Tag: Control Self-Assessment

  • Home
  • Control Self-Assessment
11 Nov 2014
From the Field Tom Hinkel 1 Comment

Guru Briefs – OCC on Cybersecurity & MRA’s, FFIEC on Cybersecurity Assessments

(NOTE:  Guru Briefs are short takes on recently released regulatory activity. They are not a detailed analysis, but designed to draw attention to the Guru’s initial impressions.)

In this edition:

  • The OCC has been particularly active on the regulatory front lately, and even non-OCC institutions may want to pay attention, as the head of the OCC is also the Chairman of the FFIEC.  I comment on 3 recent OCC pronouncements.
  • The FFIEC has completed the cybersecurity risk assessments, and issued some observations.

First up, the OCC recently updated their guidance on Matters Requiring Attention, or MRA’s.  Classified generally as examination “findings”, MRA’s are the most severe type of findings, as they require the immediate attention of senior management and timely (i.e. rapid) corrective action.  While it’s good to see this process standardized (at least among OCC examiners, other agencies have yet to follow suit), what struck me was how the “open” items (those items that have yet to be corrected) were classified.  Particularly one that I haven’t seen before…”Self-identified”.  A “Self-identified” MRA is defined as:

“A significant unresolved concern that the bank initially discovered.  A bank’s action to self-identify concerns is an important consideration when the OCC assesses the adequacy of the bank’s risk management system.

So in other words, you discovered a deficiency first, and then either brought it to the attention of the regulator or they found it.  Instead of counting against you. this actually strengthens the regulator’s view of your risk management system.  Essentially this is an MRA that has a positive impact on your institution!  I’ve discussed this “control self-assessment” process before.  Don’t be afraid of finding problems, it’s much better that you find them then the regulator!

Next up from the OCC, the Chairman (Thomas J. Curry) gave a speech on cybersecurity to the 10th Annual Community Bankers Symposium recently.  Here are a few of my observations:

  • Smaller institutions may be more at risk from cybercrime because of their lack of internal resources compared to larger institutions, so collaboration with information sharing organizations is particularly important.
  • Management is encouraged to incorporate cyber-incident scenarios into their business continuity and incident response planning.
  • It’s “extremely important” for management to understand their risk exposure to cyber-threats and vulnerabilities.
  • Because of the high degree of connectedness among institutions and their third-party providers, managing those relationships is vital.  Curry states that “third-party relationships have been a significant area of concern for years, and not just in the area of cybersecurity.”  The agency has, and will continue to, play a role in watching over these providers, but they stress that their supervision “does not take the place of due diligence or ongoing monitoring” on your part.

Lastly from the OCC, could we see merchants held to the same security standards as financial institutions?  Consider this statement from Chairman Curry in the same speech:

“…we need to level the playing field between financial institutions and merchants. The same expectations for security of customer information and customer notification when breaches occur should apply to all institutions. And when breaches occur in merchant systems, it seems only fair to me that they should be responsible for some of the expenses that result.”

This is long overdue in my opinion, merchants are considered the weakest links in the cybersecurity chain.  The challenge will be enforcing it.  Until merchants are under the same regulatory burden as financial institutions, they will have no incentive to comply.  PCI-DSS has been proven ineffective, after all both Target and Home Depot claimed to be PCI compliant prior to their breaches.

Finally, the FFIEC has concluded their cybersecurity assessments and issued some general observations.  Summarizing:

  • Management must understand their own cybersecurity exposure (see OCC Chairman comments above).
  • Key to this understanding your cybersecurity status is understanding who connects to you, and how.
  • Manage your third-party relationships, and understand how your vendors are managing their third-parties.
  • Expand your disaster recovery and incident response processes to incorporate cyber incident scenarios (again, see Chairman Curry’s remarks above).

…and last but not least…

  • “As a result of the Cybersecurity Assessment,  FFIEC members are reviewing and updating current guidance to align with changing  cybersecurity risk.”  In other words, new guidance is on the way!
04 Apr 2011
From the Field Tom Hinkel 8 Comments

The Control Self-Assessment (CSA)

If there was a process that was mentioned 43 times in 7 of the 12 FFIEC IT Examination Handbooks, (including 12 times in the Information Security Handbook alone!), would you consider implementing it?  How about if it virtually assured better audits and examinations?  OK, you’re interested, but the last thing you need is to implement another complicated process, right?  What if the framework is probably already in place at your institution, and all you need to do is fine-tune it a bit?

I’m referring to the Control Self-Assessment (CSA), and let’s first make the regulatory case for it.  The FFIEC Operations Handbook says:

Periodic control self-assessments allow management to gauge performance, as well as the criticality of systems and emerging risks.
And…
Senior management should require periodic self-assessments to provide an ongoing assessment of policy adequacy and compliance and ensure prompt corrective action of significant deficiencies.

If you’re familiar with “FFIEC-speak”, then you know that “should” really translates to “must”.  But the Information Security Handbook makes the most compelling argument for utilizing the CSA in your risk management program:

Control self-assessments validate the adequacy and effectiveness of the control environment. They also facilitate early identification of emerging or changing risks.

