Posted by: David Schneier
assess, assessment, Audit, compliance, exam, examination, examiner, FDIC, GLBA, NCUA, regulations, regulatory, Regulatory Compliance, risk, risk assess, risk assessment
I’ve been in the solutions selling business on and off for about a decade but exclusively so over these past four years. Up until becoming a partner in my current practice I pretty much was always only involved in helping sell the solution and usually implementing it before moving on. Seldom did I ever have the occasion or opportunity to loop back to the client much beyond the initial six months after getting everything setup to find out how things were going and how well the solution was functioning.
But these past four years has allowed me more than ample opportunity to rectify that heretofore unknown blind-spot in my career. We don’t just sell a solution, we support it and that involves the establishment and maintenance of what can most aptly be classified as a relationship. While we have a large number of clients we seldom hear from there are some who call us all of the time. Often it’s to ask about how best to exploit functionality, sometimes it’s because they forgot how to do something (and we advocate calling to ask rather than reading through the user guides) and on more than one occasion it’s because they have an exam looming large on the horizon and they still haven’t quite finished setting everything up. It’s the latter that has proven to be a revelation.
The entire reason for purchasing a solution is so that you don’t have to first figure out what needs to be done. If the solution is designed right there should be a series of relatively basic steps that are clearly outlined and once followed have you up and running. Instead of wasting precious time and effort getting started you can pretty much start focusing on conducting the related work so that everything is kept current. That’s not to say that it’s easy, only simple. And because most compliance-based work is spread out over the course of a full year it should never require herculean efforts to maintain. Our vendor management solution pretty much requires a few hours of setup time then roughly a few hours per week going forward on average. And when properly supported it works, it actually works the way it’s intended to.
But here’s the problem: Developing or purchasing the right solution to comply with any regulation or mandate is just the very first part of what’s necessary. You actually have to properly implement and use that solution. All too often that part is missed.
It’s not just with my current collection of clients but also with those that I’ve provided consultative support to over the years. I have one client who has somewhere close to $2M in purchased software sitting locked in a file cabinet having never been implemented due to shifting prioritization by management. Shocking? Yes but also frustrating because some of the very problems that software was intended to address still existed. I have another client I conducted a risk assessment for that had multiple solutions that were near identical to each other but were subsequently replaced by something different because as management changed they wanted only those solutions they already knew. The result was hundreds of thousands of dollars per year being spent on maintenance costs because they needed to keep the data contained in each solution and there was no straight-forward way of extracting from one and merging with another.
Whatever solution you decide to go with from a simple spreadsheet all the way through to a seven-figure software package it makes little difference if nothing happens beyond setting it up. Our advice to clients is that when they purchase one of our solutions they can often get a one-year pass with their examiners as long as they can actually display the solution and provide a real and credible plan on how they’re going to be using it. Typically the examiner will give you points for taking a step in the right direction and will allow you the additional time necessary to get it up and running. But that’s Year One – Year Two you’d better be able to show progress.
It’s why when I’m engaged with any implementation be it one of our own solutions or when I’m serving in a pure consulting role I often caution that it’s a good first step but only the first of many needed to be successful. Everyone gets sort of caught up in the potential of the project and starts seeing their better selves once it’s fully implemented. But I’ve witnessed too many projects where after the initial success fades and resources start getting pulled onto newer initiatives momentum is lost and progress stalls. I was on one business continuity project where they all but had the plan updated to address an examination finding. I left right before they submitted the BCP for Board of Director approval and found out a year later that although that part had been properly completed they never actually deployed the plan. Someone in senior management felt that the plan itself would satisfy the examiners and because of resource constraints decided to delay the implementation and training necessary. Management gambled and they were tattooed by their examiner the following year. How frustrating is it to know that the hardest part of the project was already done but not enough so to make the finding go away? It happens all the time.
I understand the pressures in play for most institutions, honestly I do. Too few resources, too little time and trying to figure out the right balance between running a business and meeting regulatory requirements. But that doesn’t explain why you’d implement a solution but not maintain it. And does it ever make business sense to invest in anything but not leverage the benefits associated with that investment? Besides, who want to be the one standing in front of the CEO explaining that while it’s true that the money was spent to solve the problem the problem still exists?
Seriously, go the distance, finish what was started and then put someone in charge of keeping the thing current. In the end you’re going to have to anyway so why wait? Oh, and before you run out and purchase a brand new solution check the file cabinets and make certain you don’t already own one.