BHOLD Controls deliver improved access governance to international bank

Like any bank, Triodos Bank takes access governance very seriously. Banks, perhaps more than any other industry, need to contain worker access to their IT systems. To prevent internal fraud and in order to comply with international banking regulations it is fundamental that Triodos has the ability to closely monitor and control employee access to its finance systems. However, the bank has grown rapidly in recent years and it recognized that its current manual access governance processes would soon struggle to cope with the growing size and complexity of its enterprize.

“KPMG raised our awareness that it would be very difficult to sustain our current processes satisfactorily if our employee numbers continued to increase. We decided to take a proactive approach and implement a new, automated access governance process that would improve our ability to regularly monitor and control access to our finance applications.”
-Michael Jongeneel, Chief Operations Officer, Triodos Bank

Triodos Bank was established in 1980 in The Netherlands. It offers a pioneering banking model based on investing in ethical, sustainable organizations. The bank is growing at a phenomenal rate. In 2009 it announced a 73% growth in lending and commitments; funds grew by 30% and customer numbers increased by 50,000. Naturally this growth is reflected in the increasing size and structure of the organization. In the same year, Triodos' employee figures increased by 21%. This growth is primary reason for taking up Acces Management solutions.

Additionally the bank's auditors, KPMG, indicated in a report that if employee figures continued to grow, the manual processes the bank had in place to control access to its IT systems would struggle to keep up with demand.

In recent years international banking regulations have focused increasing attention on banks' access governance procedures. This put additional pressure on Triodos to improve its ability to manage and monitor employee access. 

Triodos' manual access governance processes were not only a potential compliance risk, but they were becoming increasingly labor intensive. Control over access to Triodos' core banking application was managed locally at the bank's ten international locations. Like any organization that is rapidly growing, Triodos was experiencing an increase in internal movement due to job changes and promotions. It needed an improved access governance system that would allow it to quickly respond to changes in employee access requirements and enable it to centrally monitor and govern access policies.

Michael Jongeneel, Chief Operations Officer, Triodos Bank commented, "We had satisfactory access governance procedures, but these were based on intensive manual processes. People move departments and roles a lot more frequently these days. Analyzing those changes and ensuring each individual has the right access certainly isn't something you want to be doing manually." He added, "KPMG raised our awareness that it would be very difficult to sustain our current processes satisfactorily if our employee numbers continued to increase. We decided to take a proactive approach and implement a new, automated access governance process that would improve our ability to regularly monitor and control access to our finance applications."

The Solution

Triodos Bank enrolled the assistance of KPMG to investigate its options for a new access governance solution. Under KPMG's guidance the bank selected the recently released software solution from BHOLD, BHOLD Controls.

Maarten Stultjens, Business Development Manager, BHOLD commented, "BHOLD Controls has been developed in conjunction with IT auditors to ensure the product is designed to meet their specific needs. It was therefore a good fit for Triodos, who required an extensible process for semi-continuous monitoring and auditing of their access rights."

Michael Jongeneel added, "We started on the trajectory to understand the available tools and processes, but soon discovered that it's a very complex subject. With the help of KPMG we researched a couple of tools on the market and selected BHOLD Controls. BHOLD has very clear experience in access governance and they came highly recommended by KPMG whose guidance and judgement we trust. We were looking for a long-term, sustainable partner and felt that BHOLD would fit well with the way we like to do business."

The Benefits

BHOLD Controls is an analysis tools that enables auditors and security managers to perform a complete check on who has access to what systems and immediately discover violations. Once unauthorized access has been detected it can be rectified, thereby achieving a demonstrable reduction in security risks.

Triodos Bank worked with KPMG to review its existing access policies and define its proposed business rules.

Michael Jongeneel commented, "BHOLD will monitor and report on access rights based on the rules the business has imposed. It's therefore important to get those rules right and KPMG were able to assist us with this exercise. We cleaned up the people in the system that shouldn't have been there and fine tuned our business processes. We updated our process for granting new co-workers access and ensured we have a robust system for controlling access going forward. "

The software can be used to run reports as regularly as an organization requires. Triodos Bank is currently running a report every six months to monitor its access rights. Reports on access violations are sent to local managers who then either amend the access rights or explain the deviation so the business can refine the business rules.

BHOLD Controls has provided the bank with an effective way of controlling its access rights. By removing the manual processes it has not only delivered greater efficiency, but has substantially decreased the risk of manual error. Perhaps more crucially it has given the bank a reporting tool to prove to auditors that it is monitoring and controlling access.

Michael Jongeneel said, "BHOLD Controls has enabled us to get to grips with controlling who has access to our core banking system and what they can do in it. We now know more accurately who has access to what, and also important, we can prove it."

Triodos' core banking system is one of more than 100 applications used across the enterprise.  Although the bank is still only in the early stages of roll-out, it will scale the solution to more applications in the future to provide even greater control across the organization.

Michael Jongeneel concluded, "Most banks will have some authorization monitoring in place, and if they don't they really need to get started. We have positive results from working with BHOLD Controls. It gives us complete control over access governance and even more crucially for compliance purposes, it provides us with the ability to prove that we are in control."