The financial industry in Japan has seen a growing number of financial groups or conglomerates being organized since the Japanese antitrust law was revised in the late 1990s to make it easy to establish a holding company and form a company group.
Now, as emerging technologies evolve globally, IT has been contributing to more and more effective and efficient company operations, enabling not only digital transformation, but also new business model creation by using innovative technologies.
Under these circumstances, holding companies of financial groups in Japan are seeking opportunities to create value for stakeholders through business integration with innovative start-up companies and providing their group companies with centralized and shared IT services so all can enjoy the benefits of their group synergy.
Growing Importance of Group IT Governance
Prior to 2016, the Banking Act[1] in Japan imposed some business restrictions on financial groups. These restrictions created a structural impediment to investing in digital innovation or financial technology (fintech) companies and to further development of the fintech sector. These investment restrictions also prevented financial groups from integrating their duplicated IT operations into shared IT services operated by an IT service subsidiary.
The Financial Services Agency of Japan (FSA) undertook an initiative to amend the Banking Act to respond to environmental changes such as the evolution of technologies. The Banking Act was revised in 2016, and those regulatory barriers have been removed.
As a result, financial groups in Japan are moving toward the acquisition of fintech companies and the consolidation of their IT service operations. These moves have magnified the importance of group IT governance. A holding company whose group is challenged by this kind of transformation needs to establish and strengthen its group IT governance system to create value for stakeholders, including shareholders, global customers, the management team and employees of the group companies, the global economic society, the FSA and local regulatory agencies worldwide.
IT Governance as an Area of Group Governance
For the holding company of a financial group to create value for its group stakeholders under the aforementioned legislative environment, it needs to establish effective group governance over its financial business group companies. Just as IT is a key functional area for enterprise operations in today’s emerging technology era, IT governance is a critical element of enterprise governance (figure 1).[2]
Figure 1—Position of IT Governance in Group Governance
The holding company of a financial group needs to perform 2 major, essential functions: oversight of its group companies and management of shared IT. Oversight and shared IT can be seen as a pair of wheels on a car to drive a financial group toward value creation for the group’s stakeholders. Note that this concept can be applied to all other governance areas, but only IT governance is discussed in this article.
A Pair of Wheels: Oversight and Shared IT
A series of discussions with various financial groups has revealed that the essence of group IT governance is the holding company’s oversight of each group company’s IT management and its management of shared IT (figure 2).
Figure 2—A Model of Group IT Governance System
Oversight of each group company’s IT management—Oversight by the holding company is enabled by designing and operating the governance system. The governance system design includes the framework design for the governance of the group companies’ IT. The governance system operations include the setting of the group themes/strategies and the supervision of the group companies’ IT.
Management of shared IT—The shared IT services are introduced by the integration of common and/or duplicated operations within the group into the shared IT services managed by the holding company. Usually, it is outsourced to a group company whose operation includes IT service delivery to other group companies. Shared IT mainly includes development and operation of the common IT systems such as the financial reporting system, human resources (HR) management system and core business application systems, but it also includes support services to the group companies’ IT management, such as project management office support and implementation support of other IT processes defined by COBIT 5. In addition to traditional shared system services, the shared IT sometimes includes the delivery of digital innovation or fintech services by start-up companies acquired by the holding company. Managing the shared IT (i.e., shared systems and fintech services) is the responsibility of a holding company.
A holding company oversees the IT management of each group company, while a part of the group company’s IT management depends on the shared IT services provided by the holding company. It has been recognized that this kind of combination of oversight and shared IT management by the holding company is key, just like a pair of wheels on a car, to enable effective and efficient operations as a group and to drive realization of the benefits of group synergy.
In addition, it should be noted that the oversight can uncover new stakeholder needs that can be used as feedback to improve the shared IT services to the group companies.
Structure of the Group IT Governance System
The structure of the group IT governance system consists of oversight and shared IT management, as described in figure 3. Of course, the contents of the group IT governance system are likely to differ from group to group, based on stakeholder needs. The system should be constructed by utilizing the guidance provided by COBIT 5.
Figure 3—Structure of Group IT Governance System
Design of Governance System
First, a holding company needs to design a framework or governance system to oversee the group companies. Section 1.1 of figure 3 describes the items to be designed.
The COBIT 5 framework provides 5 guiding principles for IT governance. Among them, principle number 4, Enabling a Holistic Approach, together with the enabler model defined in COBIT 5, should be considered good guidance for the framework design.
Basic policies should define the principles and policies for group IT governance. This corresponds not only to an implementation of the COBIT 5 Principles, Policies and Frameworks enabler, but also to the Culture, Ethics and Behavior enabler in some cases.
Organizational structure design is clearly meant as an implementation of the Organizational Structure enabler.
The remaining items or processes correspond to the Processes enabler. The COBIT 5 process reference model,[3] especially its Evaluate, Direct and Monitor (EDM) processes, is an informative guide for these processes.
Operation of Governance System
Second, a holding company needs to operate the framework or governance system, which includes the setting of a group IT theme/strategy and supervision of each group company’s IT management.
A holding company should select IT themes as the direction in which the group should go. This activity is suggested by the guidance of the COBIT 5 principle Meeting Stakeholder Needs. The stakeholders and their needs are identified, the governance objectives are set to value creation, and the stakeholder needs are cascaded to enterprise goals and then to IT-related goals or the IT theme/strategy. Needless to say, the group management issues that have been identified from the experiences of the governance team would be integrated into the themes as a part of stakeholder needs. Development of an action plan, including the implementation of resource enablers, such as Information; Services, Infrastructure and Applications; and People, Skills and Competencies, follows as the setting of group IT theme/strategy.
