Posted by: David Schneier
assessment, Audit, controls, GLBA, NCUA, regulatory, Regulatory Compliance, risk assessment
I was in the midst of writing my weekly blog post, focusing on thin, threadbare compliance efforts, when I was distracted by news of a potential terrorist incident. As you likely know by now, it appears that Al-Qaeda was either attempting to send explosive devices onto airplanes or was conducting a dry run to see whether it would be able to do so at some point in the future. Either way, authorities reached the conclusion fairly quickly that something was definitely amiss and found packages containing explosive materials on two separate airplanes.
Honestly? Bombs on airplanes? How could this even be possible? Anyone who has traveled in the past decade knows all too well exactly how insane airport security has become. I’ve had nail files broken off of nail clippers, toiletries confiscated, water bottles thrown away and have had to empty the contents of my laptop bags so often I wouldn’t dare even attempt to count the number of times. But a bomb makes it through?
Sadly, it’s the perfect example of why controls and their related activities aren’t nearly as effective as any of us would like to believe. They’re a starting point and not much else. Just like in any controlled environment, we try to identify as many risk factors as possible and then design controls to either manage or mitigate them. But risk factors continue to change, evolve, mature and move on. And those who would exploit them to their advantage understand this and seek out the opportunities created in the gap between when a risk factor emerges and when the world catches on to it.
It’s why compliance by itself is never enough. It’s why risk assessments are vital to the security and soundness of your institution. You can’t manage what you can’t measure and when it comes to risk factors the only way to measure them is via an assessment process. Ever wonder why just about every piece of banking guidance makes reference to your “most recently completed risk assessment”? And trust me, ignorance isn’t bliss; it’s a bloody nightmare when it comes to the financial domain.
While financial institutions don’t typically have to worry about bombs, they do need to understand the threats presented by the ever-shifting technology and business landscape. They need to monitor their employees’ activities and assess the risks presented either by newly emerging business practices (e.g. mobile banking) or by growing dependencies on existing ones (e.g. ACH). Waiting for your regulator to tell you what to do will definitely leave a gap that someone is poised to exploit. Are you OK with that? As a banking customer, I know I’m not.