In 2021, the FFIEC issued the Architecture, Infrastructure and Operations (AIO) booklet to replace previous guidance from 2004. This updated title demonstrates the importance of an entity’s architecture, infrastructure and operations as well as the expanded role of IT. This booklet is among many contained in the FFIEC’s IT Handbook and provides a foundation for understanding the principles and practices within the functions of AIO.

This new guidance emphasizes a risk management approach to IT and discusses how oversight and proper management of IT contribute to an institution’s overall safety. To achieve an effective IT environment and align technology and strategic business goals, institutions should follow the principles of the AIO functions. Failure to properly coordinate these principles and practices could open an institution up to operational and reputational risks.

What is the FFIEC’s AIO Booklet?

The AIO booklet explains how separate functions of architecture, infrastructure and operations work together to allow management oversight into an institution’s activities related to developing and managing technology. This framework describes the key components of an institution’s technology and requires board- and senior-level oversight and understanding of all three functions. The key in each of these areas is to ensure an institution’s IT initiatives facilitate the fulfillment of strategic objectives.

• Architecture is the strategic design of the hardware and software infrastructure components, including how such components support business objectives. Planning an effective IT architecture helps institutions implement infrastructure that aligns with strategic goals.
• Infrastructure encompasses the physical elements and services required to provide and maintain ongoing operations to support an institution’s activities. As a subset of infrastructure, IT infrastructure includes hardware, network and telecommunications, software, IT environmental controls (e.g., power, heating, ventilation, etc.) and physical access. Once built and implemented, IT infrastructure can be managed internally or by a third-party service provider as part of operations.
• Operations include the processes and procedures deployed within an IT environment to support business functions, such as ongoing maintenance, monitoring and support for business systems. As a key function, operations help create and deliver business value to internal and external customers. The AIO booklet addresses IT operations through the lens of tactical management and daily delivery of services that support the overall business processes of an institution.

Oversight of Architecture, Infrastructure and Operations

In accordance with the updated AIO booklet, regulators expect boards of directors and senior leadership to have a fundamental understanding of technology and cybersecurity. Board members must have appropriate knowledge of risks to provide a credible challenge to management responsible for AIO functions within an institution.

A credible challenge means being actively engaged by asking thoughtful questions and exercising independent judgement in risk-related issues, not day-to-day business management. Institutions should enable appropriate management training on AIO functions to empower the board to carry out its responsibilities and effectively manage risk.

Management oversight of AIO includes promoting alignment and integration between the functions of each area. Such oversight should also include assessing and updating management’s AIO strategies and plans to reflect the current business conditions and operating environment for continuous improvement.

According to the AIO booklet, senior management should implement and maintain a safe operating environment that supports an institution’s goals and objectives while complying with applicable laws and regulations. Establishing accountability for the administration of the day-to-day functions within an institution falls to management, while the board acts in a supervisory capacity.

To comply with FFIEC guidance, an institution’s management should provide the board with regular reports on AIO functions and activities as well as capture discussions regarding AIO with the board in meeting minutes. Creating processes for monitoring AIO-related issues and associated resolutions will also serve to strengthen compliance with regulatory expectations while minimizing risk.

The Role of Risk within the Architecture, Infrastructure and Operations Booklet

The AIO booklet discusses processes for addressing risk related to designing and implementing an institution’s IT system. While the conventional approach to cyber risk is often dominated by fear, uncertainty and doubt, this often results in poor engagement with senior leadership and boards of directors.

This approach leads many institutions to spend a fortune on a suite of controls to strengthen cybersecurity, but this sets an institution on a path to miscalculation and complacency—especially considering this approach does not account for business objectives or defined risk.

An effective IT governance framework—comprised of processes to ensure an institution’s technology aligns with business objectives—allows institutions to create a business context around IT and cybersecurity. However, achieving this result requires an institution to understand how risk relates to its business model. Each institution has a risk appetite and risk tolerance, and both affect everything from an institution’s budgets and costs to its business processes and desired objectives.

Each of these areas has specific risk factors and underlying supporting technologies with associated risks. Institutions must view IT and cybersecurity in the broader context of potential business impact to determine how possible threats play into the institution’s overall strategy and risk appetite.

As institutions determine the right amount of investment in IT, cybersecurity and compliance, a financially and business-driven approach strengthens risk management and use of resources.

Embracing IT Governance to Satisfy FFIEC AIO Booklet Requirements

Since technology is now viewed as a necessary strategic component of financial services, institutions should proactively ensure technology aligns with their business strategies and goals. To achieve this, many institutions choose to embrace an advisory model for IT governance.

As the IT and cybersecurity landscapes evolve, many financial institutions require a partner to navigate complex requirements. Working with a third-party provider for IT governance offers institution access to industry experts with valuable experience and insight that might be difficult to find otherwise. By embracing IT governance, institutions gain a comprehensive view of their IT, security and compliance initiatives, ensuring these areas do not operate in silos.

Institutions choosing to partner with IT governance consultants must remember that responsibility cannot be outsourced. Whether partnering with a provider for IT governance services or handling it in-house, institutions should identify and evaluate the risks associated with AIO and create policies and procedures to mitigate those risks.

Learn More about IT Governance

The AIO booklet underscores the importance of an institution’s senior leadership and board understanding risk in relation to the AIO functions, as well as how that risk could affect business goals. By extending their focus beyond cybersecurity and compliance to a holistic approach rooted in IT governance, institutions can better articulate business objectives and how technology affects the execution of those objectives.

Download our white paper to learn more about how embracing IT governance benefits financial institutions by ensuring their IT, security and compliance strategies align with business goals.

READ NOW