Scotiabank, known as BNS (Bank of Nova Scotia), is one of the five largest banks in Canada. In existence for more than 178 years and with a presence in more than 50 countries, it has an international network of branches and offices in Latin America, Canada, the US, the Caribbean, Europe, Asia and the Pacific.
At BNS, the COBIT 4.0 implementation project began with an international survey of the bank’s IT department directors to find out whether any of them apply a standard that involves having processes based on COBIT, in any of its versions, on a mandatory basis. As a result, a large number of "Scotiabankers" were found to have ISACA certifications, but no other branches had regulations similar to those in Costa Rica, such as the legislation SUGEF 14-091 approved by the National Counsel to Supervise the Financial System of Costa Rica (SUGEF, in Spanish), nor are any other branches subject to similar guidelines or directives such as those established for banks in Costa Rica in the IT management regulation included in SUGEF 14-09.
SUGEF approved the IT management regulation applicable to all banking and financial entities in the country starting in 2009 and establishing as mandatory implementing the 34 COBIT 4.0 processes and reaching the third level of maturity for each identified COBIT process within three years.
Compliance with these regulations is met through the execution of independent external audits, led by a CISA-certified professional, and framed in the external audit guidelines2 and professional and ethical criteria3 provided by ISACA, applying on a mandatory basis the S7 IT Audit and Assurance Standard4 and the G20 IT Audit and Assurance Guideline.5
As the culture of control is one of BNS’s principles, IT is supported by existing channels to disburse the controls implemented based on the use of web services and those in the compliance unit (the unit responsible for verification of compliance with external regulations) for IT regulatory issues. One of the critical success factors in the implementation of good IT governance was to use the current organizational structure to plan, organize, direct, coordinate, monitor, and make appropriate and timely decisions to gain from the advantages, benefits and opportunities derived from its use. This allowed the compliance unit to become the only authorized channel to receive and deliver requirements from auditors, whether internal or external.
Although the full responsibility for good IT governance falls by definition on the board of directors, duties are delegated to the different units of the bank—the control, evaluation and account performance of which follow the outline of authority and responsibility that is current within the bank.
Facing the Challenge
To face the challenge of implementing mandatory processes following the terms and conditions established by the local regulator, in this case SUGEF, BNS designed a route plan (a plan designed to achieve compliance as quickly as possible with the COBIT 4.0 control objectives) for the prioritization of measures to follow to successfully meet the requirements. The plan considered, first, the involvement of the IT committee with the active participation of upper management and the main bank executives.
Next, adequate implementation of the controls was verified using existing documents and taking on the task of upgrading, referencing and making the necessary standardizations to meet the detailed controls and requirements of the COBIT levels of maturity required by SUGEF for each of the processes. Two employees were assigned on a full-time basis to the project to ensure the continuity and follow-up of the route plan.
The implementation strategy clearly defined the general and specific objectives, which would allow the IT team to meet the objectives effectively, efficiently and economically, and to guarantee the availability of the resources required according to the scheduled tasks, the assignment of personnel committed and capable of executing the tasks assigned with excellence, and the active permanent pursuit of the progress of the project by the IT committee.
In its first phase, the plan analyzed 17 processes that required reaching maturity levels 2 or 3, as appropriate for the selected process.6 The following processes were included: PO1, PO3, PO5, PO9, PO10, AI3, AI5, AI6, DS2, DS3, DS4, DS5, DS9, DS10, DS11, DS12 and ME2. In the second phase of implementation, the remaining 17 processes that should reach maturity level 1 were analyzed to gradually reach maturity level 3 in a maximum of three years, starting in 2010.
Within the process, training in COBIT and good governance of IT, which focused on strengthening the knowledge of personnel participating in implementation, were included.
The benefits BNS received from using the conceptual framework from COBIT 4.0 include:
- Stronger alignment among business and IT strategies through the coherence of domains and COBIT processes
- Creation of defined processes with internationally accepted, auditable and measurable structures that integrate the best practices in the banking industry
- Identification of key controls that should be strengthened and implemented to ensure adequate internal IT control
- Better and more reliable processes that strengthen the application of practices related to management of the five elements of control that constitute good IT governance
This first experience related to the simultaneous implementation of various high-level processes, many of which are extremely complex and detailed, as well as to the need to create conditions that would yield the expected benefits. It required a significant effort by the institution, but with excellent results.
The effort has been substantial economically as well as in the amount of time dedicated by BNS’s process leaders—the demanding and continuous follow-up, monitoring and control, and the constant involvement of the entire organization, the board of directors, the administration, the managers and the IT department.
Despite the difficulties and the risk involved in the execution of a project of these dimensions, the strategy proposed with anticipation, the follow-up, and the timely and appropriate decisions made to once again follow the course have yielded the expected results, which, while they have just begun to emerge, are sure to create a more competitive, agile bank with strengthened processes, a greater focus on business and an enviable technological culture.
Manuel Vargas Roldan, CISM, CGEIT
With more than 29 years of experience in IT, is the senior manager of information security and IT compliance at BNS. He can be contacted at [email protected].
Francisco Herrera Hernandez, CGEIT
With more than 35 years of IT experience, is international IT director at BNS. He can be contacted at [email protected].
1 National Council for Supervision of the Financial System of Costa Rica, SUGEF 14-09, published in La Gaceta, no. 50, San Jose, Costa Rica, 12 March 2009, www.sugef.fi.cr
2 ISACA, IT Audit and Assurance Standard, Guidelines, Tools and Techniques, www.isaca.org/standards
3 ISACA, Code of Professional Ethics, www.isaca.org/ethics
4 ISACA, S7 Reporting, IT Audit and Assurance Standards, www.isaca.org/standards
5 ISACA, G20 Reporting, IT Audit and Assurance Guidelines, www.isaca.org/standards
6 Op cit, National Council for Supervision of the Financial System of Costa Rica (SUGEF)