In today's economic scenario, if markets are increasingly moving towards free trade on the one hand; the number of rules and regulations to be met to truly qualify as a global entity is constantly rising too. As far as banks are concerned, meeting a barrage of world-wide compliance standards like BASEL II, Sarbanes-Oxley and Clause 49 is a major headache. IT frameworks like ITIL and COBIT, which have in the past been largely relegated to the realms of dreamware, are now emerging as ways to help financial institutions meet varying compliance standards.

HDFC Bank is in the process of implementing the ITSM solution from CA and Mindview from Symantec to untangle the chords of the compliance and governance struggle. G V Gopalakrishnan, executive vice president-IT, HDFC Bank, in conversation with Biztech2.0, discusses how IT is helping the bank to meet international compliance standards.

SOX Requirements Drove Need for Compliance Solution

Financial institutions listed in the US are required to demonstrate compliance with the Sarbanes-Oxley (SOX) standard since March 2007. To achieve this goal, HDFC Bank had embarked on a journey of internal changes in the financial year 2006-07 itself. "During this transformation process, we decided to look at a much larger framework to meet a myriad of compliance regulations that went far beyond SOX standards," states Gopalakrishnan.

After drawing up a framework to meet the immediate SOX requirements, HDFC Bank started looking at multiple frameworks like COBIT, ITIL and ISO 27001 to reach a broader compliance platform. "We decided to stitch multiple frameworks together, in addition to forming a governance practice within the technology group, which would make the process of meeting all kinds of compliance standards in the future easier and faster," explains Gopalakrishnan.

External Audit & Other Challenges Involved

The primary challenge in any governance environment is demonstrating year-long compliance during an audit. "Demonstrating compliance to an external auditor involves collecting evidence of processes and policies that are implemented throughout the year. This poses a major challenege as it is the most time-consuming element of the entire governance activity," says Gopalakrishnan.

Maintaining consistency is another important aspect to compliance, which can be controlled effectively by automating the entire process of evidence collection. This enables the creation of a repository of compliance evidence, which can furnish proof of adherence to processes during an audit. The repository can also help organisations in self-assessment by allowing them to know exactly where they stand with regard to compliance at any given point of time.

Choosing the Right Solutions

After an extensive evaluation process, HDFC Bank tied up with CA for implementing its ITSM solution, which is ITIL based. The overall governance solution chosen was Mindview from Symantec. Mindview enables repository formation for processes and facilitates automated gathering of evidence.

The implementation is yet in its initial stages; however, it is expected to reach completion within the next six months. This will give the bank a reasonable amount of time to collect data for the next audit.

Performance Consistency and Business Compatibility

"A big challenge that cropped up when we started was justifying an investment of this magnitude to the top management," says Gopalakrishnan. After overcoming this hurdle with the reasoning that it is important to put processes in place to meet regulatory norms, the next challenge arose in the form of performance management. The entire IT team had to consistently follow all established practices and processes; however, a check had to be maintained to see that this created no negative impacts for business users. Thus, the entire IT organisation had to be oriented towards making this solution work without impacting business deliverables.

Multi-Compatibility Premier Benefit

"The biggest benefit that I foresee is the availability of results for multiple regulators with a one-time process implementation," asserts Gopalakrishnan. "Ultimately, most regulators follow the COBIT and ITIL framework, therefore this is going to result in huge savings for the bank and additionally, it will allow the IT team to focus on their job, rather than spending precious time meeting regulatory requirements."

Although compliance is high on the priority list of most BFSI organisations, few companies are actually addressing long-term compliance needs. HDFC Bank, however, has planned a comprehensive governance and compliance strategy, as described above, to take the organisation forward without any governance glitches.