I’ve written about the importance of this before, and from many different angles, but I want to recap and explain why I think management (both IT and enterprise) will be an area of increased regulatory focus in the year ahead. To recap my criteria for inclusion in the “2012 Trends” list, it must have a basis in:
- Recent audit and examination experience,
- Regulatory changes, and/or
- Recent events.
Management, or as it is sometimes referred, governance, is defined by the FFIEC in the IT Examination Management Handbook as;
“…an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.”
“Due to the reliance on technology, effective IT management practices play an integral role in achieving many goals related to corporate governance.”
So regulators have always considered IT management critical, and most institutions address that obligation by assigning responsibility for day-to-day management of IT to a committee, such as a technology or IT Committee. In recent examinations we have seen regulators ask specifically to see committee minutes, looking for things such as discussion of vendors before they are approved, and discussion of new technology before it is implemented. They want to know that the institution considered the strategic value of the vendor and the new technology prior to approval. Was the decision to approve consistent with (in alignment with) the overall goals and objectives of the strategic plan? Can you document that?
Effective management of IT has significance way beyond just IT and strategic alignment though, after all…
“…IT management is an essential component of effective corporate governance and operational risk management.”
An institution that fails to demonstrate that they can adequately manage technology (and do so at all levels of management, from the Board of Directors down) may have fundamental management issues enterprise-wide. I further explained this here, and examiners agree. Consider this…the two most often repeated statements in FDIC enforcement orders this year is for the institution to “have and retain qualified management”, and for the Board of Directors to “increase its participation in the affairs of the Bank”.
For all these reasons I believe the CAMELS “M” will be in the minds of examiners. So how can you prepare? In a word, reporting. Take a look at the following illustration:
Once the overall strategy has been communicated top-down (left side), reporting (right side) will document that the strategy has been successfully incorporated into the policies and procedures of the organization, and (most importantly) that day-to-day practices abide by those policies and procedures. Implementing an internal self-assessment program can be a very effective way of both communicating strategy and documenting compliance. Use automated controls and monitoring (like this for example), and employ outside expertise whenever possible.