Posted by: David Schneier
assessment, Audit, bcp, business, business continuity, business continuity planning, compliance, disaster recovery, DR, GLBA, NCUA, regulation, regulatory, Regulatory Compliance, risk, risk assessment, vendor, Vendor Management
One of the oddities of my career is how some issues present themselves in a wide range of my clients despite the fact that there’s often no meaningful way to compare them in size. Some have a single compliance person who is part Compliance Officer and part Information Security Officer, and some have true CISOs, Chief Compliance Officers and even Chief Risk Officers who themselves have teams of resources reporting into them. And so you’d think that many of the challenges that confront them would look about as different. Sometimes they do, but many times (and more than you’d likely believe) they’re all staring down the same exact problems.
Most of what I do falls under GLBA-defined requirements and what that really means is that any institution I work with has identical goals. The designs of the related programs and procedures certainly can look different because everything that falls under the guidance of FFIEC is supposed to be adjusted based on the size and complexity of your institution. But they all need to conduct risk assessments, they all need to have current, up-to-date and recently tested business continuity plans, they all need to have viable vendor management programs and so on and so on… And I have many years of experience building out and/or supporting these very activities and know quite clearly what works, what doesn’t, what presents well to the examiners and what falls well short of expectations.
Sometimes though I’m caught off guard when a client rejects my advice because they’re confident that what they’re doing or intending to do is consistent with their examiners’ expectations. I’m a fan of confidence, I sort of dabble a bit in the discipline myself and appreciate how it can be very effective when trying to sell something to the audience. But with regards to compliance there’s really not a whole lot of wiggle room. In fact sometimes it can be interpreted as binary – either you’re compliant or you’re not. So when I encounter a client who hasn’t updated or tested their BCP in years (if ever) and tell them that’s going to be a problem with their regulator, I recoil when their reply is the dreaded “well the examiners haven’t had anything to say about it”. “Yet”, I typically reply, “they haven’t had anything to say about it yet.” Just because the examiners haven’t dinged you for something doesn’t mean that you’re in good shape; it often means that they simply had bigger issues to focus on and haven’t quite gotten to it. I have a list longer than my arm regarding vendor management and the common mistakes most institutions make and how those mistakes are going to lead to trouble with the examiners. But when I bring this to the attention of the appropriate stakeholders I’m often treated as though I’m simply trying to sell them my services and not giving them solid advice. It can be very frustrating, particularly because our practice was built on giving out solid and oftentimes free advice. We’re willing to make the trade-off between generating revenue and doing right by our clients. However, you can lead a horse to water, but, well y’know.
I have an idea, maybe a great idea, that might help solve the problem. What if the examiners created a list of findings and issues culled directly from their reports and compiled them in a repository? They could make the verbiage appropriately anonymous to avoid any privacy issues but share with the public what it is they’re finding out in the field. The findings could be sortable based on the related requirement and/or size/complexity of the institution so that any institution that shares the regulator can figure out where they may have issues. Remember, the purpose of compliance, and of the regulators charged with ensuring that it’s being addressed satisfactorily, is to protect us, the customer. So it’s a very good thing to use all available resources to make sure that everything that can be done to make that happen is being done. If your bank or credit union is able to access such a repository and use that information to identify where they’re weak or deficient, doesn’t that help protect all of our sensitive information? And it also removes the thin veil of ignorance associated with the logic that just because your examiner hasn’t documented any issues with a particular activity, that must mean that you’re doing things right. And when a client tells me that they don’t need to conduct a periodic review of all high risk vendors I can show them where that’s recently been an issue in a report. Or when they tell me that testing their DR plan satisfies the need to test the BCP it’s part of, I can show them how that logic failed to hold up under recent scrutiny.
Really in the end this isn’t so different than what happens now. All of us practitioners gather information from the field regarding what the examiners are focusing on and use that information to update our own guidance and advice. For example, when we recently heard that examiners are looking for greater scrutiny to be placed on SLA tracking as part of the vendor management program, we made sure to include that advice in any of our audit and assessment reports. But why should the industry need to rely on an informal approach? Why not make it formal, take ownership and put the right information in the right hands to effect the desired results?
Is this idea a bit self-serving? Sure, at least a little. But really in the end, if it helps get the right things done and in place, who really cares? If I can prove to a client that a Red Flags program that’s recorded only a handful of incidents during the previous twelve months is likely ineffective, and be able to get them to do something about it, everybody wins. And can something like the proposed repository actually happen? Maybe. I’m sure the lawyers would weigh in with all kinds of issues. But it’s difficult to argue against the merits of such an offering, and in this age of greater accountability this would potentially be well received.
Anyone have any better ideas?