Posted by: David Schneier
assessment, Audit, bcp, business continuity plan, disaster recovery, DR, FDIC, GLBA, NCUA, regulations, regulatory, Regulatory Compliance
Something happened within our practice this past week that made me recall a story from the very beginning of my audit and compliance career. Way back in 1998, when I was first transitioning from being an application developer/manager to a compliance/audit professional, my first long-term engagement was working on a Y2K project for an international company. As part of a team that assessed each of the business units (BUs) on their Y2K readiness, I quite literally circumnavigated the globe. Each BU was measured on where its assessment and remediation efforts stood relative to where the parent company expected them to be. Early in that year there were only a few BUs considered on schedule, and I had the good fortune to be assigned to two of them.
Each of them had all of their inventories prepared, documentation created and project teams busily working away to get everything Y2K-ready. Their project stakeholders were all forthcoming and willing to share information, which made the assessment process flow smoothly. As part of the approach we used, it was common for the person conducting the assessment to meet with the Y2K project leadership and share findings before issuing the report to the local CEO and CIO. For each of these assessments I was asked point-blank what I thought of their ability to successfully manage through the Y2K challenge. For one BU I shared that they were really on top of things and were in good shape to wrap everything up well before they needed to. For the other BU I cautioned that while their answers were all the right ones and they appeared to have everything in place, there was something off that I couldn’t quite explain. I cautioned that they shouldn’t be lulled into thinking the BU was in good overall shape and defer their next assessment. As a matter of fact, I recommended that they keep close tabs on how the BU progressed.
It wasn’t until a few years later that I came to understand what was wrong and why I detected it. While both BUs presented well on the surface, the one I was concerned about exhibited no pain or stress from the experience. One of them not only provided all the right information but also discussed in detail how they came to gather it and how they struggled to leverage it. The other one simply provided the information but didn’t have much to share about how they captured it or what they were doing with it. Six months after my first assessment, the local CIO was transferred, and in his absence it was revealed that much of the work being reported as completed either wasn’t done or wasn’t done adequately to meet the overall project standards. Because the CIO was a forceful personality, his direct reports and their staff weren’t as forthcoming as they should have been and focused more on providing the “right” answers, even if they weren’t completely honest ones. Fortunately, with guidance from the Y2K project team, they eventually caught up to where they should have been.
And so I learned a valuable lesson early on in conducting audits and assessments. I learned to sort out answers that sound right from the right answers. Which brings me back to this week…
A senior IT executive was asked about his institution’s overall compliance initiatives, and his reply was that they had a good handle on everything, that the work was properly distributed and that things were current. When this exchange was shared with me it took me back thirteen years, to the lesson I learned during Y2K. Regulatory compliance is not easy to obtain and it’s even harder to maintain. When someone throws out a statement like the one above, I can feel the professional hairs on my neck stand razor straight. My first thought was that either he didn’t really know whether that was true or, if he did believe what he said, he was due for a rude awakening at some future point in time.
I talk to enough C-level executives each year to know that no institution that takes compliance seriously ever feels like it truly has a handle on everything. They all struggle to keep everything current, find the resources to get the necessary work done and make sure that everyone who plays a role is doing their part. And that’s true whether it’s a small credit union or a large community bank (their issues are all roughly the same, just scaled based on size). I have yet to audit or assess any financial institution that has everything current, functioning properly and organized in such a way that examiners can validate it. There’s always something outdated, missing, or poorly designed; always. Even in the best organizations I’ve encountered there’s always something that needs fixing (e.g. business continuity and disaster recovery plans are almost always in need of TLC).
So when I hear someone offering the equivalent of the old “all is well, there’s nothing to see here” rhetoric, it makes me want to pull out our GLBA risk assessment methodology and start hammering away to dispel that myth. Or, even better, I’d love to invite the executive to a round table with his peers from some of our better-organized clients and have them dissect his assertion, because they always know where the bodies are buried.
On a different note: the Friday after I observed that bank closings seemed to be slowing to a trickle, the FDIC announced that four banks had failed, and followed that today by announcing another four failures. So in the ten days since I made that statement there are eight fewer banks in our country. I suppose I stand corrected.