COBIT Case Study: Banco Supervielle S.A. Implements COBIT as It Pursues Expansion 

 


Abstract

Banco Supervielle S.A. has grown considerably and steadily in the last 15 years, and is now one of the main private banks of the Argentine Republic. To further this expansion, the directors of the enterprise have focused on improving technology services administration, specifically by implementing a master plan providing for the governance of information technology (IT).

The enterprise learned about COBIT through the ISACA Buenos Aires Chapter and decided to adopt it as its framework for governing IT. COBIT was developed by ISACA, is continually updated and is available as a free download from www.isaca.org/cobit.

Background

Banco Supervielle S.A., founded in 1887, is one of the main private banks of the Argentine Republic. At present, it is mainly focused on banking and financial services targeted to individuals and small and medium-sized companies. Its banking network includes 103 branches, 66 service centers and 270 automated teller machines (ATMs) located in the main provinces of the country.

Among private-sector banks in Argentina, Banco Supervielle is ranked eleventh in terms of deposits and twelfth in terms of total assets and loans. Among national capital private banking groups, the bank is ranked sixth in terms of deposits and seventh in terms of total assets and total loans.

By virtue of its strategy, which is aimed at increasing its market share in the Argentine banking and financial services sector, Banco Supervielle S.A. has achieved sustained organic growth.

In recent years, the board of Banco Supervielle S.A. began work on a plan to improve IT-business alignment and its added-value services, and to administer risks and resources effectively. It has also been working on the sustained improvement of its corporate governance, which includes both technology administration and its role within the enterprise.

Process

In 2009, the bank launched an IT governance project, in which the chief executive officer (CEO) was the sponsor and the chief information officer (CIO) and his managers were the leaders.

This project stemmed from key issues such as the improvement of strategy-business alignment; the need for a common language that both IT and business areas could interpret, manage, improve and understand, in terms of fulfilling internal controls and being aware of each person’s role within IT processes; and compliance with all regulations set by the different controlling agencies governing the bank’s activity—most important, the Central Bank of the Argentine Republic.

Based on the needs of the enterprise, COBIT was seen as the best reference framework to use as a guideline.

As its first task and initial scoring exercise, the bank measured the maturity level of current processes. Using COBIT, additional good practices (ITIL, International Organization for Standardization, Instituto Argentino de Normalización y Certificación, etc.) and local norms, the current maturity levels were identified successfully. Forms were utilized, and all results were summarized for proper understanding. In turn, once the current level was understood, the expected maturity level; estimated time to achieve that level; and short-, medium- and long-term goals were discussed by the board and top managers.

Banco Supervielle S.A. utilized COBIT in the following ways:

  • Training—Training and awareness of internal controls, the framework and best practices were the first tasks. Aided by the local ISACA chapter, all system and technology managers and reports, including the areas of information security, system development and maintenance, IT risks and business continuity, project administration, testing, quality assurance, and process and technology infrastructure, received COBIT training.
  • Redefinition of IT internal processes—After the processes in the bank’s IT process life cycle were grouped, they were aligned with those in COBIT. It was found that certain processes depended on the current maturity level and that their updating would require greater investments and longer terms.
  • Redefinition of roles, responsibilities and new tasks—With the purpose of ensuring the achievement of the different initiatives and the fulfillment of the project goals, the project control area was strengthened and the IT risk administration and business continuity (IT risk governance) area was established.
  • Control dashboard—A series of indicators based on COBIT’s main metrics was developed with the purpose of measuring the fulfillment of the main control activities. Such metrics have their own implementation plan, which proceeds gradually and depends on the urgency of the process to be measured.
  • Risk analysis—The inclusion of IT risk administration has played a key role. The methodology and administration of risks were improved based on the Risk IT framework and others. In each process, the bank utilizes the annual IT risk administration cycle and the main control points framed within COBIT, and the analysis of risk is used to identify and mitigate risks and to ensure alignment with the IT governance framework.

Conclusion

Using COBIT’s control objectives and processes allowed Banco Supervielle S.A. to trace a road map to better achieve the enterprise’s desired maturity level. Several initiatives are underway, and business continuity has been improving. Management is confident that implementing the COBIT framework will enable the bank to achieve its objective of growth.