Every year about this time, I’m asked to look ahead to the upcoming year and prognosticate on regulatory compliance trends. I intend to do just that in a future post, but today I wanted to do something very few other prognosticators do…look back at last years’ predictions and see which ones hit and which missed (and why).
Here was the list of 2010 trends as I saw them early last year:
- Risk Assessments –New standards and expectations
- Documentation–Who, What, How and Why
- Disaster Recovery –Compliant and Recoverable
- Vendor Management –Trust but Verify
Overall I scored 2 hits and 2 misses, although to be fair the misses are more along the line of “not yet hits”. Here is how 2010 actually shaped up:
- Risk Assessments – miss. This prediction was taken from the Winter 2009 FDIC Supervisory Insights Newsletter article entitled “Customer Information Risk Assessments: Moving Toward Enterprise-wide Assessments of Business Risk”. It described how examiners should start to evaluate risk on an enterprise-wide basis instead of simply focusing on information security risks. I predicted that examiners would start to adjust their examination procedures for the new criteria in 2010, but it hasn’t manifested itself in examination work papers yet. However, some of the enterprise-wide risk criteria has made its way into various risk assessment best practices. Criteria such as strategic risk, operational/transactional risk, reputation risk and legal/regulatory risk are now part of the vernacular for disaster recovery, retail payment systems and new technology risk assessments. We’ll call this a miss…for now.
- Documentation – hit. The vast majority of audit and examination findings I’ve seen this year we’re not related to missing or insufficient policies or procedures, they were due to the institutions inability to document (prove) that they were following their own procedures. Expect this trend to continue in 2011.
- Disaster Recovery – hit. Both auditors and examiners are finding fault with DR plans that do not strictly conform to the FFIEC guidance. Specifically, they must contain a business impact analysis, risk assessment, risk management and testing sections, and in that order. A non-compliant plan that may even be able to demonstrate (through testing) recoverability will still be written up. (More here.)
- Vendor Management – miss. With the increasing reliance of financial institutions on third-party vendors, I predicted that 2010 would be the year that the examiners started scrutinizing vendor management programs more closely. It hasn’t happened…yet. It may be because of the continued overwhelming emphasis on asset quality during the safety and soundness examination, but I’m leaving this on the list for 2011. Asset quality will undoubtedly still dominate in 2011, but there are indications that the pendulum is starting to swing back around. (More on that later.)
My next post will be my predictions for 2011. I’m also collecting survey responses from auditors and examiners on where they think the areas of focus will be, and I’ll report that in early 2011 as well.
All the best for a Happy and Compliant New Year!!