WITH AN EYE ON PARTNERS
Santander Banespa bets on the Modulo Risk Manager™ risk assessment methodology to ensure reliability across its chain of business partners.
Outsourcing has become a reality in many of today's market segments. In the financial sector the trend is especially pronounced, with institutions of every size and type adopting it. Santander Banespa has adopted this model and added a competitive advantage by investing in an IT risk assessment methodology that ensures reliability when partnership agreements are established. The solution is based on Modulo Risk Manager™.
"A bank's operating activities cannot be transferred before risks are evaluated. Our business partners should be prepared to protect our assets as we would do, internally", says Alvaro Teofilo, Santander Banespa's information security executive manager. At Santander, the process for evaluating partners was built on a risk management methodology established internally. The model is essentially based on COBIT and incorporates principles of the OCTAVE approach, an assessment method developed at Carnegie Mellon University, in Pittsburgh, PA.
Santander in figures
Established in 1857, the Santander group resulted from the merger of four large Spanish financial institutions: Banco Santander, Banco Central, Banco Hispano-Americano and Banco Español de Crédito. Since the early 1990s the group has pursued an aggressive acquisition strategy worldwide, from Norway to Mexico and the United States of America.
In Brazil, Santander has acquired Banco Geral do Comércio, Bozano Simonsen, Banco Meridional and Banco do Noroeste, and in 2000 bought the São Paulo state bank, Banespa, paying R$ 7.05 billion in a privatization auction. In the second half of 2005, Santander Banespa posted a net profit of R$ 461 million in Brazil alone, 41.3% more than in the same period of the previous year.
The model used by Santander Banespa requires that each type of risk assessment address one particular type of process. Each assessment, in turn, passes through several phases before it reaches its final report. First, the scope of the assessment is defined: company data is collected and the conditions are agreed. Second, Business Relevance and Criticality are rated by identifying how dependent the bank is on the process. Next, questionnaires appropriate to the nature of each service are run, a visit to the partner is scheduled and the results obtained are consolidated. The model culminates in a final report containing the consolidated data and presenting recommendations to each individual partner. The results of adopting this model:
- Partners are only accepted after all the requirements set by the bank have been met;
- The use of checklists has guaranteed standardization of demands;
- Checklists are reused across business partners, increasing productivity in the Santander Banespa's information security department;
- Automatic evaluation of risk controls is now conducted both at the start of a project and during the term of the contract;
- The method ensures that partners continuously invest in the improvement of their internal risk control structure.
This process was not previously carried out in a satisfactory manner. "That was why we adopted Risk Manager. The solution has helped standardize demand and guarantee that the checklists made available for each type of contract can be reused across business partners", says Alvaro Teofilo.
Since the checklists are preset by the program, Santander Banespa's Information Security Department has saved a significant amount of time in developing and maintaining them. "And what's more," he adds, "the product allows lists to be adapted according to the different business needs. If a partner only stores some of the bank's physical materials, it does not need to comply with logical security requirements as strictly as other partners who maintain network links with our structure", explains Teofilo.
Another aspect highlighted by the Santander executive is that Risk Manager allows automatic assessment of the risk controls both at the start of the project and during the term of the contract: "The assessment is conducted by focusing not only on the initial security structure, but also guaranteeing that the partner's service keeps improving when it comes to risk control." The implementation phase was concluded in late 2005.
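The workflow described above (a reusable control checklist, tailored to the nature of each partner's service, gated by the bank's criticality rating, and re-scored during the contract term) can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from Modulo Risk Manager or from Santander Banespa, and the control identifiers, weights, service profiles and acceptance thresholds are illustrative assumptions.

```python
"""Partner risk assessment model (illustrative example, not vendor code).

Assumptions: a small control catalogue with weights, three service profiles
that decide which control domains apply, and an acceptance threshold that
rises with the bank's dependence on the outsourced process.
"""
from dataclasses import dataclass, field

# Reusable control catalogue: id -> (domain, description, weight). Assumed values.
CONTROLS = {
    "PHY-01": ("physical", "Access to storage areas is logged and restricted", 3),
    "PHY-02": ("physical", "Media is inventoried and destroyed when retention expires", 2),
    "LOG-01": ("logical", "Named accounts with MFA for access to bank data", 3),
    "LOG-02": ("logical", "Quarterly access reviews performed", 2),
    "NET-01": ("network", "Link to the bank terminates on a dedicated firewall", 3),
    "NET-02": ("network", "Intrusion detection monitors the bank link", 2),
}

# Tailoring: a partner that only stores physical material is not asked the
# logical or network questions; a partner with a network link gets all of them.
SERVICE_DOMAINS = {
    "physical_storage": {"physical"},
    "data_processing": {"physical", "logical"},
    "network_connected": {"physical", "logical", "network"},
}

# Minimum weighted compliance required, by the bank's criticality rating (assumed).
CRITICALITY_THRESHOLD = {"low": 0.60, "medium": 0.75, "high": 0.90}


@dataclass
class Assessment:
    partner: str
    service: str
    criticality: str
    # control id -> 0.0 (absent), 0.5 (partially implemented), 1.0 (implemented)
    answers: dict = field(default_factory=dict)

    def applicable_controls(self) -> list[str]:
        """Only controls whose domain matches the service profile are scored."""
        domains = SERVICE_DOMAINS[self.service]
        return [cid for cid, (dom, _, _) in CONTROLS.items() if dom in domains]

    def score(self) -> float:
        """Weighted compliance over the applicable controls; unanswered counts as absent."""
        ids = self.applicable_controls()
        total = sum(CONTROLS[c][2] for c in ids)
        achieved = sum(CONTROLS[c][2] * self.answers.get(c, 0.0) for c in ids)
        return achieved / total

    def accepted(self) -> bool:
        """Acceptance gate: the partner is only accepted once the threshold is met."""
        return self.score() >= CRITICALITY_THRESHOLD[self.criticality]

    def gaps(self) -> list[str]:
        """Recommendations for the final report: open controls, heaviest first."""
        open_ids = [c for c in self.applicable_controls() if self.answers.get(c, 0.0) < 1.0]
        return sorted(open_ids, key=lambda c: (-CONTROLS[c][2], c))


def reassess(baseline: Assessment, followup: Assessment) -> dict:
    """Review during the contract term: compare against the score at contract start."""
    before, after = baseline.score(), followup.score()
    regressed = [c for c in baseline.applicable_controls()
                 if followup.answers.get(c, 0.0) < baseline.answers.get(c, 0.0)]
    return {"baseline": round(before, 3), "current": round(after, 3),
            "improved": after > before, "accepted": followup.accepted(),
            "regressed": regressed}


if __name__ == "__main__":
    # Constructed sample answers for two partner types.
    warehouse = Assessment("Archive Co", "physical_storage", "low",
                           {"PHY-01": 1.0, "PHY-02": 0.5, "LOG-01": 0.0})
    print(warehouse.partner, warehouse.applicable_controls(), warehouse.score(), warehouse.accepted())

    link = Assessment("Card Processor", "network_connected", "high",
                      {"PHY-01": 1.0, "PHY-02": 1.0, "LOG-01": 0.5,
                       "LOG-02": 1.0, "NET-01": 1.0, "NET-02": 0.0})
    print(link.partner, round(link.score(), 3), link.accepted(), link.gaps())

    later = Assessment(link.partner, link.service, link.criticality,
                       {**link.answers, "LOG-01": 1.0, "NET-02": 1.0})
    print(reassess(link, later))
```

Two points the model makes concrete: the warehouse partner's answer to LOG-01 is ignored because the logical domain is not part of its service profile, so reusing one catalogue does not over-burden a low-risk partner; and the network-connected partner with a high criticality rating fails the gate at 77% compliance, is handed a ranked gap list, and only passes on the follow-up review once those controls are in place.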
The consolidated solution made the requirements presented to partners more transparent: the bank now follows a standard path and has simplified its partner relationships.
The good results obtained with Risk Manager in partner assessment led the bank to adopt the tool in other business areas. The product has served as the basis for the technical definitions in the Security Guide for Windows Servers and for the bank's other distributed ("low") platforms.
According to Teofilo, the adoption of Risk Manager has brought broad benefits to the institution, since it provides an integrated view of security and the business.
"The owners of each operation are now more comfortable, knowing that a number of requirements have been met. In addition, they are also aware that this commitment requires continuous updating, so as to constantly improve partners' structures", adds the executive.