Tech Time: A Principled IT Strategy

“…This above all, to thine own self be true…”  W. Shakespeare

Within many credit unions, the building and development of an IT strategy can be a challenge. How will changing systems, technologies, compliance requirements, security needs, known risks, unknown risks, personnel, and all the rest of the bits and pieces be governed and managed? How do we fit everything together? How do we know we’re on the right track? Well, the first thing to do is take a deep breath, step back and start from the beginning. What’s the beginning? The values and principles embedded in the CU’s mission, vision and enterprise strategy.

Building an effective IT strategy begins with understanding the credit union’s principles—the values and fundamental assumptions held by the CU. They are the beliefs guiding and putting boundaries around CU decision-making, communication within and outside the enterprise, and stewardship of member assets.

For some credit unions, these principles may be directly spelled out in a CU mission statement, ethics charter or other similar document. For others, they may be “understood,” but not necessarily delineated and documented. Through meetings and discussions, the credit union’s board of directors should formally identify and lay out the principles upon which decisions and actions undertaken by the credit union will be based.

Once the CU’s guiding principles have been defined, you can take the next step and build the credit union’s enterprise strategy. The enterprise strategy outlines corporate business plans and initiatives the credit union will engage in to meet enterprise goals (as aligned with enterprise principles).

Once the credit union’s enterprise strategy is outlined, work can begin on IT strategy items. The credit union’s IT strategy should support and aid in achieving enterprise strategy items.

To help understand how the above works, consider the following examples.

1.     CU operating principle: optimize the value of provided products and services

CU strategic objective: The products and services offered to members will:

• equal or exceed those offered by our competitors;
• be provided and maintained by the credit union in a cost-effective manner; and
• meet or exceed stakeholder needs and desires.

IT strategic objective: To assist in delivering products and services to stakeholders, IT operations will:

• ensure adequate and sufficient IT-related capabilities (people, process, technology, etc.) are available to support enterprise objectives effectively at optimal costs;
• establish a common system of business processes, information, data, applications and technology architecture layers for effectively and efficiently realizing enterprise and IT strategies; and
• analyze opportunities for business innovation or improvement through emerging technologies, services or IT-enabled business innovation, as well as through existing established technologies and by business and IT process innovation.

2.     CU operating principle: optimize business-related risks

CU strategic objective: To manage business risk, the CU will:

• complete risk assessments for business initiatives;
• communicate risk findings to appropriate stakeholders; and
• monitor internal and external environment for changes in risk factors and/or risk measurements.

IT strategic objective: To assist in managing business/enterprise related risks, IT will:

• ensure the enterprise’s risk appetite and tolerance are understood, articulated and communicated, and risks to enterprise value related to the use of IT are identified and managed;
• continually identify, assess and reduce IT-related risk within levels of tolerance set by CU executive management; and
• define, operate, and monitor a system for information security management.

Once IT strategy items are defined, the credit union can work on developing the policies, standards, procedures and projects needed to achieve strategy objectives.

While we’ve shown how building your IT strategy from credit union principles works, it’s important we consider some of the many reasons why this is a valuable method.

• This method promotes good IT governance practices (i.e., ensuring IT sustains and extends enterprise strategies and objectives).
• It supports and promotes work by the board of directors in ensuring IT initiatives are appropriate and support enterprise goals.
• It aids in identifying or clarifying the metrics used to determine the success of a strategic item or initiative.
• As principles and values shouldn’t really change over time, they allow the credit union to build and maintain consistent long-term strategies and objectives.
• This method allows external stakeholders (auditors, regulators) to see that the credit union has a clear, logical system for determining, developing and aligning IT projects and strategies with strategic objectives and enterprise goals.
• This method aids in reinforcing credit union principles and values throughout the organization.

And while we’ve focused on IT strategy in this article, this same process can be applied to other operational areas (e.g., marketing, loans, personnel, shares, etc.) and their respective strategies to gain similar benefits.

Jim Benlein, CISA, CISM, CRISC, owns KGS Consulting, LLC, Silverdale, Wash., and offers insights to CUs on information technology governance, information security and technology risk management.