A complete and innovative solution for the Digital Information Risk Management in the Financial Industry

Managing risks in the financial industry is a complex task, and banks are engaged in risk governance at several levels. With the rise of the Digital Information age the task of protecting information assets and keeping systems and ICT infrastructures aligned with the pertaining business processes became a lot more difficult.

Oil & Energy


Almost all of governing bodies and the different entities supervising financial markets, in all countries of the world, are imposing a strict management of Digital Information Risk Management, and of the overall ICT infrastructure security, requiring Banks to have in place an integrated and robust Risk Governance framework. The Risk Governance Framework shall generally be monitored and approved at board level, with unified methodologies for qualitative and quantitative measures and analysis of ICT risks, and reflecting adequate management for all risk beyond the appropriate levels.

Client Description

The Client is one of the top five retail banking groups in Italy by branch number, part of one of the top five European banking groups by capitalization and overall reach.

Client Needs

  • Coordination difficulties where experienced in all compliance activities, namely in the company practices and processes related to multiple and disparate regulatory and statutory frameworks;

    • Compliance management needed an overall improvement, in terms of process uniformity, and the respect of regulatory standards for all the different business owners of all company departments;

      • Need of the adoption of an aggregated model for risk management, providing an integrated view of different risks on multiple layers;

        • Integration in the new framework of the implemented monitoring points, and of the pertaining metrics already in place;
Screen Infosync RM
Infosync Architecture

Esc2 Value Added Solution

Esc2 analysts, based on the findings worked with a methodology built on a holistic vision of Risk Management, and set up the project aiming at the following goals:

  • Realization of Risk Summary overview by business service and department, functional areas, and IT and Business process, calculating and weighting values based on Risk Management best practices such as COBIT and ISO 27005, as well as retaining the ability to flexibly include country specific regulations, or company standards;


  • Collect and reuse all already available information (i.e. produced in projects), and the streamlining of the field assesment methods;


    To successfully implement a solution covering all of the client requirements and more, the Esc2 team proposed the INFOSYNC RM™ solution, the team’s answer to Compliance, Risk Management and Security needs. The solution fully engineers and automates the steps of collection, analysis and assesment of all information pertaining the evaluation of ICT risks, and the evaluation of their sustainability according to the business that has to be protected and of the potential legal, compliance and reputational impacts, so to ultimately reduce the measured exposure to underlying risks to acceptable levels.

    With the adoption of Infosync RM™, the client had access to a powerful and integrated framework for multilevel risk management.The platform unified view allowed a faster scenario analysis, connecting risks to the related assets, processes and infrastructural layers, streamlining and aligning the internal Audit processes for all the management levels involved, and the ongoing preparation and deployment of risk treatment and mitigation plans.

    Why Infosync RM?

    One of the key success factors making Infosync RM™ ideal for the Client is the methodology embodied in the solution through extensible and customizable libraries, fully reflecting all best practices, international industry standards, and regulatory and statutory frameworks applicable to the Client context. This ground breaking approach allowed the Client to achieve all the following goals:

    • Creation of a unified and integrated view of all ICT risk components;

      • Sharing of information between business functions responsible for the ICT risk management in an effective, timely and exhaustive way, allowing for mutual collaboration;

        • Fair risk value attribution in the decisional processes related to the ICT service infrastructure evolution;

          • Support for the processes of ongoing compliance to internal policies and external statutory and regulatory frameworks;

    Client Experience

    During six months of adoption, with progressive asset evaluation and modeling of risk scenarios, the Client successfully created the annual compliance reporting, exceeding the management initial expectations regarding the respect of company policies and of the pertaining statutory requirements.

    Key Benefits

    1. Compliance with local BankItalia directives of the regulation 263 Cap VIII, the new supervisory mandates for the banking industry;

    2. Standardization of the computational model and risk evaluation;

    3. Across the board Risk evaluation, results comparison and measurability on different time frames;

    4. Automation of risk weighing, based on frequency and assumed impact of historical and potential incidents;

    5. Ongoing operational models adjustment based on field assesment resulting from projects, ICT infrastructure and incident management;

    6. Complexity reduction with regard to Internal Audit counterparts;

    7. Adoption of standard measurement and values in risk treatment (Cobit5, ISO 27001, Privacy Law);