Skip to main content
Security and resiliency

How one Belgian bank boosted its regulatory readiness

Article 4 Sep 2024 Read time: min
By Anton Wilsens

It is no great secret that many financial service providers have relied heavily on outsourcing to meet their IT needs. This approach has enabled banks to modernize their offerings without the burden of managing IT services in-house.

However, while banks have always maintained ultimate accountability for their operational risk, including their IT, European banking regulators are now adopting a tougher stance on IT governance to ensure the accountability is backed by the right controls.

By early 2025, through regulations like the European Digital Operational Resilience Act (DORA), financial service providers and third-party IT vendors in the EU must adhere to rigorous new standards for managing their IT infrastructure.

Regulations like DORA signal positive change. They encourage banks to strengthen their IT controls and by extension, boost their cyber resilience in an environment of more frequent and sophisticated cyberattacks. According to a recent Kyndryl report, over 70% of organizations have experienced a cybersecurity-related event in the previous two years alone.

Still, the prospect of developing an operating model that ensures total governance over a sprawling IT environment can be overwhelming.

Belfius, one of Belgium's leading banks, already has made significant strides towards strengthening their IT controls and regulatory readiness.

Their progress has been driven by four practical steps that IT leaders in the EU may also want to consider when preparing for the 2025 DORA deadline.

Define the target operating model

After years of outsourcing of their complete IT infrastructure to one industrial partner, supported by Service Level Agreements (SLAs), Belfius realized a new approach was needed to regain control.

In other words, the team was ready for a strategic overhaul, to increase oversight and flexibility in their IT operations. And to achieve this, they would need to establish a new target operating model.

Defining a new Target Operating Model is a crucial first step for any team seeking to reconfigure their IT management practices. The added benefit is that it requires teams to identify their objectives early in the transition. With these objectives as a starting point, the optimal operating model can be co-created to define how teams will collaborate, how governance will be assured and how the main KPIs will be met.

"Defining a new operating model came along with three objectives: bring the infrastructural control back to Belfius, increase the flexibility of our infrastructure products and services and improve the overall quality of delivery."

Benoit Sepulchre
Head of IT Platforms at Belfius

 

Conduct a skills audit

A key part of Belfius’ new operating model would be increased control over their Service Integration and Management layer.

Belfius decided to re-insource this control internally, while still leaning on one of their partners for Resources on Demand. This would in turn allow the bank to move from a single, large contract with their total outsourcing partner to multiple agreements with various IT service providers, each focusing on their strongest value proposition.


"Our ambition was to enter in an open and transparent partnership with every single infrastructure partner, and where possible to avoid any sub-contracting."

Benoit Sepulchre
Head of IT Platforms at Belfius

 

To navigate this transition smoothly, teams should consider a comprehensive skills audit to pinpoint gaps in their organization's capabilities around the most important SIAM (Service Integration and Management) processes. Through the audit’s learnings, teams can then craft a targeted upskilling strategy.

For some, this might mean hiring new talent; for others, implementing training programs; or in cases like Belfius, a combination of three solutions: hiring new talents, insourcing providers’ resources and creating combined teams under Belfius management.

Assign ownership

As the saying goes, "With great power comes great responsibility.”

Taking control over the Service Integration and Management layer also means assuming full responsibility for the management of incidents, problems, service requests, and more across all IT systems and providers.

One strategy to adjust to this new responsibility is to make sure your partners run the platforms as a service, still offering end-to-end ownership with SLAs on the uptime of the platforms.

To firmly embed this within the organization, your team could assign a two-in-the-box management model where dedicated owners on the organization’s side closely interact with the platform owners from the respective infrastructure partners. This approach not only distributes the workload, but also makes sure the client and the partner are aligned on the short- and long-term vision of the evolution of each platform.


"The two-in-a-box model is very powerful. It creates more transparency and alignment on the way we manage the infrastructure, and the strategic choices to be made. Also, it gives the people a common feeling of belonging, making the collaboration even more efficient."

Benoit Sepulchre
Head of IT Platforms at Belfius

 

Adjust to the new normal

For Belfius, the aim of this transition effort was not just regulatory readiness, but also more control, flexibility, and quality throughout their IT environment. By shifting their SIAM layer in-house, the team at Belfius has also been granted greater insight into and ownership over their relationships with their partners.


"This new operating model is not only a new type of contractual relationship with infrastructure suppliers, it is a fundamental step in our transformation towards a hybrid platforms strategy, where all platforms must be offered as a service to the DevOps teams."

Benoit Sepulchre
Head of IT Platforms at Belfius



Anton Wilsens is the managing partner for Belfius at Kyndryl.