Access Interview: Shavkat Akmalov, Head of Internal Audit and Information Security at AccessHolding
By Ivana Mitrovic
Shavkat is a banking professional with 19 years of experience. He joined the LFS Head Office in 2010, previously working in various network banks and projects in Uzbekistan, Azerbaijan, Liberia, and Indonesia. He has led the operational audit, technology assurance, cyber and information security of AccessHolding group since February 2018, after the merger of LFS with AccessHolding. During his career, Shavkat participated in the group’s major transformation, technology and development projects, and he is a technology passionate.
100 controls and no cyber culture is a way higher risk than having only 10 controls but the cyber culture.
Shavkat, you have worked for many years in AccessHolding, and you are heading the group’s operational and IT audits, cyber and information security; tell us a bit about your team and role.
Hello, and thank you, Ivana, for inviting me. The team and the team’s achievements are my motivational boosters, and I am happy to be boosted regularly. A few interesting facts about the team: the most diverse and multicultural team, the first-time talent promotion from a group bank to the headquarters, the first group competence and know-how organised outside of the headquarters – in Lagos, experience in twenty countries, more than eight languages spoken, more than 50 successful projects. Our team primarily focuses on the third pillar of our corporate governance and the internal control system of our group banks – audit, and the second pillar – cyber & information security, including Data Privacy.
Our role is to promote advanced practices and solutions, talent development and effective management of capacities, governance and organisational improvements in auditing, technology assurance, cyber and information security, and data privacy. Let me translate those fancy words into a few practical examples: we are developing advanced audit capabilities in our banks through agile audit methodologies, application of technology advancements in the audit and data-driven assignments and decision making; technology assurance through continuous benchmarking and maturity assessments, emerging risks and deep technical compliance with global standards and best practices; a successful deployment and a fast-track maturity gain in cyber and information security through tailored three pillar strategies.
In 2022, you became a team member of exciting transformation projects in our bank in Georgia. Would you like to share the projects’ objectives and scopes, your role, and your main takeaways so far?
Credo Bank’s people are amazing, I am happy to be part of their success, and it is always great to visit the country – cuisine I recommend. Indeed, the transformation you asked about was the next logical step after the smoothest and most successful integration and migration of business, technology, and data following the acquisition of FINCA Bank Georgia by Credo Bank. We employed tailored risk and quality strategies and the group experiences we had had from similar past transformations, which resulted in the shortest business downtime ever on the night of Go-Live and Credo Bank, achieving way below 1% of the impact level on the business availability and high customer satisfaction. What I like about mergers, integrations, and migrations is that in all difficult changes, besides gaining valuable experiences, you also observe many opportunities for business, efficiency, resilience, security, and effective controls. All these, combined with the Credo Bank’s management vision and strategy and having seen impressive growth, innovation, and digital transformation in the bank, led us to think ahead and identify several transformative projects with forward-looking objectives and values.
There were several interesting projects, and I was involved in Technology, Cyber & InfoSec, Audit, Internal Control, and Continuity. It will be a long if all the outcomes are listed, but to give a few practical cases, we achieved a big maturity leap in Cyber and InfoSec within 12 months by implementing the three-pillar strategy, agile technology governance and architecture followed by new solutions and processes, data-driven internal control supervisions and analytical dashboards on various risks. In one of our exercises in one of the projects, we achieved 300+ updates in the current technology solutions, increasing the resilience, security, and processing times, ultimately transforming into a more considerable value to customers and the bank.
Access group operates in Sub-Saharan Africa, where your team is very much engaged in supporting the group’s members. How would you define the impact of the digitalisation process in our network on your team’s skills and knowledge? What would be, people-wise, the main challenges and impediments you face daily?
