Posted by: David Schneier
Years ago I built an addition onto my first house. After my second child arrived, we had simply run out of room and decided it was easier to expand our current living space than to try to find a bigger one. Plans were drawn up, work scheduled and money deposited. Two days before the first shovel was due to hit the ground, our contractor called to inform us that a recent change in town ordinances required that our crawl space be deeper than what was originally there. As a result, they would need to rip up what was in place, dig another eighteen inches deeper and pour a new foundation. Day One minus two days and the blueprints were scuttled, the schedule changed and the project under-funded (concrete ain’t cheap). But that’s just the way things tend to happen in the real world.
That is why I cringed when I recently heard a fellow practitioner describe a popular industry framework as a turnkey solution. Not only can you not use a framework as is, you can’t even accurately whittle it down and right-size it until you take it out for a test drive. Life happens, the world is imperfect and things don’t always align the way they should. Which is why the banking industry really needs to adjust its approach to compliance and take advantage of one of its greatest weapons in the never-ending battle to comply with the overwhelming number of regulations – risk management.
Seriously, it amazes me how many of my clients overlook this valuable discipline when setting out to build their controls frameworks. FFIEC guidance is very clear that every solution, every process, every procedure should be designed based on the size and complexity of your institution. What they’re telling you is that what might make sense for a $500 billion bank might not make sense for a $100 million credit union; you need to determine what you should have in place, and how you determine what you need ultimately comes from conducting a variety of risk assessments.
There’s all manner of risk (e.g. enterprise, operational, financial, information security, etc.) and an even longer list of sub-categories that belong to each of those. By identifying those myriad risk factors and assessing them properly, management is able to decide what needs to be managed, what can be mitigated, what can be eliminated and what they just don’t care about and are willing to live with. That’s how you decide what controls need to be in place and that’s when you’re ready to start leveraging the various frameworks, but that almost never happens.
Typically, when an institution decides to build out a new procedure, they download the appropriate framework and either try to use it as is or make what basically boils down to arbitrary decisions as to what should be included. It’s why I’ll often come across an information security policy that prohibits the use of company equipment to browse the Internet for non-business purposes despite the fact that they neither prevent it via web filtering nor ever enforce it. Or why policy and web filtering both prohibit access to Facebook yet the institution has a Facebook page to support its marketing efforts. It’s how so many modest-sized banks wind up with requirements to rely on a rigorous change management process despite being a two-man IT shop that is just about always out of compliance. No one bothered to determine what they really needed before committing to it. A risk assessment would have helped.
None of the requirements are intended to be literal. Your regulators want you to measure twice before cutting once. They want you to gain an understanding of where you’re at risk, where you’re not, and then do something about it. Finally, they want you to periodically repeat the process. One of the sharpest people I ever worked for, who has since ascended to become the company’s CIO, was fond of asking “If you can’t measure it, how can you manage it?” and she was right. That’s exactly what risk assessments do: they allow you to measure the problem so you can design the appropriate solutions to manage it. This is why we hear Enterprise Risk Management (ERM) used increasingly in conversation and how it has matured from some sort of seemingly mystical voodoo magic into a fixture of the boardrooms and C-suites.
Honestly, it’s difficult enough to keep up with everything these days; why do more than you need to? Why commit to conducting work without first knowing that you need to? The banking industry wants you to work smarter, not harder (measure twice, cut once), so why not embrace it?