The Center for Information Systems Research (CISR), part of the MIT Sloan School of Management, recently unveiled its landmark study The Future of the CIO, on the present and future roles of CIOs worldwide.
The report traced the evolution of the CIO's role as it changed from one that is primarily focused on maintaining IT services, to one that carries out a broad range of activities. The CISR pointed out that the CIO now has to work with external partners and customers, take part in the strategic management of the business and even handle non-IT tasks like sourcing and human resources.
Credit Suisse's Divyesh Vithlani, regional IT chief operating officer and head of IT in Singapore, exemplifies the evolution the CISR study describes.
When he first joined the bank in 1998, he managed the introduction of the Euro currency within Credit Suisse's operations in the Asia Pacific region. He then moved to preparing the bank for Y2K. He was also involved in completing the bank's shared services IT functions.
Today Vithlani is also the regional IT head for the bank's outsourcing strategy called centers of excellence (COE) in the Asia Pacific. He set up the bank's first COE in Singapore. "On the business management side, I am responsible for the regional IT financial performance manage process, quality, methodology policies as well as operational excellence, strategy and governance," says Vithlani.
He is also the head of IT in Credit Suisse Singapore where he oversees client and regulatory relationships, audit, control and operations.
The Excellence of Execution
In the early 2000s, Credit Suisse, like other banks, experimented with the traditional outsourcing model. "We have aspects of development work that you'd specify and a third party would be asked to essentially develop the code base and provide that with a view that we would then deploy the work," explains Vithlani.
While the model was more suitable for low-risk functions, the bank felt that it needed a strategy that enables all areas of the bank to participate in offshoring and outsourcing. "The bank was moving forward pretty fast with new products and requirements coming online as well as changing priorities and market needs," he says.
The resulting plan entailed leveraging the benefits that outsourcing provides, namely the bank's ability to tap into the global talent pool at the right price while staying competitive.
The COE was set up to "supplement cost-effective talent that not only supports the businesses in Singapore but to start supporting functions across the bank globally," says Vithlani.
Typically, COEs are created as many outsourcing companies locate in one area, taking advantage of available infrastructure, location advantages (cost of living or available real estate) or of ready talent pools, comments Michael Araneta, a senior manager in IDC.
"The underlying characteristic of the centers of excellence concept is that of efficiencies--where there is significant outsourcing expertise in one area, the better these outsourcing companies become and hopefully, the more cost-effective their services will be," says Araneta.
The banks' approach to COEs varies from centers formed by groups of outsourcing companies to captive units based in the centers. With captive units, the banks "can keep a lot of their development in-house (a key concern since banks would like to keep technology innovation as a competitive advantage) but still take advantage of the benefits of these offshore locations," adds Araneta, which is what Credit Suisse has accomplished with its four COEs.
Through the COEs, the bank's objective is to leverage talent pools across the world. The bank looks at the capabilities and talent available before deciding the direction of the work by the centers.
"We look at creating either front-to-back competencies that might have a business function, the middle office function and an IT function, or we might decide that we're going to converge a particular technology process like testing or QA in one particular area," says Vithlani.
"We have work that is being done to support our investment banking business in terms of IT development, support, testing, we have work for our private bank division, we have work for the asset management division and we're also supporting every single area of shared services," he explains.
Working in the Hot Zone
As the head of IT, Vithlani handles information security, ensuring compliance with policies and external audit requirements. The role does not come any easier because in terms of information security, the financial services industry is a hot zone for attacks.
Key to combating these issues is the constant improvement of Credit Suisse's security methods. "We're constantly looking at what we can do in terms of improving our strategy, consolidating it with the business strategy, in terms of risk management negation, education, awareness, policy, protection, enforcement, measurement," says Vithlani.
In the area of protection and enforcement, Credit Suisse is setting up an IT investigation team focusing on digital forensic practice, in order to establish a global management of e-crime as well as e-fraud threats and events. The team would analyze and perform root cause analysis on any issues that may take place and provide mitigating responses.
With the ongoing One Bank technology platform integration strategy, Credit Suisse is consolidating a global integrated framework that includes performance measurement around risk, audit, compliance, disaster recovery and user access.
The Enemy Within
Vithlani feels that the internal threats are just as great as the external threats. What the bank has is a holistic approach towards information security through its range of policies.
While the focus was previously geared towards issues like denial of access, Vithlani is increasingly seeing a shift towards the protection of data. "If you think about it in that context, then there are proactive, reactive and ongoing measures that we need to undertake. The way that we address this point is really by focusing on data as the asset," he adds.
The bank implements stringent policies around access control. Each time an employee leaves the organization, the human resources department starts a process called the exit check list. It passes through the different departments in the bank, where actions are taken to disable access to applications, infrastructure and even buildings.
At the individual level, Vithlani says that the checks are in line with what the bank has for all its employees. "In terms of the individuals signing off the various non-disclosure agreements, regulatory compliance policies, internal compliance policies and data, data protection, ensuring that the access that they have is in line with the access that they need, there's a constant review of access controls that they have and clearly if the third party is not permitted to see certain types of data, then they will never see that anyway," he explains.
"It is a combination of IT risk as well as day-to-day management of providing and safeguarding the controls," concludes Vithlani.