Embedding Digital Trust in Fintech: Seven Practical Steps

Author: Donald Tse, CISA, CISM, CDPSE, CPA
Published: 11 March 2022

There has long been debate about whether innovation and risk management can coexist. For some digital pioneers, risk and compliance are synonymous with being a roadblock to innovation. For some risk managers, introducing innovative change feels like flying blind, while focusing on ensuring that cyber and technology risk elements are properly addressed is like a speedometer steering the safe and secure delivery of a digital financial product.

This is especially true in fintech. In recent years the fintech industry has attracted a great deal of attention, including the surge in virtual banks. These virtual banks are innovative, but because they have no physical branches, any cyberattack or system instability can have a greater impact on their technology-driven business models.

There are seven practical steps for embedding cyber and tech risk practices into the digital products while facilitating innovation:

  1. Understand the environment: An organization should know what value is being delivered to its customers. This includes a thorough understanding of the business proposition and product features, the relevant regulatory requirements and how technology is used in delivering the digital product. At the end of the day, the nonfinancial risk associated with a business activity comes from the process, the people and the technology. An innovative product usually has unique features compared with its conventional counterpart, ranging from its features and delivery channel to the emerging technology used. Capturing these details in a one-page product program provides a bird's-eye view of the target customer segment, the technology and operating model, the regulatory requirements and the potential risk arising from the innovation.
  2. Establish senior management support: Whether in a fintech or a traditional financial institution, risk management is a top-down activity stemming from the risk appetite set by the board of directors, followed by the leadership of the senior management team and executed by risk managers and process owners in accordance with their roles and responsibilities. A strong governance model steers the innovative digital delivery against the headwind of the uncertainties and risk arising from innovation. This typically includes board-level endorsement of the risk frameworks and risk appetite statements, ongoing management reporting and challenge from board members. Setting the tone at the top is critical for every risk management program.
  3. Develop clear guiding principles: Every innovation comes in a different form; however, a new risk type is not introduced with every form. That said, the principle-based approach to managing cybersecurity and technology risk will continue to be suitable for digital innovation. Risk managers should reference existing internationally recognized frameworks such as COBIT and the US National Institute of Standards and Technology (NIST) Risk Management Framework Special Publication 800-53. Risk managers should select suitable frameworks, adapt them to fit the organization's environment and obtain senior management's endorsement. With these frameworks as part of the innovation process, the key guiding principles can be translated into a concise control checklist of mandatory controls and desirable controls. Mandatory controls, such as customer data protection, should never be compromised, whereas desirable controls align with industry best practices.
  4. Leverage the regulatory environment: Not all fintech institutions dislike regulation. There are progressive regulatory reforms that support innovation in the financial industry. Although some of the regulations may have been published more than a decade ago, financial regulators have continuously provided additional guidance to support financial institutions, both traditional institutions and fintech companies, in driving innovation and raising cybersecurity maturity. Many financial regulators, such as the UK Financial Conduct Authority, the Monetary Authority of Singapore and the Hong Kong Monetary Authority, provide a regulatory sandbox that allows fintech start-ups to conduct live experiments in a controlled environment under the regulator's supervision. Given the smaller population in the sandbox environment, certain controls could be relaxed (e.g., some downtime is more acceptable).
  5. Adopt an agile way of working: The agile delivery methodology allows iterative enhancements to be made to an innovative concept based on a working product in each sprint cycle. This model follows the spirit of innovation: start small and fail fast, so that the product can be delivered quickly. The agile way of working does not stop at technology delivery but encompasses all processes such as operations, compliance and, of course, cybersecurity. An agile cybersecurity practice includes alignment of the security patching schedule and the review of security configurations. Cybersecurity and technology controls should also be integrated continuously to ensure an innovative digital product with optimized performance, resilience and security.
  6. Perform continuous risk and control assessment: The fintech environment, including virtual banks, is more dynamic, so assessments should be conducted more regularly to detect any control breaks, aligned to the delivery phases. Mandatory and desirable controls may change across delivery phases. For example, in the early delivery phase in a sandbox environment, rainy-day controls such as disaster recovery could be considered desirable controls, whereas all customer data protection controls, including data encryption, are mandatory regardless of the situation. When risk managers assess the product for release to the public, the resilience controls become more important and are considered mandatory.
  7. Cultivate a risk-aware culture: A strong governance model supported by a suitable risk framework and risk tooling permeates the risk language across a fintech organization. Something as simple as clicking on a phishing email or answering a social engineering call could compromise confidential data. Cultivating a risk-aware culture includes simulations such as red teaming, interactive training and staff performance rewards. Ultimately, risk management is everyone's responsibility.

Exploring the fine line between digital innovation and managing its associated risks requires the hands of a craftsman. There is no one-size-fits-all approach to risk management, as it requires a thorough understanding of the business and operating model, the technology used and the people involved. Only with a fit-for-purpose risk management model can the innovation DNA in an organization be unleashed to deliver safe and secure digital products.

Editor's note: For further insights on this topic, read Donald Tse's recent Journal article, "Cybersecurity and Technology Risk in Virtual Banking," ISACA Journal, vol. 1, 2022.
