IT/MIS: Measurement & Rules to Manage Risk. Banca Popolare di Sondrio handles IT risk management by measuring complexity via a structured interdisciplinary approach; 27% of transactions contribute to 80% of the operational complexity of the system.
Sondrio Bank: IT PMO and Production Complexity Risks
IT: Measurement & Rules to Manage Risk
26/04/2013 By Nicoletta Boldrini Original Article from ZeroUnoweb.it
http://www.zerounoweb.it/casiutente/it-misurare-e-governare-per-gestire-il-rischio.html
Our Bank [Banca Popolare di Sondrio] addresses IT risk management through
sound management of complexity, applying a structured interdisciplinary
approach.
"Implicitly, complexity is constantly evolving; to govern this you must know where
you are at any point in time and measure it," began Milo Gusmeroli, Deputy
General Manager and CIO of Banca Popolare di Sondrio, sharing with ZeroUno all
the critical issues related to complexity management and confirming that it must be
checked and managed. "In my opinion, complexity in IT is an 'intrinsic condition',"
continues Gusmeroli, "and it can open new revolutionary opportunities. Not to
consider complexity would be a mistake, and when doing so, it is essential to use a
structured interdisciplinary approach."
In the case of Banca Popolare di Sondrio, the Bank's IT governance rests on
five pillars: Organization (as people and structure),
Methods (services and processes), Architectures and Systems, Project Portfolio
Management, Budgeting and Performance Management.
"As the complexity simplification is leading to greater capacity and more effective
governance of the IT domain architecture where systems play a decisive role," said
Gusmeroli. In this context, Banca Popolare di Sondrio has established an
'Architecture / Systems and Security' group in the PMO, and our staff has defined a
control system that takes into account not only the architectural models (SOA, for
example), but also the provisioning choices.
"The other important area that we consider essential is to understand the
intricacies of IT (to measure and rule) and [he is] referring to the catalog of services
provided (which is part of the pillar 'methodology'), which, in terms of control,
allows the IT department to have a clear view of the relationship between banking
processes, organizational units, IT services needed to support and adequate
computing resources," says Gusmeroli.
"The unit dedicated to the portfolio of projects, i.e. the project management office, in
Banca Popolare di Sondrio for this has the responsibility for the integration of
budget, projects / service catalog, reporting, measurement, reporting and
repositioning [this also to connect to the Bank of Italy reporting in terms of banks'
prudential supervision - Ed]," adds Gusmeroli. "Finally, the scope and budget
performance management has in charge obtains a balanced scorecard, however,
integrating all parts of project administration and catalog services for the strategic
management of IT must always be supported by objective measurements and
related to the objectives of business."
Interpreting the phenomena: how to govern IT
Milo Gusmeroli, Deputy General Manager & CIO Banca Popolare di Sondrio
"IT is such a complex organization and IT can be effectively governed; however, IT
must be measured precisely in its complexity," highlights Gusmeroli. "This measure
is aimed, in our case, at understanding and interpreting phenomena using remote
control systems."
"The interpretation of the [complexity] phenomena and the use of the information
IT generates using control systems, although we aim to achieve the highest level of
predictability of IT systems behavior (and therefore the minimum risk), have a
direct impact on the business," explains the CIO of the bank. "This is why we are
introducing a stability indicator that allows us to have a view on the level of
complexity and potential consequences so that this level can determine the profile
of the business."
A similar view is being created in Banca Popolare di Sondrio through the
OntoSpace platform (a risk management solution built by Ontonix that incorporates
principles and algorithms for measuring the complexity of systems or processes);
this necessarily involves the integration of data and parameters, both technical and
of a different nature. "Within the system of control we have collected many
data as well as technical performance indicators from the architecture which is
derived from an analysis of operational risks," says Gusmeroli. "These are then
integrated with data coming from other systems, such as the balanced scorecard,
to determine the risk and to assess their impact on the business."
Turning to the case studies developed, and taking as an example the analysis of a
bank server with Ontonix technology, the Bank was able to verify that the
robustness of the system shows an initial phase of intense activity (both
batch and user side) which progressively decreases. After a first period
of tension, the system reaches equilibrium and normal operating conditions.
Continuing the analysis, it was also found that the most critical variables appear to
be related to the management of hard disk storage, an element which, however, we
managed to resize. During periods of high operational demand the system is more
exposed to unpredictable reactions, requiring greater management attention.
"The instrument used for measuring the complexity has also been applied to
measure the response time of the transactions and then test the behavior of
applications," said the CIO. "The analysis on the response times of applications
showed that the elements to be monitored with greater attention are the 'moments
of discontinuity', i.e. the transition between activities (e.g. from batch to online)."
The result of this analysis was symptomatic and almost 'surprising': 27% of
transactions contribute to 80% of the operational complexity of the system. "Now
we have more information to determine which applications and transactions are
'key-centric' [critical pivots] and why, in order to govern the IT systems and
processes better, thereby reducing the risk leading to a higher index of stability."
The analysis under way at Banca Popolare di Sondrio is intended to add other
features on the 'potential' and 'residual' complexity and robustness of IT systems:
in the vicinity of the critical level of complexity (to be placed on dashboards with
intuitive graphic elements), the behavior of a system becomes
unpredictable, thus putting stability at high risk. Based on this awareness, the Bank
has initiated plans aimed at monitoring and measuring the potential risk
(represented by the critical level of complexity) and the residual risk (which comes
from the distance between the actual measured complexity and the level of
complexity identified as 'critical'). The residual risk, in fact, measures the amount
of indeterminacy [in concurrent computation] the system is able to withstand
before starting to lose functionality and become unreliable, while the current risk
measures the topological robustness and quantifies the ability of the system to
preserve its functionality.
"It goes without saying that in order to maintain an index of stability of the system,
IT must keep a safe distance from the critical level of complexity," says Gusmeroli.