Santander Banespa bets on the Modulo Risk Manager™ risk assessment methodology to assure reliability in its business chain.

Outsourcing has become a reality in many of today's market segments. Especially in the financial sector, this trend takes on an absolute countenance as it is adopted by institutions of different sizes and types. The Santander Banespa bank has adhered to this model, and added a competitive advantage by investing in IT risk assessment methodology to ensure reliability when establishing partnership agreements. The solution is based on Modulo Risk Manager™.

A bank's operating activities cannot be transferred before risks are evaluated. Our business partners should be prepared to protect our assets as we would do, internally", says Alvaro Teofilo, Santander Banespa's information security executive manager. At Santander, the process for evaluating partners was developed based on a risk management methodology established internally. The model used is essentially based on COBIT and includes principles of the OCTAVE approach, an assessment method developed by the Carnegie Mellon University, in Pittsburgh, PA.

The model used by Santander Banespa requires that each type of risk assessment address one particular type of process. Processes, in turn, are divided into several phases before they reach their final report format. First of all, the scope of the assessment is defined, as company data is collected and conditions agreed; secondly, Business Relevance and Criticality are defined with the identification the company's level of dependence upon the process. The next step is to run questionnaires appropriate to the nature of each service, then schedule a visit to the company and consolidate the results obtained. The model culminates with a final report containing consolidated data and presenting recommendations to each individual partner.

This process was not previously carried out in a satisfactory manner. "That was why we adopted Risk Manager. The solution has helped standardize demand and guarantee that the checklists made available for each type of contract can be reused across business partners”, says Alvaro Teofilo.

Since checklists are preset by the program, Santander Banespa's information Security Department has saved a significant amount of time in the development and maintenance of these tasks. "And what's more - he adds - the product allows lists to be adapted according to the different business needs. If a partner only stores some of the bank's physical materials, it does not need to comply with logical security requirements as strictly as other partners who maintain network links with our structure”, explains Teofilo.

Another aspect highlighted by the Santander executive is that Risk Manager allows automatic assessment of the risk controls, both at the start of the project and during the term of the contract: "The assessment is conducted by focusing not only on the initial security structure, but also guaranteeing that the partner's service keeps improving when it comes to risk control." The implementation phase was concluded in late 2005.

The consolidated solution rendered the requirements presented to partners more transparent, given that the bank established a standard path and simplified its relationships.

The good performance presented by Risk Manager in the assessment of partners has led the company to adopt the tool in different business areas. The product has been applied as a basis for the technical definitions in the Security Guide for Windows Servers, and also for lower platforms.

According to Teofilo, the adoption of Risk Manager has added great general benefits to the financial institution, since it provided an integrated view of security and the business.

"The owners of each operation are now more comfortable, knowing that a number of requirements have been met. In addition, they are also aware that this commitment requires continuous updating, so as to constantly improve partners' structures", complements the executive.