One of the most common examination findings recently (particularly with the FDIC) has been the lack of an IT Strategic Plan. I’m not sure why the focus lately (perhaps the shift from the CAMELS “A” to the “M”?), but the concept is certainly not new. The regulatory mandate for it is found in the 2004 FFIEC Management Handbook:
“The Board of Directors and management should* implement an IT planning process that:
- Aligns IT with the corporate wide strategic plan;
- Aligns IT strategically and operationally with business units;
- Maintains an IT infrastructure to support current and planned business operations;
- Integrates IT spending into the budgeting process and weighs direct and indirect benefits against the total cost of ownership of the technology; and
- Ensures the identification and assessment of risk before changes or new investment in technology.”
The first requirement of an effective IT planning process is alignment with the overall strategic plan, yet whenever I ask a group of financial professionals how many have seen their own strategic plan, very few hands go up. I get more hands in a group of senior management than in a group of network administrators, which seems to make sense except for one thing: the administrators are the ones actually maintaining the IT infrastructure (#3 above). So the very folks tasked with making sure the infrastructure is aligned with the overall strategic plan probably haven’t even seen it!
This is the real disconnect from my perspective. Although you can develop an IT Strategic Plan from a template fairly quickly using standardized verbiage, integrating it into the overall plan, and then executing it, is much trickier. It should be a live document, linking the overall Strategic Plan with IT projects and issues through the IT Steering Committee. In fact, the FFIEC even suggests that the IT Steering Committee is the ideal forum for this, stating that the committee:
“…may also oversee the development and maintenance of the IT strategic plan.”
“The information technology steering committee’s cross-functional membership makes it well suited for balancing or aligning the organization’s IT investment with its strategic and operational objectives.”
So the Management Handbook strongly suggests that IT steering is the best forum, and that everyone from the Board of Directors, to IT line management, to business unit management should participate. But this brings us back to the dilemma I mentioned above: IT line management (and most business unit management, for that matter) is rarely familiar enough with the overall strategic plan to bring about alignment effectively. This brings us to the “how”:
- Step 1 – Senior management must communicate the mission.
- Step 2 – Ensure that the IT Committee is tasked with implementing that mission by making sure all IT initiatives support and enhance the mission’s goals and objectives.
- Step 3 – Most importantly, make sure the committee has the tools and expertise necessary to effectively monitor, gather, analyze and report the data that will document the entire process. Because in the end…
“…institutions that are better at keeping IT aligned with changing business goals and objectives are positioned to compete more effectively.”
*In FFIEC-speak, “should” really translates to “must”.