Tag: risk management

01 Feb 2011

Top 5 Compliance Trends for 2011 – Part 4

According to the FFIEC IT Examination Management Handbook, many institutions choose to delegate responsibility for monitoring IT activities to an IT Steering Committee.  I also addressed this here.  One of the most important roles of the IT Steering Committee is to ensure that the IT strategy is aligned with the overall business strategy.  And the best way to do that brings me to my next trend:

The IT Strategic Plan

Although the FFIEC Management Handbook came out in June 2004, we first saw this appear in FDIC examinations in 2009.  Since then it sort of faded away, but now it’s back, and at least one other primary federal regulator is asking for it…the OTS.  (Whether or not this makes the transition to the OCC remains to be seen.)

According to the FFIEC:

Strategic IT planning focuses on a three to five year horizon and helps ensure the institution’s technology plans are consistent or aligned with its business plans. If effective, strategic IT planning can ensure delivery of IT services that balance cost and efficiency while enabling the business units to meet the competitive demands of the marketplace.

Since IT is often the largest single investment (not to mention the largest concentration of risks) a financial institution has, regulators recognize that managing this process is vitally important.  The IT Strategic Plan can demonstrate that you are managing effectively.

There is no one single template for this, but in general the plan should contain the following elements:

  • A mission statement.  This should establish the basis for the plan, and the broad goals and objectives.
  • Coordination with the overall Strategic Plan
  • Organizational structure
  • Agenda
  • A list of IT initiatives

Many institutions choose to manage the plan in their IT Steering Committee…it simply becomes another agenda item.  As the FFIEC states:

The information technology steering committee’s cross-functional membership makes it well suited for balancing or aligning the organization’s IT investment with its strategic and operational objectives.

However you choose to do it, since the IT Strategic Plan is so critical operationally, you may not want to wait until the examiners ask for it (and they will).  And if you need to get senior management buy-in, mention this:

Well implemented technology plans provide the capability to deliver business value in terms of market share, earnings, and capital growth to the organization.

23 Dec 2010

New FDIC Survey Results and Third-Party Providers

The new FDIC Supervisory Insights Winter 2010 newsletter addresses several issues of interest to bankers, including Trust Preferred Securities, Managing Agricultural Credit, and Senior Life Settlements.  But there was also a section that analyzed the results of a survey that was conducted by FDIC examiners over the past year.  The more than 2,100 responses are producing some interesting results, especially when correlated with other financial reports like call reports, but of particular interest to me were the findings examining how financial institutions are “responding to the recent period of economic and competitive challenges”. One of the trends identified in the survey results was how financial institutions are increasingly “…making use of third-party providers to offer new and innovative products”, and particularly, “how effectively bank safety-and-soundness and compliance risk management systems are keeping pace with these changes.”

Community financial institutions are no strangers to vendor management, particularly the importance of addressing privacy and security issues, but the article makes reference to the risk of Unfair or Deceptive Acts and Practices (UDAP).  This is not a traditional risk category in and of itself, and may not be a consideration in your current vendor management program, but based on recent enforcement cases, maybe it should be.  The article makes reference to FDIC guidance here, and the FFIEC provides additional guidance here and here, but none of the existing guidance specifically mentions the significant financial liabilities and increased reputation risk that can result from a lawsuit based on UDAP.

The conclusion states:

Overall, Survey results show that banks are responding to ongoing economic and competitive challenges in a variety of ways, for example, by tightening underwriting standards and making use of third-party service providers to offer new and innovative products. These operational changes can affect an individual institution’s risk profile and its ability to effectively manage the resulting consumer compliance risks. The analysis of data gathered through this Survey will continue to help the FDIC understand how effectively bank safety-and-soundness and compliance risk management systems are keeping pace with these changes.

I suggest you incorporate UDAP risk into your existing vendor management risk assessment by ensuring that it is identified as one of the potential contributors to reputation risk (along with privacy and security breaches), and that the legal risks are assessed along with standard regulatory/compliance risks.

30 Nov 2010

5 Key Elements of Risk Management

As a financial institution, it sometimes seems that everything you do requires a risk assessment.  Information security, disaster recovery, ID theft, remote deposit capture, outsourcing…in fact, the term “risk assessment” appears 215 times in the FFIEC IT Examination Handbooks.  But a risk assessment is only one step of a five-step risk management process…and it’s not even the first step.

I think the regulators unnecessarily confuse the issue by conflating “risk assessment” with “risk management”.  Sure, it’s important to assess risk, but unless you’ve correctly identified the assets to be protected, your assessment will be off target.  And once you’ve correctly identified the assets and assessed the risk to those assets, you must design a system of controls to avoid, reduce and transfer the risk down to an acceptable level.  And then, because the environment in which the risks and controls exist is not static, you’re still not done managing.  You must constantly repeat the process.

The process is further complicated by the fact that there is no one standard for documenting risk management, although it would be so much easier for both the institution and the regulator if there were a standard checklist or matrix: easier for the institution to implement, and much easier for the regulator to follow.  (In fact, in my opinion a standardized risk management process would have been a mutually beneficial outcome from Dodd-Frank…it would benefit institutions, regulators, and the public.)

So, lacking a universal standard for risk management, how do you proceed? Again, the FFIEC handbooks provide guidance here.  I mentioned earlier how often the term “risk assessment” appeared in the handbooks, but the term “risk management” appears even more often…303 times total.  The essential elements of an effective risk management program are:

  1. Identify the assets to be protected.  What are you protecting (i.e. customer information, critical business processes, etc.), and why (privacy, security, etc.)?
  2. Identify the threats to those assets.  What could happen to the assets identified in step 1?  Rank the threats by both impact and probability.  (This is the traditional risk assessment step.)
  3. Apply controls in a layered, overlapping way until the risks are reduced to an acceptable level.
  4. Test the adequacy and effectiveness of the controls.
  5. Monitor the program and periodically repeat the process.
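To make the five elements concrete, here is a small risk register in Python that walks assets through them: it records what is protected and why (step 1), scores each threat by impact and likelihood (step 2), applies avoid/reduce/transfer controls to arrive at a residual risk (step 3), gives credit only to controls whose effectiveness has been tested (step 4), and produces the list of open items to carry into the next monitoring cycle (step 5).  This is an added example, not code from the original post or from any regulator; the assets, threats, controls, the 1–5 scoring scale, the control reduction factors and the acceptable-risk threshold are all constructed assumptions chosen for illustration.

```python
"""Minimal risk register illustrating the five-element risk management process.

Added example. All assets, threats, controls, scales and thresholds below are
constructed illustrations, not figures from the FFIEC handbooks or any regulator.
"""
from dataclasses import dataclass, field

# Constructed threshold: residual risk at or below this (on a 1-25 scale) is acceptable.
ACCEPTABLE_RISK = 6


@dataclass
class Control:
    name: str
    strategy: str                   # "avoid", "reduce" or "transfer"
    likelihood_factor: float = 1.0  # multiplier applied to likelihood (1.0 = no effect)
    impact_factor: float = 1.0      # multiplier applied to impact (1.0 = no effect)
    tested: bool = False            # step 4: has effectiveness actually been verified?


@dataclass
class Threat:
    description: str
    impact: int      # 1 (negligible) .. 5 (severe)
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    controls: list = field(default_factory=list)

    def inherent_risk(self) -> int:
        """Step 2: risk before any controls, ranked by impact x likelihood."""
        return self.impact * self.likelihood

    def residual_risk(self) -> float:
        """Step 3 gated by step 4: only tested controls reduce the score.

        An untested control is given no credit, so a program that skips testing
        sees its residual risk stay at the inherent level.
        """
        imp, lik = float(self.impact), float(self.likelihood)
        for c in self.controls:
            if c.tested:
                imp *= c.impact_factor
                lik *= c.likelihood_factor
        return round(imp * lik, 2)


@dataclass
class Asset:
    name: str
    why_protected: str  # step 1: the reason (privacy, availability, ...)
    threats: list = field(default_factory=list)


def build_register(assets):
    """Return one matrix row per asset/threat pair, highest residual risk first."""
    rows = []
    for a in assets:
        for t in a.threats:
            res = t.residual_risk()
            rows.append({
                "asset": a.name,
                "why": a.why_protected,
                "threat": t.description,
                "inherent": t.inherent_risk(),
                "residual": res,
                "untested_controls": [c.name for c in t.controls if not c.tested],
                "acceptable": res <= ACCEPTABLE_RISK,
            })
    rows.sort(key=lambda r: (-r["residual"], -r["inherent"]))
    return rows


def open_items(register):
    """Step 5: rows needing action before the next cycle (too risky or relying on untested controls)."""
    return [r for r in register if not r["acceptable"] or r["untested_controls"]]


def sample_assets():
    """Constructed sample data (hypothetical institution)."""
    backups = Control("Encrypted offsite backups", "reduce", impact_factor=0.4, tested=True)
    training = Control("Annual phishing awareness training", "reduce", likelihood_factor=0.6, tested=True)
    insurance = Control("Cyber liability insurance", "transfer", impact_factor=0.5, tested=False)
    vendor_review = Control("Vendor SOC report review", "reduce", likelihood_factor=0.5, tested=True)
    callback = Control("Out-of-band wire callback verification", "reduce", likelihood_factor=0.5, tested=True)
    return [
        Asset("Customer NPI", "privacy (GLBA)", threats=[
            Threat("Ransomware destroys production data", impact=5, likelihood=3, controls=[backups, training]),
            Threat("Breach via third-party processor", impact=5, likelihood=2, controls=[vendor_review, insurance]),
        ]),
        Asset("Wire transfer process", "critical business process", threats=[
            Threat("Fraudulent wire from compromised online banking session", impact=4, likelihood=4, controls=[callback]),
        ]),
        Asset("Core banking availability", "critical business process", threats=[
            Threat("Extended power outage at data center", impact=4, likelihood=1),
        ]),
    ]


if __name__ == "__main__":
    register = build_register(sample_assets())
    for r in register:
        print(f'{r["asset"]:28} {r["threat"][:45]:45} inherent={r["inherent"]:>2} '
              f'residual={r["residual"]:>5} acceptable={r["acceptable"]}')
    print("open items:", [r["threat"] for r in open_items(register)])
```

Running the script prints the matrix with the wire-fraud threat still above the threshold (one tested control halves likelihood, but 4 × 2 = 8 exceeds the constructed limit of 6) and the third-party breach flagged because its insurance control has never been tested, which is exactly the kind of gap a "risk assessment alone" never surfaces.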

Remember, exactly how this is documented is up to the institution.  Most choose to utilize a matrix, others use a narrative, but regardless of how it’s done the process should include all 5 of these elements.

So next time you hear an auditor or regulator ask for a risk assessment, what they are really asking for is one step in your overall risk management program.  Deliver it to them as part of the program and you’ll never come up short.