A holding company should then supervise its group companies’ IT management. This consists of group IT risk management, communication with the group companies and monitoring each group company’s IT management.
Japan’s FSA has been strongly interested in risk management for a whole group as a key role of IT governance since it is thought that the financial system is one of the most important social infrastructures and its reliability and security are crucial. From a global standpoint, the Bank for International Settlements recently released a guideline, “Corporate Governance Principles for Banks,”[4] in which risk management for the group is one of the key functions of a holding company’s group governance. In such circumstances, the group IT risk management is identified as the first item of the supervision of each group company’s IT management. In addition, communication management as well as monitoring of group companies’ IT governance and management should be performed.
Management of Shared IT
Last, a holding company should provide its group companies with shared IT services to obtain group synergy. The shared IT could be infrastructure and application services as well as supporting services for implementation of local IT management processes.
The FSA’s recent deregulation enabled financial groups to integrate common or duplicated operations into shared IT services operated by an IT service subsidiary to minimize cost and maximize performance as a benefit of group synergy.
Furthermore, shared IT services can be a tool for enabling non-IT governance. The business and corporate departments of a holding company have their own governance system (figure 1), and they may introduce shared IT systems and require each group company to use them in order to perform their group governance effectively, e.g., group accounting systems for group finance reporting governance and group HR management systems for group HR development governance.
For these areas, it is obvious that the COBIT 5 process reference model provides valuable guidance. In addition, the COBIT 5 enabler model gives organized viewpoints to implement the governance and management of the shared IT.
A Case of Oversight Practices Over the Group Companies
In a property and casualty (P&C) insurance group in Japan, as a part of its oversight framework, the holding company oversees each group company’s IT management by setting a group theme/strategy to improve key process capabilities, directing its group companies to implement a plan-do-check-act (PDCA) cycle for the improvement of their capabilities and monitoring the group companies’ PDCA activities (figure 4).[5]
Figure 4—A Case of Oversight Practices at an Insurance Group in Japan
From its own standpoint, a group company executes a PDCA cycle that consists of 5 steps:
- Assess capabilities.
- Develop improvement action plans.
- Consult the holding company.
- Determine and report.
- Improve capabilities.
A Case of Shared IT Service Practices
Typically, the shared IT services include infrastructure services as well as application services, but a case study illustrating either of those has not yet been obtained. Instead, a case for supporting service delivery is presented in figure 5.
Figure 5—A Case of Shared IT (Support Services) at an Insurance Group in Japan
In the aforementioned insurance group, the holding company delivers and manages the IT management supporting services to the group companies as the shared IT services. Those include project management office (PMO) support and other supporting services to the local IT management, whose needs have been identified by the monitoring of the group companies under oversight and/or have been requested by the group company itself.
Generally speaking, the result of the oversight helps a holding company recognize the shared IT service needs to improve a group company’s IT management, and the delivery of the shared IT services improves the group company’s IT governance, which can be recognized through its oversight process. In this manner, the holding company of a financial group can improve its group IT governance and effectively create value for its stakeholders with a pair of powerful wheels—oversight and shared IT.
With the globalization of the economic environment, as well as the evolution of digital innovations, the establishment and implementation of a group IT governance and management system has been playing an important role in enabling financial groups in Japan to create value for their stakeholders.
The essence of group IT governance is oversight of and shared IT service delivery to the group companies. The oversight of the group companies and the operation of shared IT systems (and support for those functions) have become a pair of wheels enabling holding companies to drive financial groups to deliver more effective governance for value creation.
In such a way, financial groups in Japan can create value for their group stakeholders with digital transformation under the current legislative environment.
The content of this article is based on the author’s personal opinion and does not reflect an official position by Deloitte Touche Tohmatsu LLC.
Yuichi (Rich) Inaba, CISA
Is a senior manager at Deloitte Touche Tohmatsu LLC where he has been engaged in advisory services for the financial companies from the various aspects of IT governance. Previously, he was a manager at the holding company of a global insurance group based in Japan, where he had engaged in the implementation of a group IT governance system for the group by using COBIT 4.1. Subsequently, he was a senior consultant specialist in the areas of governance, risk and compliance (GRC); IT governance; risk management; and information security at the IT service company of the group, where he implemented a GRC system for the IT service company of the group by using COBIT 5. He is a member of the Standards Committee of the ISACA Tokyo (Japan) Chapter and is currently working on the translation of COBIT 5 materials into Japanese as well as advocacy of COBIT 5 in Japan.
[1] Financial Services Agency of Japan, English Translation of Banking Act, Act No. 59, Japan, 1 June 1981
[2] Inaba, Y., “Creating Value with an Enterprise IT Governance Implementation Model Using COBIT 5,” COBIT Focus, 23 May 2016
[3] ISACA, COBIT 5: Enabling Processes, USA, 2012
[4] Bank for International Settlements, Basel Committee on Banking Supervision, Guidelines, Corporate Governance Principles for Banks, July 2015
[5] Inaba, Y.; H. Shibuya; “Executive Management Must Establish IT Governance,” COBIT Focus, vol. 1, 2013