“We’re not there yet, but we’re getting there.”
The positive way in which credit unions have embraced technology over the last number of years, as well as the foresight demonstrated in undertaking digital transformation, has been pivotal to their recent growth. Having worked with a number of leading branches in recent years, we have seen firsthand the positive strides taken by the credit union sector as a whole.
In January, the Central Bank of Ireland published a report that was received with concern in many quarters. The report titled “IT Risks in Credit Unions” shines a light, negative at times on some of the IT practices in the nation’s credit unions. In the piece below, the team here at ActionPoint have sieved through the detail to highlight some of the positives contained within while also addressing some of the areas where improvement is needed.
In summarising the report, it might be useful to borrow some messaging from another of the nation’s stalwarts, Irish Rail with their widely recognised slogan of the early 2000s – “We’re not there yet, but we’re getting there.”
Although positive steps have been taken, there’s still a lot to be done.
The report came off the back of a thematic inspection carried across twelve credit unions between June and October of 2017. The inspection was carried out in order to understand the current status of IT management. The work included an assessment of the policies and procedures relating to a number of key areas, including:
- IT Governance and Outsourcing.
- IT Security.
- Business Continuity Management.
There were a lot of positives to be taken from this report. Improvements in credit union IT governance, IT security and general IT awareness were evidenced during this time. While the areas that demonstrated the most improvement included business continuity and penetration testing.
Notwithstanding this, weaknesses in a number of key areas were consistently mentioned throughout.
Risk Management Framework
The report pointed out a need for credit unions to integrate IT risk management into their overall risk management framework. Credit unions must understand and appreciate the importance of the data they process and store. The inspection found little evidence of credit unions monitoring their ongoing risks. Most credit unions had not carried out an independent inventory of IT assets. There was also no evidence of risk assessment being carried out when engaging in cloud storage solutions.
The report highlighted a primary focus on IT in certain areas such as the shares and loans systems, as opposed to a full end-to-end infrastructure.
Awareness and Understanding
Throughout the report, a common theme was the contradiction between awareness and understanding. In all three areas inspected, there seemed to be an awareness of certain policies but a lack of understanding behind the rationale.
A standout example of this was in the area of cybersecurity. Here, there was an awareness of their vulnerabilities but a lack of understanding as to how cyber attacks actually occur.
Over-Reliance on Outside Sources
Overall knowledge and engagement by management varied from being very good to being very dependent on outside sources. This dependence was likely caused by a communication breakdown in regards to responsibility and project ownership.
Many credit unions could not articulate the controls in place with regards to business continuity management. There was also a lack of understanding as to the disaster recovery solutions in place.
An Outdated Mindset
In a lot of cases, the credit unions seemed to harbour an old way of thinking. Some credit unions viewed IT more as an expense instead of seeing it for what it really was – a core enabler of their business.
This mindset could be the lead domino which sets in motion a trail which accounts for the shortfalls in clarity between members, the underappreciation of IT assets and the passing of responsibilities away from upper management.
The report issued by the Central Bank of Ireland has shone a light on some poor practices with regards to certain IT risks. However, we don’t want to dwell on the negatives. We’d rather you reframe it as an opportunity to ask yourself some important questions. “Do you know your risks?”, “Do you have the systems in place to ensure that such risks are sufficiently mitigated?”, “Have all stakeholders bought into your digital transformation plans?” and “Are you future-proofing your business?”.
The answers to these questions can be difficult to find without the help of an experienced and reliable IT partner. With rich experience supporting some of Ireland’s largest credit unions, ActionPoint are on hand to help you find the best solution, turning a potential challenge into an opportunity to transform.
For more information or to get in touch check out the dedicated credit union section on our website.
Article by Vincent Hely, Credit Union Specialist at ActionPoint.
References: For the full Central Bank report click here.