Around half of the firms we surveyed tolerate, rather than support, this break from the traditional approach of centralised software development. However, with a third actively encouraging business-developed IT, it is expected to increase substantially over the next three years and will require the appropriate levels of governance.
We discussed this challenge with a group of “C” level managers at our most recent Sionic Signals forum, held virtually in December 2020.
While some of this development is down to lack of functionality in existing applications and frustration with the speed of centralised software development, the main reason is to enable more sophisticated data analysis and to allow investment teams to add their “secret sauce” to the investment decision making and portfolio construction process. This has been facilitated by:
- More flexibility, capability and usability offered with modern programming languages, cloud computing and software applications.
- A marked increase in the number and ability of tech-savvy employees.
Python is the most prevalent programming language and PowerBI the most popular tool for data visualisation, given its ease of use. It is most widespread amongst the investment desks, though reporting, finance and operations teams are also undertaking their own development.
Nearly two-thirds of the firms we surveyed are managing business-developed IT as a medium to high level of operational risk:
- Support – only 10% of the firms we surveyed have found a way to effectively support business-developed IT. This is done most often on a best-endeavours basis, with many IT departments being reactive rather than proactive.
- Data – there is a risk that incorrect data sources are referenced or that unlicensed market data is used.
- Key-person risk – this is especially of concern if the business is dependent on software that is not well documented, not broadly understood or not proven to be robust.
- Robustness – is the code robust, has it been fully tested, does it open up any security vulnerabilities, could there be flaws in the algorithms?
How to manage the risk
The main approach has been to implement a governance framework to provide some form of control over how and what software is developed; this tends to be created and managed by the IT function. Nearly 80% of the firms we surveyed require IT approval for the use of development tools, so there is a basic level of control, but in most cases, more work is required to build out these frameworks.
The challenge is ensuring adherence with the framework. This will be achieved by educating capable employees on good practice and behaviours, as well as building a strong culture supporting internally developed software.
This begs the question, to what extent does IT becomes more federated? 28% of the firms we surveyed felt that it would and that the centralised IT team would provide a more oversight and mentoring role. In discussion, it was felt that the IT function should be an enabler of business-developed IT and needs to evolve to focus on creating operational alpha. This includes offering further enhancements supporting the business in areas such as data science and advanced development techniques.
With growing interest from the regulators looking to test technology maturity, Operational Risk teams need to ensure there is robust management of the risks that business-developed IT poses, as firms increasingly look to the use of technology to improve investment performance for their clients and enhance their competitive edge. Culture plays a large part in this, with organisational awareness and buy-in to the controls crucial to the success of the risk management framework.
Sionic Signals is a forum for C-Level technology representatives from asset management firms to discuss key industry challenges. Keep an eye out for our next Signals survey on Operational Resilience. To find out more about Sionic Signals, please contact Clare Vincent-Silk.