Other parts of this series:
The advantages of cloud technologies are widely recognized, offering enhanced productivity, agility, resilience, and innovation. Despite these benefits, the Financial Services industry lags behind other sectors in adopting cloud technology. According to our Cloud Rotation Index study, only 15% of banks’ workloads had been migrated to the cloud by the end of 2022. The “elephant in the room” is often the core banking system. While many banks have quickly moved their surrounding systems to the cloud, this is usually not the case for core banking. These systems hold the largest processing volumes and the most critical workloads.
On one hand, modernizing core banking systems is perceived as a complex, multifaceted, and expensive journey. It demands significant time and effort, poses a risk to business continuity, and could delay other business growth initiatives. What’s more, while boards are imposing shorter timeframes for realizing the targeted returns on investment, traditional approaches to core banking modernization do not deliver immediate, directly traceable benefits but require time and acting on components beyond core banking to fully play out. On the other hand, CIOs are struggling to make a sound case for change with clear tangible value. This makes many banks hesitant to start modernizing core banking systems.
In my previous blog, I explored how banks could approach core banking modernization through interoperability and composability, using the ecosystem, and utilizing AI and cloud technologies to minimize risks, enhance efficiencies and ensure quick wins and timely business outcomes.
In this blog, I’ll delve into how to build a strong business case for core modernization, making its value tangible. I’ll cover how to assess the current situation, engage key stakeholders in the modernization initiative, and secure internal buy-in.
Risk management in core banking modernization: mitigating IT risks
The value of core banking modernization, which drives the case for change, stems from its potential to boost economic value through business growth, efficiency, and productivity, while also mitigating IT risks. Assessing the economic value in the business case can be complex. It requires participation from various Lines of Business (LoB), and the outcomes are influenced by factors beyond core banking. However, these challenges are typically manageable. The real difficulty lies in crafting a compelling business case that compensates the inherent risks of the program, the required investments and focus, potential delays in other business growth initiatives, and outcomes that might not be immediately apparent.
Introducing IT risk into the equation plays a critical role. The complexity of legacy platforms, characterized by multiple architectures layered, numerous software and technologies, and extensive customization, along with the exponential growth in processing volumes, creates a perfect storm for maintainability, upgrades, and production operations. This leads to significant challenges in resilience and business continuity.
Considering the obsolescence of software and hardware, the fading expertise in critical software, the scarcity of legacy technology resources, and the outdated operating models, it’s clear why authorities and regulators are increasingly focusing on resilience requirements e.g., EU: DORA; UK: ORP, PS21/3; US: NYDFS 23, NYCRR 500, FFIEC, GLBA; Singapore: TRMG; Australia: CPS 234, CRG; Hong Kong: CFI.
By adding the often-underestimated element of non-financial risk and compliance to economic value, the decision to modernize core banking systems becomes a no-brainer decision.
Quantifying IT risks: Legacy systems vs. modern core
To fully appreciate the value of core modernization, banks need to quantify the risks associated with maintaining their legacy core systems versus migrating to a modern core. A significant challenge lies in defining a comprehensive and quantified set of Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs). Without these, IT risk is unlikely to be sufficiently considered in the business case, and the true impact of modernization will be underestimated.
IT risk can be broken down into four key areas:
-
- Business continuity
- Security
- Reputation
- Compliance
The primary latent risks that are often overlooked or downplayed when developing a business case for core modernization include:
-
- Technical debt and right availability: The health, obsolescence level, and complexity of the bank’s technology stack, and its ability to meet business recovery services (BRS) and disaster recovery (DR) according to business service criticality and risk appetite.
-
- Strategy: Inadequate definition, deployment, or governance of the business strategy.
-
- Design and development: Errors in decision-making, design, and construction of IT solutions.
-
- Transition to production: Errors in the deployment of solutions.
-
- Decommissioning: Lack of clear standards and focus on decommissioning technology.
-
- IT operations: Inadequate capacity affecting processes, monitoring, and the frequency, severity, and duration of incidents and outages.
-
- Back-office operations: Inability to support optimized operations.
-
- Logical security: Inadequate protection of systems and data.
-
- Third parties: Vendor lock-in, dependencies, and inherited vulnerabilities.
Redefining IT Risk: A strategic imperative
Often, IT risk is viewed as the responsibility of the CIO and the Chief Risk Officer. It’s a specialized, technical area that many directors and business executives are not familiar with. As a result, business executives often underestimate the relevance and potential impact of IT risk on business operations and see investments in maintaining IT health as non-productive.
An effective strategy is to translate IT risks for each business service or capability within each Line of Business (LoB) by assigning a specific risk rating with clear and tangible potential impacts. In the highly regulated financial services sector, this approach generates a common understanding of the actual risk and compliance landscape and its potential business impacts across the organization. This strategy transforms the interaction between business and IT functions and fosters shared ownership of risk mitigation needs. Moreover, the benefits of this approach extend beyond core banking and risk management.
Banks today are more dependent than ever on a strong and flexible digital core banking system. As technology continues to evolve—most recently with the rapid emergence of generative AI—this dependence will only increase. Any business case that fails to recognize IT risk mitigation as one of the most important benefits of core modernization misses this vital point. Banks that are intent on driving towards business efficiency and agility through their modernization journey can create a positive cycle by developing a stronger, more secure and resilient IT estate, which in turn speeds up the delivery of new business value.
To learn more about how to create and syndicate a solid core banking modernization case for change contact me here – I would be happy to share our experiences of making transformation work.