FSCA and PA’s Joint Standard on IT Risk Management: EUC controls we should have in place anyway
In the spirit of Cybersecurity Awareness Month, we draw attention to the Financial Sector Conduct Authority (FSCA) and Prudential Authority (PA)’s draft Joint Standard on Information Technology Risk Management and explain why IT risk management is a good idea – regardless of regulation.
The (mis)use of Excel has resulted in countless horror stories over the years, which have been embarrassing at best and catastrophic at worst. From Public Health England misplacing 16 000 COVID-19 cases to JP Morgan Chase losing more than $6 billion in their London Whale disaster, the impacts of an errant value paste here or careless drag there have resulted in losses, fines and even closure of businesses.
This is not the fault of Excel. As much as the actuarial world dreams of that fully-automated and Excel-free ‘one-click valuation process’, we all know that the last spreadsheet will need to be pried from an actuary’s cold, dead hands. Excel is a revolutionary tool that has many applications. Its user-friendliness, flexibility and pervasiveness have enabled its involvement in everything from household budgeting to the valuations of multinational organisations. Unfortunately, the qualities that make Excel so attractive also make it dangerous. Because it’s so easy to use and manipulate, Excel users have been allowed to run amok – often pushing Excel far beyond its intended limits (we’re looking at you, actuaries) – without the training and controls associated with the systems managed by specialist IT teams.
Of course, knowing how much havoc something like a nested IF function can wreak, it is clear that this lack of control leads to significant model risk. While Excel is the most well-known culprit, this risk exists with all End-User Computing (EUC) applications – IT systems that are built, used and maintained by business users themselves rather than by the IT department. In an actuarial context, actuarial cash flow and liability models, SQL databases and any other system that produces numbers or deals with data would all fall under EUC.
Until now, the extent of controls placed around EUC applications of South African insurers has largely been at the discretion of each organisation, giving rise to risk that may be overlooked and not taken seriously. To make matters worse, there is often a strong resistance to change in terms of adopting controls required to reduce this risk (e.g. version control, documentation and change management). When a user is accustomed to complete freedom, any form of control feels like an imposition and a waste of time.
The FSCA and PA understand this risk and its dynamics and therefore published draft Joint Standard 1 of 2021 on Information Technology Risk Management in June 2021. In their Statement of the need for, intended operation and expected impact of the proposed Joint Standard on information technology risk management, the two authorities recognise that:
The statement goes on to describe the objectives of the Joint Standard:
- “ensure that financial institutions have established a sound and robust IT risk management framework;
- assist financial institutions in integrating technology risk management into their overall management system; and
- ensure that financial institutions have implemented information security controls for the information held on IT systems.”
IT systems, in this context, refer to any hardware, software, network or other IT component found in the business environment, including those classified as EUC applications.
The Joint Standard proposes a risk-based approach, stating that its requirements must be implemented in accordance with the nature, size and complexity of the financial institution. In addition to the operations usually owned by the IT Department (such as backup and access control), the requirements include all the elements of a comprehensive model risk management framework, including:
- Development of appropriate IT policies.
- Identification and assessment of the criticality of IT assets.
- Maintenance of an up-to-date IT asset inventory.
- Establishment of processes and procedures for change management.
- Documentation of critical IT operations and systems (including user documentation and technical system documentation).
- Protection of sensitive or confidential information.
While it is unclear if or when this Joint Standard will be finalised (it has yet to be submitted to Parliament), the requirements it sets out are sensible and have merit regardless of regulation. With so many other risks to worry about and plenty of low-hanging fruit in the implementation of model risk management, a forgotten hard coding should not be the downfall of any insurer.
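As an added illustration (not code from the article or from Insight Life Solutions), a small Python check for the "forgotten hard coding" risk mentioned above: it scans spreadsheet formulas for numeric constants typed directly into a formula rather than referenced from an assumptions cell, and produces an inventory a reviewer can attach to the model's change-control record. The formulas, cell addresses and whitelist below are constructed sample values.

```python
import re

# Constructed sample: cell address -> formula, as they might sit in a liability model.
SAMPLE_FORMULAS = {
    "Sheet1!C5": "=B5*(1+$B$2)^A5",             # rate referenced from an assumptions cell: fine
    "Sheet1!D5": "=B5*1.0375",                   # discount factor typed straight into the formula
    "Sheet1!E5": "=IF(A5>30,0,B5*0.95)",         # two embedded constants (a term cut-off, a haircut)
    "Sheet1!F5": "=SUM(C1:C10)/12",              # months per year: still reported, reviewer decides
    "Sheet1!G5": "=LOG10(B5)+'Assumptions'!B3",  # function name and sheet reference must not be flagged
    "Sheet1!H5": '=TEXT(B5,"0.00")&" 2021"',     # digits inside string literals are not constants
    "Sheet1!I5": "=B5*Lapse_Rate_2021",          # digits inside a named range are not constants
}

# Constants that rarely hide a model assumption; anything else is reported.
IGNORED_CONSTANTS = {"0", "1", "-1", "100"}

_STRING = re.compile(r'"(?:[^"]|"")*"')                     # "text", with "" as escaped quote
_FUNC = re.compile(r"[A-Z][A-Z0-9.]*\(")                     # IF(, SUM(, LOG10(, ...
_CELL_REF = re.compile(                                      # [Sheet!]$A$1 or A1:B10
    r"(?:(?:'[^']+'|[A-Za-z_]\w*)!)?\$?[A-Z]{1,3}\$?\d+(?::\$?[A-Z]{1,3}\$?\d+)?")
_NUMBER = re.compile(r"(?<![\w.])-?\d+(?:\.\d+)?(?:[eE][-+]?\d+)?(?![\w.])")


def hard_coded_constants(formula: str) -> list[str]:
    """Numeric literals typed into a formula, after removing string contents,
    function names and cell references. Order of stripping matters: strings
    first, so digits inside text never reach the number scan."""
    if not formula.startswith("="):
        return []  # a plain value cell is an input, not a constant buried in logic
    body = _STRING.sub("", formula)
    body = _FUNC.sub("", body)
    body = _CELL_REF.sub("", body)
    return [n for n in _NUMBER.findall(body) if n not in IGNORED_CONSTANTS]


def scan(formulas: dict[str, str]) -> dict[str, list[str]]:
    """Inventory of cells carrying hard codings, keyed by cell address."""
    return {cell: found for cell, f in formulas.items()
            if (found := hard_coded_constants(f))}


if __name__ == "__main__":
    for cell, constants in scan(SAMPLE_FORMULAS).items():
        print(f"{cell}: hard-coded {', '.join(constants)}")
```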
The Insight Life Solutions team has extensive experience in designing and implementing EUC management frameworks. Email us at lifesolutions@insight.co.za to discuss steps you can take to de-risk your spreadsheets and other EUC applications.