By: Bryan T. Newlin, CPA.CITP, CISA
Last week I had the privilege of participating on a panel at the Virginia Bankers Association’s annual Operations & Technology Conference. The focus of the panel was what to expect from regulators in the coming regulatory cycle at financial institutions, so in this week’s newsletter I thought we’d highlight the anticipated areas of focus and scrutiny by the banking regulators. Even if your company is not a bank or financial institution, valuable information can be gleaned from the conversations, so keep reading!
First of all, any discussion about what to expect from a regulatory body, especially banking regulators, must begin with the huge qualification that we cannot conclusively say what to expect. A particular area of focus depends on the bank, the regulating agency, the examiner in charge, the experience of the field examiners, and a host of other variables for which we cannot account. So, like they say in investing, past performance does not necessarily predict future results. But that won’t stop us from trying.
Risk assessments are not going away anytime soon. We expect risk assessments to continue to be boiled up into enterprise risk management requirements. Examiners want to know that management and the Board of Directors accurately recognize and understand the risks within their organization. Five years ago a risk assessment was completed to assess risk at a product (or asset, or process) level; today we expect those results to inform the overall risk of the company. For some banks, that is accomplished through a COTS tool. For others, like small banks, it could be as simple as a series of spreadsheets and KPIs that gauge risk.
We’ve spoken on it before, but we see continued focus on project management for banks of all sizes. Historically, project management would not become necessary until a bank hit the $1 Billion+ mark. But recently we’ve seen exams prompting much smaller institutions to implement a project management program.
IT Strategic Planning
The rapidity with which technology is outpacing itself is stunning. After you’ve implemented a project management program and completed your first project, the technology you’ve just installed will be outdated. So an IT strategic plan will be paramount to keeping focused on the business goals of your organization. The plan must be aligned with the overall company’s strategic plan, and look forward at least 1-3 years.
Talent and Succession Planning
Finding and keeping talent will come up during the conversation around IT strategic planning. This is especially true in environments with in-house core banking systems. In many of these environments there are one or two “franchise players” who started as a teller, worked their way up and into the operations role, began administering the IBM AS/400, and have been in that position for 20 years. Those folks have a lot of knowledge and, in our observation, don’t successfully transfer that knowledge to another generation of workers. Not only that, but millennials are becoming the largest segment of workers in the US, and we are a very transient group who don’t stay in a job for long. Losing that institutional knowledge without transferring it between teams and people will become very challenging and should be planned for.
Disaster Resiliency Planning
It was noted that “disaster recovery planning” is old news. The new lingo is Disaster Resiliency Planning. Sure, it’s got a bit more of a ring to it, but we’re achieving the same goal: keeping the lights on and business running during adverse events. DRP is now expected to include maintaining business during a cybersecurity event like a DDoS, a website attack, or other cyber-type event. It’s been a few years since examiners have taken a hard look at DR, so there’s reason to believe it might be coming back around again.
You’ll notice we did not include cybersecurity separately in this list. Based on our research and conversations with clients, there has been a “cyber undertone” during exams, but not a lot of reported comments. Our takeaway is that although the FFIEC Cybersecurity Assessment Tool is not “required,” it is “strongly encouraged”. And we know what that means. So the assumption is that cyber should be underpinning the risk management conversations, baked into regular conversations rather than siloed as its own separate area of focus.
Financial institutions have their work cut out for them; we get it. But stay focused on protecting information and customer assets, and you’ll fly through the next exam cycle.
Bryan is a Manager at YHB and serves on the Risk Advisory Services Team. Bryan focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services.