<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Regulatory Reality &#187; risk rating</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/regulatory-compliance/tag/risk-rating/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance</link>
	<description>A SearchFinancialSecurity.com blog</description>
	<lastBuildDate>Wed, 06 Mar 2013 17:19:34 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Risk: The core issue behind regulatory requirements</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/risk-the-core-issue-behind-regulatory-requirements/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/risk-the-core-issue-behind-regulatory-requirements/#comments</comments>
		<pubDate>Fri, 06 Jul 2012 03:18:40 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assess]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[assessments]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[audits]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliant]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[credit union]]></category>
		<category><![CDATA[credit unions]]></category>
		<category><![CDATA[CU]]></category>
		<category><![CDATA[enterprise risk]]></category>
		<category><![CDATA[enterprise risk management]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examinations]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[FDIC]]></category>
		<category><![CDATA[Federal Reserve Bank]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[framework]]></category>
		<category><![CDATA[FRB]]></category>
		<category><![CDATA[general controls]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information security office]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[procedure]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulations audit]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risk assessments]]></category>
		<category><![CDATA[Risk IT]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[risk rating]]></category>
		<category><![CDATA[risk-based]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[threats]]></category>
		<category><![CDATA[vendor]]></category>
		<category><![CDATA[Vendor Management]]></category>
		<category><![CDATA[vendor risk]]></category>
		<category><![CDATA[vendor risk assessment]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=923</guid>
		<description><![CDATA[There&#8217;s a joke of sorts within my personal circle of family and friends regarding what it is that I do these days.  Ask me and I&#8217;ll tell you that I&#8217;m a regulatory compliance expert who advises financial institutions on how to comply with the myriad rules and regulations governing information security.  Ask my immediate family [...]]]></description>
				<content:encoded><![CDATA[<p>There&#8217;s a joke of sorts within my personal circle of family and friends regarding what it is that I do these days.  Ask me and I&#8217;ll tell you that I&#8217;m a regulatory compliance expert who advises financial institutions on how to comply with the myriad rules and regulations governing information security.  Ask my immediate family and they&#8217;ll tell you that I work with computers.  Ask my extended circle and they&#8217;ll tell you that I do a lot of work with banks and credit unions.  For those who aren&#8217;t in the banking business it&#8217;s difficult to understand exactly what it is that I do and so they find it easier to keep it simple; I do a lot of work with computers for places where people deposit their money.</p>
<p>Of course the truth is much more complicated.  I don&#8217;t just focus on computers; my scope expands to include anything that involves sensitive information.  While that always includes a variety of devices, it also includes paper-based and people processes as well.  I frequently share stories about the enormous amount of printed content that&#8217;s to be found throughout an institution&#8217;s physical locations.  I occasionally tell stories about how careless people can be when on the phone or in conversation, sharing all manner of sensitive information.  It&#8217;s never just about computers; it is, however, always about information and how it needs to be protected.</p>
<p>Truthfully, though, what I really do is search for controls that protect information, identify those that I find and try to measure their effectiveness and, more importantly, identify where controls are missing and work with my clients to remedy that.  At the heart of the regulatory requirements I focus on, it&#8217;s all about the risk introduced by the presence of information, from personally identifiable information (PII) to non-public personally identifiable information (NPPI).  Risk: It&#8217;s what drives every single project I work on; it&#8217;s what drives every product and process I help develop.  And really, if you take the time to read through the literature, it&#8217;s what&#8217;s behind just about every piece of regulation known to the banking world.  Risk, risk, risk and risk.</p>
<p>One of the reasons I&#8217;ve enjoyed spending so much time working with the community banking and credit union sector over the past few years is that it&#8217;s a simple enough argument to make with fewer people to convince: everything you do to comply with the regulations should be risk-based.  It doesn&#8217;t really make a difference if it&#8217;s complicated to do or time consuming; you prioritize based on where the risks are found and make decisions accordingly.  But that gets much more difficult to do as the institutions grow in size and complexity.  Over the fifteen years I&#8217;ve been building and supporting compliance initiatives I&#8217;ve worked with Fortune 50s, 100s and 500s and a whole lot of financial institutions that merely read Fortune magazine.  But while their overall size varies widely, risk is still risk and that never changes.</p>
<p>I wish more practitioners embraced this simple concept.  While some do, many still don&#8217;t.  There&#8217;s often a rush to come up with a standard set of decision criteria to drive the work based on factors not necessarily aligned with risk factors.  Those who have worked with or for me will tell you that when presented with questions about which vendors or applications to assess, or what to look for when conducting any type of assessment, my first line of logic is to try to figure out where the greatest possible exposures are to be found.  Assessing a low-risk application yields little value no matter how complete it may be.  And reviewing a vendor where the dollar spend is high but the risk factors are low does little to protect the institution.</p>
<p>Beware the practitioner who wields a hammer for they only know to look for nails.</p>
