Governance Case Study: Synovus
Collaboration the Key to Creating, Enforcing Standards
For Synovus, a $32 billion holding company with 5000 employees and 37 affiliated banks across the Southeast, it's a bit of an understatement to say that IT governance is done on a broad scale.
Steven Jones, Director of Information Security for the Columbus, GA-based company, says the focus on IT governance, risk and compliance is where a great deal of the organization's enterprise risk has evolved. "For Synovus, one side focuses on information risk, the other around project and portfolio risk management."
The governance program at Synovus started with IT and has since expanded into other areas, including enterprise risk, strategic risk and compliance risk. "We formulated an operational risk committee that has key representation from audit, legal, credit, information security, compliance and other key business unit leaders," Jones says.
The committee is still evolving, as are its charter and mission. "But one of the big agenda items we've tackled up front is vendor risk management and vendor due diligence," Jones says. This priority aligns with the FDIC's 2008 focus on improved vendor management, and it validates the recent State of Information Security survey, in which respondents' own self-assessments show significant need for improvement.
Getting a Handle on Governance
Because Synovus is a "little bit different in terms of organizational structure" and offers a broader range of services, including financial management, brokerage, trust, mortgage and insurance, Jones' team has chosen to centrally manage many functions and provide IT services to all the banks from a single IT center. There is a "dotted line" reporting structure within each of the banks to an affiliate coordinator, who is responsible for some of the risk assessment activity for that bank. "Our compliance is also regionalized, so these things help us appreciate benefits from both a decentralized approach and a centralized approach in certain actions, such as risk management activities," Jones says.
In project governance, Synovus has an IT steering committee that prioritizes its portfolio and sets thresholds, expressed as a number of hours or a number of dollars spent. Projects that exceed those thresholds go to an executive governance committee, which reviews the larger projects and helps prioritize the work.
Synovus has eight different high-level policies across all 37 banks, each pointing to more "fluid" standards. Jones, who is in charge of the standards, sends any new ones or revisions to a standards committee for approval. The affiliate bank coordinators are then given these standards and policies to distribute to the employees at their bank. "The policies are very short documents, and don't change very much, and point to the more substantial information contained in the standards," Jones notes.
Jones is empowered to review those standards quarterly or annually. The standards cover issues such as access control, acceptable use policy, asset classification and anti-virus -- typically all the standards that surround information protection and GLBA compliance.
The information security program at Synovus began six years ago and was based on strong principles of risk-based security, risk assessment and information asset classification, all of which were foundations of the IT governance program. Synovus' IT project management has been about four years in the making, while enterprise risk management is about two years old.
"We're still maturing," Jones says. "Overall we're about 60-70 percent there. It's difficult to measure because each area is at a different level of maturity. Our regulators have a perspective, our customers and shareholders have a perspective, and we have an internal perspective, all of which we take into account."
Having started the governance program at Synovus, Jones says, "One of the biggest hurdles we faced was to understand the business and the risks associated with the business."
The IT governance committee found that engaging in a two-way conversation with the business side to understand what's at stake was key to the success of the program. "Looking back, all of the most successful parts of our program have been the result of engaging as many stakeholders as possible, whether it's legal, compliance, or audit, or the business itself," Jones says. "Those conversations were the most fruitful and productive, and we made sure each one shared their perspective."
He advises other institutions to pay heed to the power of cross-functional collaboration. "Once we got all those people in a room, they discovered how much they all had in common," Jones says. "You'll be surprised how much concern they have about the same issues, like privacy and data security, confidentiality, integrity and all of those issues you thought no one was paying attention to at your institution but you."