I.B.6 Planning IT Operations and Investment
Financial institution boards should oversee, while senior management should implement, an IT planning process with the following elements:
- Long-term goals and the allocation of IT resources to achieve them, usually within a three- to five-year horizon.
- Alignment of the IT strategic plan with the enterprise-wide business plan.
- Identification and measurement of risk before changes or new investment in technology are made.
- An IT infrastructure to support current and planned business operations.
- Integration of IT spending into the budgeting process and weighing of direct and indirect benefits against the total cost of ownership of the technology.
Planning involves preparing for future activities by defining goals and the strategies used to achieve them. Future activities may include releasing a new product or service, planning mergers and acquisitions, or preparing for the end of service for an IT system. IT is an integral part of financial institution operations. Therefore, institution management should integrate consideration of IT resources and investments into the overall business planning process. Major investments in IT resources have long-term implications on both the delivery and performance of an institution's products and services.
Plans may vary significantly depending on institutions' size and structure. Management should strive to achieve a planning process that constantly adjusts for new risks or opportunities and maximizes IT's value. Management should document its plan; a written plan, however, does not guarantee an effective planning process. Management should measure the effectiveness of a specific plan by whether the plan meets the institution's business needs. A sound plan should involve the board of directors, senior management, and staff in the planning process. The board of directors should provide a credible challenge to management when the board reviews and approves the plan. Senior management participates in formulating and implementing the plan. The individual departments and functional areas identify specific business needs and, ultimately, implement the plan.
An institution that uses third-party providers should verify that the provider can continue to support the institution's plans and that the plans and actions of the provider do not negatively impact the institution. As part of the institution's ongoing monitoring process, management should participate in third-party provider client user groups. Institution management should also consider a review of client portals, news articles, provider newsletters, and press releases to maintain awareness of provider activities, changes in strategy and products, future plans, and potential or actual service or security issues.
I.B.6(a) Strategic IT Planning
Strategic IT planning should address long-term goals and the allocation of IT resources to achieve them. Strategic IT planning focuses on a three- to five-year horizon and helps ensure that the institution's technology plans are consistent and aligned with the institution's business plan. Effective strategic IT planning can ensure delivery of IT services that balance cost and efficiency, while enabling the business units to meet the competitive demands of the marketplace. The IT strategic plan should address the budget, periodic board reporting, and the status of risk management controls.
Tactical plans support the larger IT strategic plan by defining specific steps necessary to fulfill it. Tactical plans outline specific steps, personnel, tools, and timetables to achieve the goals laid out in the IT strategic plan, typically using a one-year time frame. These tactical plans typically address hardware and software architecture, end-user computing resources, and processing done by third-party providers. These plans are often created by mid-level managers.
The operational IT plan is used to achieve the goals and objectives of both the tactical plans and the larger strategic plan. It provides the detailed information to perform the tasks needed to implement the tactical plans of an institution. The operational IT plan includes the milestones and tasks that must be undertaken, the individuals who have responsibility for each milestone and task, the timelines in which they must be completed, the conditions for success, and the financial resources necessary to complete each milestone and task. Operational plans should flow logically from both the tactical plans and the larger IT strategic plan. Front-line management typically creates and revises operational plans as needed based on changes in the underlying business needs.
Strategic IT planning should consider a number of factors:
- Marketplace conditions.
- Customer demographics.
- Institution growth targets.
- Mergers and acquisitions.
- Technology standards.
- Regulatory requirements (e.g., privacy, security, consumer disclosures, and other reporting requirements).
- Cost containment.
- Process improvement and efficiency gains.
- Customer service and technology performance quality.
- Third-party relationship opportunities versus in-house expertise.
- Optimal infrastructure, including systems and software replacement.
- Ability to adopt and integrate new technology.
These factors should align with the institution's business plans. Well-implemented IT plans enable the institution to deliver business value in terms of market share, earnings, and capital growth. If used, the IT steering committee's cross-functional membership makes the committee well-suited for balancing or aligning the institution's IT investment with its strategic objectives. Typically, institutions that align IT with changing business goals and objectives have more effective operations.
Technology expenditures should be commensurate with the financial condition of the institution. They should also be appropriate to meet the changing IT strategy, provide enterprise-wide value, support necessary growth, ensure appropriate security and business resilience, and mitigate technology incompatibilities. For example, delaying investments and spending too conservatively on infrastructure or new products may lead to ineffective operations and service levels. Without a full understanding of the available technology, the institution is not able to update processes and products or achieve productivity gains or increased revenues. To create the appropriate balance, institutions should link strategic and operational plans between IT and the business units.
