Large banking group: an agile approach to better manage IT compliance regulations

Modernize and centralize the bank's IT compliance management 

A leading player in the international banking sector, the group's challenge is to ensure consistent regulatory compliance with numerous regulations such as GDPR, NYDFS, PCI-DSS, CSP Swift, etc., without disrupting business development. With an international scope, the bank's IT departments consist of several thousand staff. 
Historically, the bank documented its IT compliance processes in Excel documents. Today, the bank has chosen to use a tool to help it manage IT compliance regulations, especially cybersecurity-related ones, more efficiently.
The solution is organized around a single repository to provide the following: 

• Operational compliance management for the Information Systems Departments;
• Optimized compliance management costs;
• Reduced loss of quality data between different business divisions; 
• Evergreen monitoring of IT compliance, including the ability to work without the involvement of IT project teams that withdraw after completing the initial implementation.

The challenge for the group was to set up a common repository to manage the compliance of IT resources to meet all internal standards and external regulations.

An agile project to increase compliance with various regulations

To achieve its objectives, the banking group has also decided to rely on its Enterprise Architecture repository for compliance initiatives. To do this, it has added MEGA's internal control management solution - HOPEX Integrated Risk Management – to manage compliance across its entire application estate. The choice of solution was made on three main criteria:

• Relevance of the proposed solution based on the bank's requirements
• Ability to integrate into the existing Enterprise Architecture repository in HOPEX, therefore making it possible to capitalize on the current application inventory
• Support from MEGA consultants in leading the solution integration project

The company has taken a pragmatic approach to innovation by setting up an MVP (Minimum Viable Product) strategy. This consists of launching a first version, then developing it according to the needs reported by all the project's stakeholders.

The agile organization of the project was developed over time and gradually evolved with the business project team, project management, and the MEGA International team. These discussions enabled the solution to grow agilely, build an extended MVP, and begin the first concrete use case: Compliance with the GDPR. Once the production of this use case had started, all the information was entered by the project management team directly into the HOPEX repository—thus ending the use of Excel files for this type of operation.

Centralization of information for better access to knowledge

By centralizing compliance data onto a single platform, the group now has reliable, precise, and up-to-date information, facilitating access to knowledge. To achieve this result, cross-functional cooperation was required to ensure the bank's IT compliance.

Centralizing information also provided better visibility into the overall compliance levels of IT resources. The bank was initially able to assess compliance with GDPR for several hundred applications, and many additional applications have been added since. 

The next objective for the bank is to industrialize (automate) the compliance management of its application portfolio. The other central requirement is to reduce the costs of compliance management.

Solutions

• HOPEX Integrated Risk Management
• HOPEX IT Portfolio Management
• HOPEX platform
• MEGA Services Team