New Year's Resolution: Assess Your Risk
Getting people on the phone this time of year can be quite a challenge. Between getting ready for the holidays, celebrating the holidays and trying to wrap up everything outstanding before year end there's simply a shortage of available time. And so as we work on building out the project schedule for the first quarter of 2009, I stress knowing that we have clients that have work that needs to get done, but who aren't ready to commit.Â
Part of the problem is that not every financial institution can wrap their minds around the fact that there is work that needs to be done. They view activities such as risk assessments and vulnerability testing as best practices, rather than requirements. So, when I say you "have to" get this work done because it's been more than a year since the last assessment, many hear "should" and see options where they don't exist. There's a huge leap of faith between "have to" and "should" because, depending on your examiner and the overall state of your institution, it may also be the difference between a decent rating and perhaps a Memo of Understanding/Document of Resolution.
The source of the problem is no mystery. The way GLBA is worded and the content of the guidance provided via FFIEC can cause such confusion. Here's one example taken from the FFIEC Handbook focusing on Management: "Operational IT planning should identify and assess risk exposure to ensure policies, procedures, and controls remain effective." There's that word "should" again.
Open up the section in that same booklet that discusses the IT Risk Management Process, and you're further greeted with "Senior management should identify, measure, control, and monitor technology to avoid risks that threaten the safety and soundness of an institution. The institution should (1) plan for use of technology, (2) assess the risk associated with technology, (3) decide how to implement the technology, and (4) establish a process to measure and monitor risk that is taken on. All organizations should have:" which was followed by a list of various related risk assessment activities.Â
So when I tell a client they need to conduct the risk assessment, many are savvy enough to go to the source and read through what the various agencies publish in the way of guidance. They're seeing what they want to and focusing on the flexibility provided via the suggestive nature of the word "should".
This very topic surfaced earlier this week during a management call, and I'd shared my frustrations in getting the message delivered to our clients. The managing partner of my firm almost instantly started pulling up documents on the screen that were from the pages of a variety of exams in which the institution was written up for either not having a recent risk assessment or not having one properly conducted. There was no confusion as far as the examiners were concerned; they expected to find a recently (and properly) conducted risk assessment. I'm sure some of the clients involved tried to establish a management response based upon their interpretation of the regulations, but in the end it doesn't matter very much. You need to conduct the work that's expected of you by the examiners and which is supported by the agencies. Besides, how do you form and maintain a compliance framework without understanding and measuring your risks (that's a rhetorical question, by the way)?Â
I can't think of a better time of the year to bring this up than right now. As you reflect back over this past year and start building out plans for the new one about to begin, take an inventory of what work you've completed and figure out what remains to be done. Have you conducted a risk assessment that takes into account the changing economic and business conditions? Do you know that all your required compliance activities are functioning as expected? Have you accounted for the risks posed by the new technologies and the business partners your organization is contemplating for 2009? I always advise our clients that in lieu of having done all that's required or expected, the next best thing is to have a concrete plan on how you'll close the gap should one exist. Examiners can be quite reasonable on that front.  Â
And speaking of the time of year, I'd like to take this opportunity to wish everyone a healthy and prosperous New Year. We leave behind a year that will likely retain its reputation and notoriety much as 1929 has, but which also allows us to look forward to the promise and potential of the new one. I for one look forward to it.