In a recent survey conducted with our customers, we asked them to tell us (anonymously) what their FDIC IT composite scores were after their last IT examination, and whether those scores increased (got worse) or decreased (got better). The average score was 1.8 on the 5-point scale. Of course the results could be attributed to the fact that, by virtue of their relationship with us, they demonstrate a higher level of awareness of IT and IT risks, resulting in a kind of reverse “adverse selection”, but regardless, anything better than 2 is considered much better than average. And slightly more institutions saw their score increase (or get worse) than stay the same…almost none saw their scores decrease.
So is the FDIC issuing any 1’s in IT anymore? Not many, as far as I can see. But for those institutions looking to maintain, or even enhance, their IT scores, it’s critical to review the components in each category…particularly the differences…between 1 and 2. And since there are significant similarities between the two, the difference is all in the details.
The full list with all details is here, but this is a condensed version of how the FDIC IT Examination Composite Ratings break out by component:
One (1) – “Risk Management processes provide a comprehensive program to identify and monitor risk relative to the size, complexity and risk profile of the entity.”
Two (2) – “Risk Management processes adequately identify and monitor risk relative to the size, complexity and risk profile of the entity.”
The difference between a 1 and a 2 in risk management is a “comprehensive program”…very subtle, but using the IT Steering Committee to manage IT could be the difference.
One (1) – “Strategic plans are well defined and fully integrated throughout the organization. This allows management to quickly adapt to changing market, business and technology needs of the entity.”
Two (2) – “Strategic plans are defined but may require clarification, better coordination or improved communication throughout the organization. As a result, management anticipates, but responds less quickly to changes in market, business, and technological needs of the entity.”
This distinction is the most significant between the 2 categories, and in my opinion, seems to be the critical factor. I addressed the IT Strategic Plan in detail here. Often the difference between a 1 and a 2 in IT is in how well you manage, and communicate, your strategic plan.
One (1) – “Management identifies weaknesses promptly and takes appropriate corrective action to resolve audit and regulatory concerns.”
Two (2) – “Management normally identifies weaknesses and takes appropriate corrective action. However, greater reliance is placed on audit and regulatory intervention to identify and resolve concerns.”
Both have the ability to identify and correct weaknesses, but the key difference here is that the stronger organization handles it internally. The key to this is the control self-assessment process. The FFIEC mentions “control self-assessment” 43 times, and in 7 of the 12 IT Examination Handbooks. This is not a new concept, nor is it particularly difficult to implement, but for some reason it is under-utilized by most financial institutions.
I intend to address the self-assessment process more completely in a future post, but until then here are some of the benefits:
- Early detection of risks
- Improved internal controls
- Assurance to top management that you are doing what you say you’re doing, and of course
- Improved audit and examination ratings!