Regulatory Reality:


December 19, 2012  1:51 PM

CFPB: Dodd-Frank at its best.

Posted by: David Schneier
bank, banking, banking crisis, banks, compliance, compliant, Dodd-Frank, economy, exam, examination, examinations, examiner, examiners, exams, Federal Reserve Bank, FFIEC, financial, financial institutions, FRB, mortgage, regulation, regulations, regulations audit, regulatory, regulatory guidance, requirements, risk, SOX, third party management, third party oversight, too big too fail, vendor, Vendor Management, vendor risk, vendor risk assessment, vendor risk rating

The campaign season that ended with last month’s presidential elections generated more debate and rhetoric than any other in my lifetime.  As I'm an outspoken person who has never shied away from a good argument I routinely found myself engaged in exchanges with a remarkably broad range of...

April 29, 2012  7:43 PM

Internal Audit: Whose side are they on anyway?

Posted by: David Schneier
assessment, assessments, Audit, compliance, control, control owners, controls, findings, GLBA, internal audit, NCUA, regulations, regulatory, Regulatory Compliance, risk, risk assessments, risks

My first encounter with an auditor was back in the mid-90's while working as an application project manager for a Fortune 100 company.  The group responsible for change management was going through an audit of their process and one of the changes that was selected for review happened to belong to...

March 23, 2012  3:24 PM

GRC presents a broad spectrum; is it too broad?

Posted by: David Schneier
assessment, Audit, compliance, GRC, HIPAA, PCI, regulations, regulatory, Regulatory Compliance, risk, risk assessment, SOX

In early 2004 I co-authored my first Sarbanes-Oxley (SOX) controls framework for a client.  Just about the entire thing required manual testing that, if everything worked as planned would require a full-time resource to support.  About thirty seconds after submitting the framework draft to the...

February 3, 2012  5:58 PM

Governance, risk and compliance – related but not the same.

Posted by: David Schneier
Audit, auditor, compliance, controls, exam, examiner, FFICE, GLBA, governance, GRC, internal controls, NCUA, regulations, regulatory, Regulatory Compliance, risk

I was sitting in a meeting this week listening to a group of very bright people talking about an initiative centered on installing a software solution and I realized something rather disturbing; somewhere along the way in our industry governance, risk and compliance has started melting together and...

January 8, 2012  9:27 PM

Maintaining compliance is often the Missing Link.

Posted by: David Schneier
assess, assessment, Audit, compliance, exam, examination, examiner, FDIC, GLBA, NCUA, regulations, regulatory, Regulatory Compliance, risk, risk assess, risk assessment

I've been in the solutions selling business on and off for about a decade but exclusively so over these past four years.  Up until becoming a partner in my current practice I pretty much was always only involved in helping sell the solution and usually implementing it before moving on.  Seldom...

December 22, 2011  9:44 PM

Why I don’t trust hosted or SaaS solutions.

Posted by: David Schneier
assessment, Audit, compliance, GLBA, NPPI, PCI, PII, regulatory, Regulatory Compliance, risk, risk assessment

Let me begin by sharing a story from the way back files.   In the mid 80’s when I was first starting out in my career I was working as a junior programmer in Manhattan.  Courtesy of playing on the corporate softball team I became acquainted with a fairly diverse group of...

December 5, 2011  11:54 PM

The trouble with GRC.

Posted by: David Schneier
assessments, Audit, compliance, governance, GRC, regulations, regulatory, Regulatory Compliance, regulatory guidance, risk, risk assessments

I love GRC, at least the concept.  I've gotten way more than my fair share of print time expounding on its many virtues and how it continues to make inroads into so many organizations.  It's the next and necessary step in the evolution of audit and compliance, a fact (yes, fact) of which I'm...

November 18, 2011  12:22 PM

Why vendor management is a big GLBA deal.

Posted by: David Schneier
assessment, Audit, compliance, FDIC, Federal Reserve Bank, FRB, GLBA, NCUA, OCC, OTC, regulations, regulatory, Regulatory Compliance, risk, risk assessment, vendor, Vendor Management, vendor risk, vendor risk rating

I don't think I'm due to post about vendor management again at least until January 2012 (I try to limit topics to twice a year) but I've had something kicking around my head for a few days now and it needs a proper vetting. Does anyone know why vendor management is such a big issue for banking...

October 26, 2011  8:36 PM

Who examines the examiners?

Posted by: David Schneier
assessment, bcp, business continuity plan, GLBA, NCUA, NCUA Part 748, regulations audit, regulatory, Regulatory Compliance, risk, risk assessment, Vendor Management

I remember conducting a risk assessment a few years back for a credit union in which they were missing just about every artifact necessary to prove compliance with NCUA Part 748 (if you're not already aware, thats GLBA for credit unions).  It was, for lack of a better term, a...

September 14, 2011  6:27 AM

A new twist on regulatory guidance.

Posted by: David Schneier
assessment, Audit, bcp, business, business continuity, business continuity planning, compliance, disaster recovery, DR, GLBA, NCUA, regulation, regulatory, Regulatory Compliance, risk, risk assessment, vendor, Vendor Management

One of the oddity's of my career is how some issues present themselves in a wide range of my clients despite the fact that there's often no meaningful way to compare them in size.  Some have a single compliance person who is part Compliance Officer and part Information Security Officer and some...

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: