For financial institutions to be successful today, they must have — and implement — a comprehensive IT strategic plan. The IT strategic plan must align with the overall strategic plan, outline future goals and objectives, and identify the steps needed to achieve them in a three-to-five-year timeframe.
The institution’s board of directors is directly responsible for developing the overall, or enterprise-wide, strategic plan, but it will most likely delegate responsibility for the IT strategic plan to a board- or management-level committee (typically the IT Steering Committee). The board is still responsible for reviewing and approving the IT strategic plan to ensure it aligns with the overall business strategy.
To understand the difference between the two plans, it’s important to note that the overall plan is where the broad goals and objectives of the organization are defined. This could mean many things, such as achieving certain revenue gains and financial ratios, but it almost always includes adhering to current guidance and best practices relating to information security. The plan must include an information security strategy to protect the institution from ongoing and emerging threats, including those related to cybersecurity. The IT strategic plan adopts the broad goals and objectives of the overall plan and connects the specific day-to-day practices to those broader objectives. For example, the overall plan might have a broad objective to keep information secure. The IT strategic plan will identify each of the practices and proposed initiatives that align with that objective. Simply put, the IT strategic plan provides the linkage between the specific actions of the IT committee and the broader goals and objectives of the organization.
Components of an IT Strategic Plan
Since the IT strategic plan is the document that outlines specific activities required to overcome challenges, there must be a solid understanding of the institution’s goals, business model, and objectives. In addition, there are three main components that all strategic plans should include:
- Mission and Vision Statement
The mission statement is the summary or explanation of an organization’s overall purpose, as well as its goals, values, and objectives. Having a solid mission statement ensures employees understand the direction and purpose of the financial institution and helps create a sense of identity. The vision statement will often be more concise and is designed to paint a picture of what a bank or credit union aspires to be in the future. While these components of the strategic plan may seem time-consuming to develop initially, they are the necessary foundations for a successful organization, and unless the organization is experiencing a high pace of change, they are not difficult to maintain going forward.
- Risk Appetite Statement
Risk Appetite is defined as the amount of risk a financial institution is prepared to accept when working to achieve its objectives. In other words, risk appetite is a decision by the Board and Senior Management that the residual risk level, or risk remaining after controls have been applied, is within their pre-defined acceptable range. Failure to have a risk appetite statement could result in a financial institution improperly managing its risk, or misallocating its resources.
- IT Roadmap
The IT Roadmap is where all current and proposed strategic initiatives are tracked. The roadmap is the beating heart of the IT Strategic Plan and should be reviewed and updated at each committee meeting. Each roadmap initiative should identify how it aligns with specific enterprise-level goals which, although they will differ from one institution to the next, should include the following:
- Institution growth and customer demographic targets, including mergers and acquisitions
- Current technology standards — the ability to adopt and upgrade/replace systems and software and integrate new technology to remain competitive
- Regulatory requirements (e.g., privacy, security, consumer disclosures, and other reporting requirements)
- Cost containment, process improvement, and efficiency gains
- Customer service and technology performance quality
- Third-party relationship opportunities versus in-house expertise
The plan should also focus on specific interdependencies, personnel, tools, internal and external resources, and timetables to achieve the designated goals. This also includes hardware and software architecture, third-party providers, and budget estimates.
Technology evolves rapidly, requiring institutions to implement enhancements to existing systems, and prompting new investment in infrastructure, systems, and applications. IT strategic plans serve as a powerful tool, one that positions banks and credit unions to identify and achieve key goals and desired outcomes. As the FFIEC states in the Management Handbook, “A financial institution capable of aligning its IT infrastructure to support its business strategy adds value to the institution and positions itself for sustained success.” A comprehensive IT strategic plan will ensure delivery of IT services in a cost-efficient and effective way, while enabling financial institutions to meet the competitive demands of the marketplace.