So there is plenty of regulatory support for the CSA process, what about the audit and exam benefits?  All of the major auditing standards bodies (IIA, AICPA, ISACA) address the importance of internal control reviews.  Indeed most auditors say that institutions with an internal CSA process in place generally demonstrate a much more evolved risk management process, resulting in fewer, and less severe, audit findings.  This stands to reason, as they tend to identify, and correct, control weaknesses prior to audit, as opposed to waiting for the auditor to identify them.  And since one of the first things the examiner wants to see when they come in is your most recent audit, this often results in fewer examination findings as well.

One more reason to implement a CSA process from the examination perspective is something I touched on here…for those institutions trying to maximize their CAMELS IT composite ratings, one of the biggest differentiators between a “1” and a “2” is that in institutions rated a “1” “…management identifies weaknesses promptly (i.e. internally) and takes appropriate corrective action to resolve audit and regulatory concerns”.   Conversely, in those institutions rated a “2” “…greater reliance is placed on audit and regulatory intervention to identify and resolve concerns”. A CAMELS “3” rating speaks directly to the CSA, stating that “…self-assessment practices are weak…“.

OK, so there are certainly lots of very good reasons to implement a CSA process in your institution.  How can this be done with minimal disruption and the least amount of resource overhead?  Chances are you already have a Tech Steering Committee, right?  If the committee consists of members representative of all functional units within the organization, it has the support of senior management, and is empowered to report on all risk management controls, all that’s needed is a standardized agenda to follow.  The agenda should address the following concerns:

  • Identification of risks and exposures
  • Assessment of the controls in place to reduce risks to acceptable levels
  • Analysis of the gap between how well the controls are working, and how well management expects them to work

As you can see, this is not substantially different from what you are probably already doing in your current Tech Steering Committee meetings.  In fact, this list is really only a sub-set of your larger agenda…the only possible difference is that any and all findings in the gap analysis must be assigned to a responsible party for remediation.

In summary; the FFIEC strongly encourages it, the auditors and examiners love it, and for most institutions it’s not too difficult to implement and administer.  But if you only need one good reason to consider the CSA process, it should be this:

Improved audit and examination ratings!

23 Mar 2011
From the Field Tom Hinkel 1 Comment

IT Composite Ratings: 1 vs. 2

In a recent survey conducted with our customers, we asked them to tell us (anonymously) what their FDIC IT composite scores were after their last IT examination, and whether those scores increased (got worse), or decreased (got better).  The average score was 1.8 on the 5 point scale.  Of course the results could be attributed to the fact that by virtue of their relationship with us, they demonstrate a higher level of awareness of IT and IT risks, resulting in a kind of reverse “adverse selection”, but regardless anything better than 2 is considered much better than average.  And slightly more institutions saw their score increase (or get worse) than stay the same…almost none saw their scores decrease.
So is the FDIC issuing any 1’s in IT anymore?  Not many, as far as I can see.  But for those institutions looking to maintain, or even enhance, their IT scores, it’s critical to review the components in each category…particularly the differences…between 1 and 2.  And since there are significant similarities between the two, the difference is all in the details.

The full list with all details is here, but this is a condensed version of how the FDIC IT Examination Composite Ratings break out by component:

Risk Management:

One (1) – “Risk Management processes provide a comprehensive program to identify and monitor risk relative to the size, complexity and risk profile of the entity.”
Two (2) – “Risk Management processes adequately identify and monitor risk relative to the size, complexity and risk profile of the entity.”

The difference between a 1 and a 2 in risk management is a “comprehensive program”…very subtle, but using the IT Steering Committee to manage IT could be the difference.

Strategic Planning:

One (1) – “Strategic plans are well defined and fully integrated throughout the organization.  This allows management to quickly adapt to changing market, business and technology needs of the entity”.
Two (2) – “Strategic plans are defined but may require clarification, better coordination or improved communication throughout the organization.  As a result, management anticipates, but responds less quickly to changes in market, business, and technological needs of the entity”.

This distinction is the most significant between the 2 categories, and in my opinion, seems to be the critical factor.  I addressed the IT Strategic Plan in detail here.  Often the difference between a 1 and a 2 in IT is in how well you manage, and communicate, your strategic plan.

Self Assessment:

One (1) – “Management identifies weaknesses promptly and takes appropriate corrective action  to resolve audit and regulatory concerns”.
Two (2) – “Management normally identifies weaknesses and takes appropriate corrective action.  However, greater reliance is placed on audit and regulatory intervention to identify and resolve concerns“.

Both have the ability to identify and correct weaknesses, but the key difference here is that the stronger organization handles it internally.  The key to this is the control self-assessment process.  The FFIEC mentions “control self-assessment” 43 times, and  in 7 of the 12 IT Examination Handbooks.  This is not a new concept, nor is it particularly difficult to implement, but for some reason it is under-utilized by most financial institutions.

I intend to address the self-assessment process more completely in a future post, but until then here are some of the benefits:

  • Early detection of risks
  • Improved internal controls
  • Assurance to top management that you are doing what you say you’re doing,  and of course
  • Improved audit and examination ratings!
© 2025 UFS Tech. All rights reserved. Compliance Guru is a registered trademark of UFS Tech. Privacy Policy