DNB takes a proactive stance on risk management

Present wherever its customers are
DNB is Norway’s largest financial services group and one of the largest in the Nordic region in terms of market capitalization. The group offers a full range of financial services, including loans, savings, advice, insurance, and pension products for retail and corporate customers.

Need to protect financial services
Banks provide such vital services that they must do everything in their power to eliminate or reduce their exposure to risk. If banking systems go down it can have a devastating effect on individual customers, businesses, or entire countries.

Whether it’s ensuring IT uptime, vetting third-party trading partners, or protection from external cyber-attacks, the need to identify and mitigate vulnerabilities is a daunting task. This is certainly the case for DNB, with an annual IT spend of more than €500m, and which has around 50 service owners handling nearly 1,000 IT-related applications, data centers, and cloud infrastructures.

In the highly regulated financial services world, DNB also needs to protect its 11 banking and financial products licenses by proving compliance with watchdogs such as Schrems II, Basel III, and NIST.

“If we had a security breach and a data intrusion it would be devastating for our reputation. We could lose our licenses to operate and get incredibly large fines, and customers might go elsewhere,” says Anne Kristine Næss, Enterprise Architect for the ServiceNow platform at DNB.

Managing risk is high on the DNB agenda, but the bank found it was impossible to do this complex job manually, using Excel spreadsheets. Too much time was taken up and when data became available, it was often stale.

The Basel III regulatory accord and the capital requirements related to DNB’s risk posture means that the bank must also put aside large sums each year as a contingency should things go wrong. The bank wanted more control of its risk and to be able to lower its risk posture to reduce capital requirements, allowing the bank to invest this money into more profitable activities such as building new digital products and features that match customers’ ever-growing expectations.

Risk mitigation based on current data
“We needed a tool that could provide us with a hierarchy where we could link nodes and deliver results that are of interest to different frameworks,” says Kristine. “We also needed to prove that policies are being adhered to which required task management so people could collect live data, see what is going on, and then do something about it.

“We have not been able to get rid of Excel entirely, but people now see that it is better to trust the data in ServiceNow than trusting their spreadsheets.” Already the user of many other ServiceNow solutions, DNB implemented ServiceNow Integrated Risk Management to manage risk for both internal services and threats from third parties.

The Software Asset Management (SAM) module and Vulnerability Response are used to track vulnerabilities around software assets which may be reaching end of life or need patches and upgrades. In this way DNB can ensure that information in its Configuration Management Database (CMDB) is correct and service owners have indisputable data to support funding for patches and other activities that make services secure.

ServiceNow Security Incident Response simplifies the identification of critical incidents and provides workflow and automation tools that speed up remediation. This enables the bank to learn from what has caused trouble in the past and add to its risk posture.

“I would also like to mention the DevOps module and the upcoming DevOps configuration where you can check code increments before they are deployed and go into production,” says Kristine. “This meets risk policies like NIST and ensures that more teams are working to best practice DevOps and providing an audit trail for us.”

Greater awareness of risk vulnerability
DNB now has a framework of centralized risk team members who co-ordinate process: risk and security champions within centralized IT and risk managers across the business side of the organization. 

Supported by ServiceNow technology, DNB has implemented a risk mitigation process with many new policies and controls designed to keep the bank safe by making service owners become more risk aware and take more responsibility. They concentrate on the timely acquisition of real-time data which enables staff to correctly assess current risks then prioritize what needs to be mitigated. They also feature automated risk assessments where service owners answer questions to address the risks they currently have, the mitigation they are about to do, and the final results. If they are successful, the risk can then be closed.

“Our work has definitely reduced risk for the bank and the evidence is the number of items we have addressed to reduce the likelihood of something bad happening,” adds Kristine. “Currently, we have a much better operational situation than we had before. That’s because we are really careful about what we put into production and we acknowledge that risk means a changed mindset, not just something to report on. This, along with our ability to report on a good risk management process, has already resulted in a noticeable reduction of capital bindings for the current fiscal year.

“We now have very little downtime on our critical services and very few problems, and if we want to stay in that position ServiceNow Integrated Risk Management comes into play because it will not allow us to drop standards. We want to provide increased customer satisfaction, zero downtime, and zero impacted services or security break-ins, and ServiceNow is helping us make that happen.”

Download PDF