most institutions find they need multiple individuals and might even outsource part of this role. Regardless of how your institution fulfills this need, it must be addressed with the scope of your needs in mind.
Determining the Structure of Your IT Department
From an IT governance perspective, institutions must ensure the right mix of technology-driven features and services to meet the demands of their target markets. The right structure for an IT department allows in-house IT staff to focus on institutional goals, meet emerging needs, develop an IT roadmap to empower future success and leverage the expertise of IT governance experts.
Find out more about the benefits of IT governance by downloading our white paper.
Steven Ward leads the Strategic Business Consulting Team for CSI Advisory Services. In his role, he sees and analyzes the alignment of IT with business strategy and security needs for financial institutions across the nation. An experienced financial services executive, Steven brings his expertise to CSI clients and regularly speaks on information security, cybersecurity, IT and IT audit and business and IT strategy topics.