Nordic bank DNB ASA centralises IT data with ServiceNow to reduce risk and boost compliance

 

DNB ASA is the largest financial institution in the Nordic region, with combined assets of more than NOK 1.9 trillion (USD$190 billion). The bank prides itself on its digital capabilities - where, for example, if you are a Norwegian citizen and apply for a loan, the whole process is digital, automated and can be approved in minutes.

However, this level of digital maturity, combined with the need for banks to bolster their risk and compliance regimes post-2008, means that DNB ASA needs to have stringent IT governance structures in place. With approximately €500 million IT costs every year, 1,200 IT internal staff, as well as up to 1,000 external IT consultants, you can imagine this isn't a simple task.

To tackle this and reduce its IT risk exposure, DNB ASA is standardising on ServiceNow as its CMDB, using modules out of the box wherever possible - allowing it to gain better insight into its systems and process, whilst reducing manual intervention and an over-reliance on spreadsheets.

We got the chance to speak to Anne Kristine Næss, enterprise architect at DNB ASA, about the bank's continuing shift to ServiceNow and the impact its having on the organisation's risk profile.

Our conversation forms part of ServiceNow's virtual event Knowledge 2020, which you can access here. To check out all of diginomica's coverage from Knowledge 2020, you can access our dedicated resource hub here.

Næss explained how she was brought on board at the beginning of last year to build on the bank's implementation of ServiceNow, which started in 2017. The initial use case was to use the Now platform to boost system monitoring and reduce downtime of applications. She said:

We've bought almost all the modules from ServiceNow, apart from the HR module. The important reason for doing so is to have a unified database. There's so much data that we share across so many people, and there's such enormous amounts of money at risk for just the IT dimension of this. And if we are to have separate tools for the governance processes, that would increase our complexity to such a degree that I'm not sure we could keep on delivering economically efficient services anymore.

We also have all these internal and external audits, because of all the laws and regulations for this, so we have to provide lots of reports and materials all the time, stating that we have things in order.

I joined in 2017 because DNB had important customer facing services that were down for long periods of time, which happened several times every month. The first part was to get on board change, process, as well as incident, problem and monitoring.

Once we had done this, the fact that we needed the complete database was the next big issue. So we also bought discovery, so that we could automate the building of the CMDB.

Data is the key

DNB ASA is now using ServiceNow to execute on areas such as software asset management, as well as managing IT financials. On the former, Næss explained that given the size of DNB's IT estate, licensing can cause a huge amount of extra cost for the bank. Using ServiceNow it is able to track how many active users it has, monitor licensing, as well as do vulnerability scans across all of its equipment. This is helping to reduce the burden and cost of manual administration, but also, again, reduce the risk for the organisation.

The key part of this, though, is getting away from the use of Excel spreadsheets and having a centralised data model for IT. Næss explained:

Previous vendors relied a lot on Excel. But part of doing the transition was to make sure that the Excel information was transferred to our CMDB. And also that the teams were using the monitoring tools to test the data. Data is the most important factor. What we are seeing now with the risk process is that we use the same data there. We have risk profiles added to our business applications in the bank and we also relate the risks to the organisation dimensions - all the system users, all the department structures are present in ServiceNow.

All of this is a major business case for us, both in terms of security and economically.

Whilst using ServiceNow as the bank's CMDB for IT, Næss said that wherever possible she is encouraging the use of modules as they come - out of the box. She provided an example of a previous IT financials project which hadn't followed this guidance and as a result was missing out on new functionality. Næss said:

One of my major responsibilities is to make sure that we have tried out of the box first before we do any kind of tweaking. The project I'm spending the most time on right now is IT financials. The previous project ended up creating a lot of stuff on their own, which is sad because if they had spent the time correctly we would have come so much further and could have used so much of the good, new things coming from the latest ServiceNow releases.

We are a team of architects making sure we are the watchdogs for all the other projects and implementation teams, to make sure that the out of the box version is the best practice set up.

Benefits

Næss said that the benefits of using ServiceNow across IT have been "huge". And given the benefits that have been realised already, DNB ASA is considering extending the use of the platform outside of IT across the group to broaden the management of risk.

DNB ASA is also hoping that this superior approach to risk management, which doesn't rely on Excel, means that the bank can reduce the reserves it is legally required to hold in case things go wrong - by boosting its credit and risk scores. Næss said:

The cost of downtime on customer facing solutions is not easy to count, but we might have lost fewer customers...to put it that way. We also have reduced the staffing on the change management team, because the process is easier to handle on ServiceNow. Also, for the risk processes and the governance processes that have been using manual labour from Excel spreadsheets. We have had lots of expensive external consultants from Accenture and such to cover these areas, so we have been able to cut down the costs of that.

Also, based on our credit score and our risk score with some external auditors, we have to retain a certain amount yearly. That's some percent of our yearly revenue we have to store in case we have a catastrophe - that money could be spent much more wisely. Now that we have better processes in place, it makes it possible to gain a higher score on that scale and reduce the amount of money we have to set aside for bad days.