Management should address the following four key factors of IT planning:
- Senior management participation: Senior management should understand and support the IT strategic plan and established priorities.
- Role of IT: Management should clarify the role of IT and determine whether the current IT planning process enables personnel to work toward achieving enterprise-wide goals and objectives.
- Impact of IT infrastructure: Management or the IT steering committee should understand the relationship between the IT infrastructure and applications and the business strategic and operating plans. The IT infrastructure should directly support the goals and objectives of these plans.
- Accurate scorecard on past performance: Management or the IT steering committee should monitor past IT projects and initiatives after implementation to determine whether the institution realized the anticipated costs and benefits. The scorecard should be based on a set of objective measures.
Management should also create and maintain an alignment between IT and enterprise-wide strategies by performing the following:
- Reviewing whether IT strategic plans are aligned with the business strategy.
- Reviewing whether IT performance supports the planned strategy.
- Ensuring that the IT department is delivering on time, within budget, and to specification.
- Balancing investments between systems that support current operations and systems that transform operations and enable business units to grow and compete in new areas.
- Focusing IT resource decisions on specific business objectives, such as entry into new markets, enhanced competitive position, revenue growth, improved customer satisfaction, or customer retention.
I.B.6(b) IT Resources
Management should provide IT resources that are adequate to meet the current operational needs of the institution. Operational planning should consider the impact of any changes on critical business processes. Business processes are the integration of people, technology, and procedures used to accomplish a task or complete a transaction. Changes in business processes should be coordinated and aligned with available IT resources. IT resources include the following elements:
- Infrastructure: Power, telecommunications capacity, network architecture, and facilities.
- Hardware: Mainframes, network servers, personal computers, communications networks, mobile devices, storage devices, and peripherals.
- Operating software: Operating systems, compilers, and utilities designed to enable the equipment and applications software to function effectively, both internally and externally.
- Application software: Programs designed to permit application users to perform a specific task or function. Application software runs on top of operating system software.
- Personnel: Staff and training programs.
Management should consider sufficient capacity for current and future needs for each of these elements.
Budgeting is another step in the operational planning process. The board should assess management's plans and its success in defining and meeting budgetary goals as one means of evaluating management's performance. The budget is a coordinated financial plan used to estimate and control the institution's activities. By assessing future economic developments and conditions, management creates an action plan and records changes in the balance sheet accounts and profitability (predicated on implementation of the plan). The budget not only projects expected results, but also serves as an important check on management.
When considering new IT projects, management should look at the entry costs of the technology and the post-implementation support costs. Increasingly, institutions are demanding, and third-party providers are providing, information regarding the total cost of ownership (TCO) beyond initial entry costs. IT projects often have undocumented costs, including the resources required to configure, maintain, repair, support, upgrade, and manage the technology over its lifetime. Readily available TCO models, as well as historical data, provide management with tools to incorporate such costs into the selection and budgeting process.
Some institutions budget IT as a separate department. A financial analysis of an IT department should include a comparison of the cost-effectiveness of the in-house operation versus contracting with a third-party provider. The analysis may also include a peer group comparison of operating costs and ratios. Depending on its size and complexity, the institution may allocate costs to the institution's lines of business. When cost allocation is used, management should ensure equitable assignment of the costs to each line of business. Equitable assignment of the costs is often accomplished by use of a chargeback system that records usage of resources based on a performance metric such as central processing unit cycles.
In some instances, a separate subsidiary of the holding company manages the IT function. An IT subsidiary can provide essential services at costs below those of third-party providers or individual institutions. Some relationships, however, may not result in a cost savings. Any transaction between the institution and its affiliates must comply with applicable laws and regulations. Sections 23A and 23B of the Federal Reserve Act, codified at 12 USC 371c and 12 USC 371c-1, govern transactions between certain financial institutions, such as Federal Reserve member banks, national banks, and federal savings associations, and the institutions' affiliates. Specifically, section 23B(a) states that an institution and its subsidiaries may engage in certain transactions with an affiliate, including the payment of money or the furnishing of services to an affiliate under contract, lease, or otherwise. The transactions must be on terms and under circumstances, including credit standards, that are substantially the same, or at least as favorable to such institution, as those prevailing at the time for comparable transactions with or involving other nonaffiliated companies. In the absence of comparable transactions, the statute requires that such transactions be on terms and under circumstances, including credit standards, that in good faith would be offered to, or would apply to, nonaffiliated companies. See 12 USC 371c-1(a). Refer to the IT Handbook's "Outsourcing Technology Services" booklet for more information.