Westpac is aiming to evaluate the risk controls linked to its application portfolio more extensively and regularly in response to evolving expectations, especially from regulators and customers.
Dominant controls officer Jurgen Richter shared at a recent ServiceNow A/NZ Summit that the institution has been utilizing ServiceNow for self-assessments of controls throughout its technology realm for approximately four years.
Self-assessments are a frequent governance, risk, and compliance (GRC) practice. In this instance, it pinpoints hazards linked with vital technology systems and the efficiency of controls deployed to tackle or shield against those hazards from emerging.
Richter mentioned that the intricate technology landscape at Westpac, shaped by mergers and acquisitions, involves “over 1000 applications supporting business operations”.
Despite the bank maintaining a standard set of controls for technology systems, it has historically been limited in the speed of assessing control effectiveness and in the applications covered by assessments.
This led to the assessment of controls related to critical applications, mostly on an annual or biannual basis.
Yet Richter highlighted that evolving anticipations – from regulators, customers, and the business itself – necessitated the capacity to conduct tests more swiftly and broadly across its technology environment and application portfolio.
Around nine months ago, the realization dawned on us that we had to pivot swiftly,” he mentioned.
“So, on our path, we’ve transitioned from a very stationary, manual, retrospective control environment, [and are] shifting more towards real-time, anticipatory monitoring of the environment to feed the business, aiding them in making instantaneous decisions.”
This transition is being driven by the gradual automation of control testing – and the bank has set itself ambitious objectives for the forthcoming years.
“We’ve only just commenced the endeavor to move from conducting these assessments annually or biannually to triggering them more in real-time to offer improved, quicker, broader coverage across the complete technology landscape,” Richter stated.
“Over the following three years, we have a bold strategy to attain 70 percent automation regarding control testing.
“While many banks globally target 30 to 40 percent, we are aiming for 70 percent, demonstrating ambition but achievability.”
The presence of real-time outcomes means there is tangible data available for making judgments about control ratings on diverse applications.
Richter also mentioned that this initiative is aiding an internal restructuring of the bank’s organizational structure.
“Westpac is transitioning from a conventional hierarchical divisional format to what we refer to as value chains, encapsulating end-to-end business processes,” he commented.
“As we embark on this journey, the business expects insight into how technology functions throughout these end-to-end business processes.
“Our automation strategy across controls is pivotal here. Hence, we are utilizing data to connect applications to value chains, offering comprehensive views across their portfolios.”
About Author
