Higher software literacy has led to growth in ‘shadow IT’ development by employees outside of IT departments. This is recognised as a growing risk, finds Nicholas Pratt.
‘Shadow IT’ might have gone on since the days when portfolio managers created their own spreadsheets in Excel – and perhaps still do. But IT managers are increasingly concerned about colleagues outside of the IT department whose skills are now good enough to develop their own applications. The practice potentially exposes firms to regulatory penalties and cyber crime.
A survey of IT directors and chief technology officers by tech consultancy Sionic found 93% of asset management firms have employees creating and designing their own applications. A combination of more advanced programming languages and increased IT literacy has led to this.
The practice is supported and actively encouraged by almost a third of firms, not least because it speeds up the pace of IT development and allows portfolio managers and other front-office staff to create more sophisticated tools suited to their own preferences.
However, it creates risk. The survey showed nearly two-thirds of respondents saw this kind of tactical IT development as a medium to high operational risk if the development is not managed within a controlled environment. Risks include the use of unlicensed software, unverified data sources, spiralling data costs, exposure to cyber crime, and the use of code that is neither tested nor supported.
According to Sionic partner Clare Vincent-Silk, this industry trend not only raises questions about the best way to manage IT risk, but also the future role of IT departments and directors within asset management firms, with IT directors potentially taking on responsibility for IT governance and development that fall outside of their own department.
Fewer firms are building technology as opposed to buying, and more time is spent on IT integration rather than development. Consequently IT heads could become more focused on other areas such as cyber awareness, data science, IT infrastructure and what Vincent-Silk terms the search for ‘operational alpha’.
The research was carried out as part of Sionic’s Signals forum, which took place in December 2020 with 15 senior managers at asset management firms. It found that the increase in shadow IT development is partly down to the lack of functionality in existing applications and frustration with the speed of centralised software development.
Some staff have the ability to develop more advanced and personalised applications. The practice is predominantly within the front office, among investment and quant teams that are looking to build more sophisticated data analysis tools or add their so-called ‘secret sauce’ to the portfolio construction process.
The practice of employees designing their own software, or so-called ‘stealth’ or ‘shadow IT’, is not entirely new. For example, portfolio managers have been building their own Excel spreadsheets for years, much to the annoyance of IT managers. However, the rise of programming languages such as Python and data visualisation tools like Microsoft’s Power BI has given business users much more capability, not least because they are much more accessible.
The simplified syntax and emphasis on natural language mean that code can be written easily and executed much faster than in other programming languages. The Sionic study found that Python is used unanimously for software development while Power BI is used by 61.5%. Other applications and languages used included R, Tableau, .NET and QlikView.
Managers expect shadow IT to continue, with most activity taking place in the front office for portfolio construction, research and data science. But they do also see certain support functions in the back and middle office developing their own IT in order to increase levels of automation.
While most firms have rules around software development, not all of them are enforced or up-to-date. Almost a quarter of firms (23.5%) have no governance framework in place at all, while more than half employ only a basic framework that needs to be brought up to standard.
The study also showed that there are currently tighter rules on the use of IT procurement than on software development. Almost three-quarters (71%) of firms are buying software outside of the IT function; however, 29% of firms allow procurement only in conjunction with the IT department.
In contrast, none of the firms in the study prevented areas outside of the IT function from developing their own software. Furthermore, less than half of firms’ IT functions are able to offer support and only 7.7% have managed to find a way to make this work well.
Asset managers will need to enhance their governance frameworks in order to manage the associated risks – but they will also need to ensure that employees follow the guidelines, says Vincent-Silk.
“More collaboration between front-office staff, data management and the IT function should take place to ensure a proper governance framework is in place, while more focus on risk culture and organisational awareness would ensure better adherence to the rules,” she adds.
The pandemic and the mass move to working from home have drawn the attention of regulators as well as asset managers to operational resilience.
Germany’s BaFin recently amended its rules on IT risks for financial institutions, including the rules for IT governance and application development, while the UK’s Financial Conduct Authority has used a Technology Risk Management framework developed by the Securities and Exchange Commission in the US to test the maturity of financial firms’ technology.
© 2021 funds europe