Tag: Strategic Risk

31 May 2011

Time to re-think the role of the network administrator?

Traditionally, the network administrator needed to operate at “ground-level”. Network maintenance was highly specialized and problematic, requiring a constant hands-on approach. And in the very early days (when the Guru started… “he who speaks of floppy disks”…) there were few formal training classes, most of what you learned was by trial and error…lots of error!

Today’s network administrator still has plenty of trial and error learning, but there is much less of it than there used to be. Consider this:

  • How important is the Internet to your problem resolution process? Can you even imagine doing your job without the Internet?
  • Colleges, universities and technical schools have had formal degree programs for training network administrators for years, assuring that even the most inexperienced admin has a broad base of knowledge to draw from starting on day one.
  • Although server and desktop operating systems and applications are more complex today, they are also much (somewhat?) more stable than they used to be, with much more mature, feature-rich, administrative interfaces.
  • Largely because of the first three items, there are a lot more resources available for support today. It’s often more cost effective to reach out to an expert in a particular area than it is to spend hours on trial and error.
  • Most importantly though, many of the routine administrative tasks can now be automated and/or outsourced (patch management, AV updates, etc.), removing not only the drudgery of the task, but also removing the uncertainty of the human element as well. And as I’ve written about here, both auditors and examiners prefer automated controls for that very reason.

So the focus of the network administrator’s job has really evolved from a hands-on, high-touch, ground-level role, into more of a higher-level, managerial role. They still have primary responsibility in their traditional role of (as the FFIEC states), “…implementing the policies, standards, and procedures in their day-to-day operational role”, but they now often assist in the development of those policies as well. Most admins also sit on the IT steering committee, and in that capacity they also have the shared responsibility to coordinate the IT strategic plan, and by extension, the overall strategic plan. But it’s difficult to have an enterprise-wide view if you’re stuck in the trenches unlocking a user account or struggling with AV or patch updates.

Given the right tools, today’s network administrator is able to add value in many ways. Furthermore, I don’t know of a single one that wouldn’t jump at the chance to assume a higher profile in their organization (with the associated increase in net value). If you are a network administrator, here are 3 ways you could get the conversation started:

  1. “You know, regulators are increasingly focusing on reporting to verify that we are following our procedures. Give me the tools I need to gather, analyze and report, and I’ll be able to validate that we’re doing what we say we’re doing, the way we say we’re doing it. This should reduce our exposure to future regulatory findings.”
  2. “Recent experience has shown that auditors and examiners really prefer automated tools for routine repetitive tasks. An added advantage is that this will free me up to manage the process from a slightly different perspective, allowing me to not only apply controls, but assess their effectiveness as well.”
  3. “Effectively managing strategic risk means providing management with timely, actionable information that will allow them to rapidly respond and react to changes in the information landscape. Include me in the strategic planning process and I’ll be able to better understand the mission, and deliver the right information in the right format at the right time.”

And if you manage a network administrator and you haven’t had this discussion yet, don’t wait for them to approach you…ask them what you can do to elevate them above the drudgery, and get them more involved in managing the process instead of drowning in it. I’ll bet you’ll find a source of value you never knew you had!

20 Apr 2011

A Recurring Theme in FDIC Consent Orders

If you look at any of the recent FDIC Consent Orders, you will quickly see a common theme.  I randomly pulled a few off the top of the list, and the verbiage was very similar, and in many cases identical:

  • …the Board shall enhance its participation in the affairs of the Bank
  • …the Bank’s board of directors shall increase its participation in the affairs of the Bank
  • …the Board shall participate fully in the oversight of the Bank’s compliance management system
  • …the Board shall participate fully in the oversight of the Bank’s Compliance Management System
  • …the Board shall increase its participation in the affairs of the Bank
  • …the Bank shall have and retain qualified management
  • …Bank’s board of directors shall increase its participation in the affairs of the Bank
  • …the Bank shall have and retain qualified management.
  • …the Board shall increase its participation in the affairs of the Bank
  • …the Bank’s board of directors (“Board”) shall increase its participation in the affairs of the Bank

In almost every case, regardless of the main thrust of the Consent Order, this was usually the first requirement.  In other words, although the Order may have been imposed because of financial weakness, or lending policy non-conformance, or some other reason, the examiners want to establish up front that the Board and Senior Management are at fault for failing to prevent, detect, and/or correct the problem ahead of time.  Furthermore, regardless of their past participation, in every case they are expected to increase their oversight in the future.