Indeed, we are much engaged: I have been so many times to all our countries of our operations in Africa and have seen and been part of not only the inception of those banks but also their growth and maturity, and later their digital transformation. I highlight four impacts of new technologies and digital transformations: Capacity, Speed of change, Data and Compliance. Capacity is about people’s ability to change and learn new skills, experiences, think out of the box, and develop, attract, and retain talents in competitive markets. Then, you add the speed of current changes, including digital transformations and new technologies impacting organisational and cultural changes. And data is becoming the gravity for decision-making and many more opportunities. Furthermore, compliance is getting complex and ever-increasing, if you look at the last three years’ development of the landscape of regulations and standards we operate in, e.g., banking, auditing, risk, technology, security, and privacy. All these bring new challenges to the leadership of our teams, including being able to lead their teams and motivate them, especially being a role model.
How do you see the role of technology in the banking business? How can technology be used smartly without stressing and overstretching the internal systems and resources?
I often say during professional discussions that the technology is not only the business support, but already is the business. I love technology and employ it myself, though, so I am biased. In one of the recent transformations, we have seen technology becoming the backbone of the organisational structure, which is quite impressive but also comes with its emerging risks. One of my most used examples is imagine controls executed by 100 cashiers at 80 geographical locations for 1,000 transactions versus 1 technology for 1,000,000 transactions across unlimited geographical locations.
In a classical business model, the quality of control depends on your policies, procedures, onboarding, and continuous training of employees, so very much person and behavioural-dependent, and as a result, you get various effects of the same control multiplied by the size of your organisation. On top of it, your risk management and auditors shall supervise and ensure all those controls are continuously applied across your organisation. Technology brings significant efficiency and effectiveness improvements into internal systems and resources by standardising and harmonising qualities and simultaneously scaling the controls beyond our organisational physical boundaries. Continuing the example of mine, all of a sudden, the previously observable controls, where people could ask questions, see documents, interact, etc., have transformed into technology source codes, channels, and architectures, creating a vacuum between current knowledge, experience, methodologies of our people and new transformative solutions. This might stress and overstretch your teams, resources and people in charge of the systems if those transformations are not followed by new ways of doing things, e.g., new skills, learnings and experiences, advanced capabilities and methodologies, change in processes, and importantly use of data, etc.
What are our network experiences regarding the benefits and risks or traps of technology-driven banking?
Technology is transforming our lives and works, from being E-mail, Excel and shopping experiences to a more embedded part of how and why we live and work. Technologies create new jobs, enhance careers, and provide impressive AI diagnostics to doctors, and we can list tons of those benefits, including in the banks. So, let me then focus on the risks and traps here.
First, technology has its own physics and laws across several dimensions, and enterprise architectures in the banks, like massive engines, utilise those dimensions to transform business inputs into values and profits. Any innovation or transformation as a new addition to that massive engine without proper change management might lead to ever-growing technology debt, frequent technology failures, and firefighting as a new section in your job profile. There shall be cooling periods, too and focus on qualities and various homework.
Second, besides being one of the most regulated industries, banks are complex structures, including culturally and uniquely for the purpose and core business model they are built for and operating in competitive and thin margins. Innovations and digital transformations shall be net of hype and emotions, or even hierarchies unless you do not care to lose millions often and continuously disrupt and stress your people, culture, stakeholders, customers, and business model. Innovations and technology can hurt and be very painful, too.
Third, integration and data-driven innovations and technology are seen in the front-end experiences, but the power is generated at the backend and by the data. Backend includes effective and efficient integrations of your technologies, including ones with your third parties, and your people, processes, controls, security, etc. Big Data and data-driven business transformation and decision-making can be as powerful as innovation, especially since data is the best side-effect of digital transformations and new technologies.
Thank you for the interview. At the end, could you share your most valuable and favourite lesson learned or a quote?
Thank you to you too. Well, there are several depending on the case, but in the interview context: “100 controls and no cyber culture is a way higher risk than having only 10 controls but the cyber culture.” The number of controls shall not comfort and assure cause continuous education and awareness in transformations are better effects. That is why we prioritise our teams, people, and customers and continuously educate them on technologies, transformations, digital solutions, new emerging risks, and compliances.