<p>Your regulator doesn&#8217;t want you to blindly implement compliance programs; they want you to identify and manage risks, real risks.  They want to be able to understand the logic and approach being used and find credible evidence that you&#8217;re focusing your efforts on the right things.  Go back and read through the library of FFIEC documentation and pay close attention to the hooks inserted throughout where they talk about conducting assessments and about using approaches which are appropriate for the size and complexity of your institution.  Then scan through your related program inventory and figure out if you&#8217;ve designed things accordingly.  Are they actually protecting your institution from credible threats and risks, or are they just filling binders on your compliance officer&#8217;s shelves?</p>
<p>For me, professionally, I&#8217;d prefer to always do only meaningful work, and in the audit and assurance world meaningful is code for risk-based.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/risk-the-core-issue-behind-regulatory-requirements/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Vendor management program efforts still fall (way) short</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/third-party-oversight-still-falls-way-short/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/third-party-oversight-still-falls-way-short/#comments</comments>
		<pubDate>Mon, 11 Oct 2010 15:56:58 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assess]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[periodic review]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk rating]]></category>
		<category><![CDATA[third party management]]></category>
		<category><![CDATA[third party oversight]]></category>
		<category><![CDATA[vendor]]></category>
		<category><![CDATA[Vendor Management]]></category>
		<category><![CDATA[vendor risk rating]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=506</guid>
		<description><![CDATA[Popular vendor management rhetoric tends to inspire inertia for  too many financial institutions.  We see it all the time in our practice when engaging potential clients for our vendor management offerings.]]></description>
				<content:encoded><![CDATA[<p>Early last week I downloaded some fresh content covering vendor management.  It turned out that the new information wasn&#8217;t really new; it&#8217;s guidance that&#8217;s been circulating in one form or another for years and tracks closely with guidance ripped from the pages of the Santa Fe Group/BITS Shared Assessments methodology and generally tied back to FFIEC guidance.  It&#8217;s an approach that turns out to be a recipe for &#8220;boiling the ocean&#8221; &#8211; it makes the work seem too big and unwieldy for all but the largest organizations to tackle, and tends to scare the small and midsized institutions into a state of paralysis.  But there&#8217;s more than one way to skin this particular cat, and not enough practitioners bring that to the surface.</p>
<p>One of the files I downloaded reminded me of an exercise I participated in two years ago focused on vendor management.  I was asked to develop a &#8220;how to&#8221; webinar on establishing a new program and created a PowerPoint deck that encapsulated the approach I&#8217;ve been using successfully for years.  Much like everything I&#8217;ve had a hand in developing, I spent considerable time up front firming up what&#8217;s minimally required, what makes sense for the organization, and designing the various tasks so that they reflect the capabilities of the staff.  Telling a community bank that they need to conduct an on-site audit of their hosted platform provider or review a software vendor&#8217;s SDLC methodology is both irresponsible and unrealistic; they typically don&#8217;t have the staff or expertise to do so.  And so my presentation didn&#8217;t attempt to boil the ocean but rather boiled vendor management down to something effective and manageable.  The owner of the sponsoring website rejected my final draft because he felt it wasn&#8217;t detailed enough and would fall short of audience expectations.  He wanted the Shared Assessments rehash; I provided something simpler and more realistic that was much more likely to appeal to the audience, and as I was unwilling to compromise my standards, I decided to separate from the project.</p>
<p>Popular vendor management rhetoric tends to inspire inertia for  too many financial institutions.  Some admit that they&#8217;re delaying pursuing vendor management activities for sizable periods of time (anywhere from six months to five years &#8211; no joking).  Some claim they&#8217;re only managing their critical vendors and are using spreadsheets or hard-copy documentation to prove compliance (possible but unlikely).  And a frighteningly high number simply defer making any plans or decisions at all because their examiners don&#8217;t pay it any attention at all.  Let me run that last one by you again: Their examiners don&#8217;t actually examine their vendor management programs (you know, the ones that don&#8217;t exist).</p>
<p>So on one hand we have a group of regulatory industry leaders shouting from the rooftops that third-party oversight is critical and needs to address a suffocating amount of information, and on the other hand no one really seems to care if anything is being done.  Anyone else see the problem with all of this?</p>
<p>As with all compliance initiatives, only your organization can determine what makes sense.  Almost all FFIEC guidance specifies that your program needs to take into consideration the size and complexity of your institution.  So what might work for Citigroup or Bank of America would never make sense for 1st Community National Bank with its two branches and $100 million in assets.  There will certainly be commonalities &#8211; you still need to risk rate each vendor, you still need to perform a periodic review &#8211; but the depth and breadth of the program will vary wildly.  However, one thing is certain: You have a fiduciary responsibility to protect your customers&#8217; personal data, and that extends to any business relationship you maintain in which it&#8217;s exposed.  Doing nothing isn&#8217;t an option, nor is doing too little, not just because it&#8217;s the law but because it&#8217;s the right thing to do.</p>
<p>The industry pundits are right that the threats in conducting business with third-party vendors are real and increasing every day.  Where they go wrong is in not educating you on the many options available to manage those threats.  One size does not fit all in the regulatory space and that&#8217;s a concept you need to hear more frequently.</p>
<p>But trust me on this: Doing nothing is not an option. Waiting until the examiners force the issue is not a strategy, and being caught without a viable program in place after your institution has been involved in a breach is a train wreck waiting to happen.  Don&#8217;t be scared off by what you don&#8217;t know or can&#8217;t manage; start simple and move from there.  No matter what, do something and do it now!</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/third-party-oversight-still-falls-way-short/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