Of course, not only must this occur, but it must also be documented. If recent examination experience has taught us anything, it is that if you don’t have it documented, it didn’t happen. The challenge is this: typically the Board defines the broad goals and objectives of the institution in the strategic plan, and delegates the day-to-day responsibility of implementing those goals to committees. In a perfect world, the mandates flow down from the Board to the committees, and status reporting flows back up from the committees to the Board. (Graphic illustration) In reality, there are multiple points of failure in this top-down, bottom-up model:

  1. Does the Board have a well-defined, 3-5 year Strategic Plan?
  2. Has this plan been communicated to all stakeholders?
  3. Have committees been formed, staffed, and tasked with implementing the details of the plan?
  4. Are there well-defined objectives and benchmarks in place to measure alignment between strategic goals and actual performance?
  5. Does the Board have access to adequate, timely information (reporting), and the necessary expertise, to determine if their strategic goals and objectives are being achieved?

A “No” answer at any point in this process causes the whole process to break down.  And even a “Yes, but we didn’t document it…”, is not enough to satisfy the examiners.  So how best to document each step?  Taken in order from above:

  1. Make sure the institution has a valid, up-to-date, Strategic Plan, and…
  2. …the plan has been communicated to all stakeholders.  This isn’t as onerous as it sounds…the plan shouldn’t change that often.
  3. The mission statement for all committees should reinforce their alignment and coordination with the Strategic Plan, and any risk assessments conducted by the committees must measure strategic risk.
  4. Evaluate each new product, service and vendor against its ability to further the objectives of the Strategic Plan, and…
  5. …make sure this information is summarized and presented to the Board at a frequency commensurate with the pace of change within the institution.

As I’ve mentioned before, the Tech Steering Committee is the ideal committee to report all things IT to the Board.  If you utilize a standard agenda, which includes discussion of on-going or proposed IT initiatives (and their alignment with Strategy), document the meetings, and report progress to the Board periodically, you will satisfy the IT oversight requirement.  Once the top-down and bottom-up process is in place for IT, simply duplicate it across the enterprise!

16 Mar 2011

Risk Managing Social Media – 4 Challenges

Twitter, LinkedIn, Facebook, Google+…the decision to establish an on-line presence is a very popular topic these days, and it is extremely easy to do, but effectively managing social media risk can be frustratingly complicated. In many ways, it just doesn’t lend itself to traditional risk management techniques, so the standard pre-entry justification process is much more difficult. And because you are expected to assess the risks before you jump in, many of you may already be accepting unknown risks.

I see 4 big challenges to managing social media risk:

  1. Strategic Risk – If you determine that engaging in social media would be beneficial to achieving the goals and objectives of your business plan, you’ve made a strategic decision. But even if you decide NOT to engage, you’ve still made a strategic decision, because strategic risk exists if you fail to respond to industry changes. (“If you choose not to decide, you still have made a choice”*.) And you are expected to justify your strategy by periodically assessing whether or not you have achieved the goals you anticipated when you made the decision to engage in social media, which leads to challenge #2:
  2. Cost / Benefit – This is closely related to strategic risk, but relates to the difficulty of quantifying both the costs (strategic and otherwise) and the tangible benefits. Most institutions decide to engage in social media as a “me too” reaction, but 1 or 2 years later they can’t go back and validate their decision on business grounds because they didn’t have well defined, quantifiable expectations going in. Anchor your decision on a set of specific goals, which could include increased brand or product exposure, but which should ultimately be defined in terms of an increase in capital and earnings. And although there is a very small financial barrier to entry, there are other costs, which leads to my next challenge:
  3. Reputation Risk – This is where the decision to not engage in social media really manifests itself, because reputation risk exists regardless…it cannot be avoided. All it takes is one disgruntled employee or customer (or a competitor) to post a negative comment about you or your products or services on-line, and your reputation could suffer. If you do have an on-line presence, you may be able to quickly respond to counter the comments, but if you decided to stay out you have no recourse. Also, are your employees blurring the line between their professional lives as official (and controllable) representatives of your institution, and their (un-controlled) personal, on-line lives? In a traditional risk management model, each risk identified would be accompanied by an off-setting control or set of controls. In the case of reputation risk, there really is no way to off-set, or control, the risk. This brings me to the final, and perhaps biggest, challenge:
  4. Residual Risk – This is the end result of the risk management process; the amount of risk remaining after the application of controls.  Essentially, this is what you deem “acceptable” risk.  Since social media risk can never be completely avoided (see #3 above), you are already accepting some measure of risk.  The challenge is to quantify it.  Auditors and examiners expect you to have a firm grasp on residual risk, because that is really the only way to validate the effectiveness of your risk management program.  An uncertain or inaccurate level of residual risk implies to examiners an ineffective (or even non-existent) risk assessment.

So managing social media risk boils down to this: You must be able to justify your decision (both to engage and to not engage) strategically, but to do so requires an accurate cost/benefit analysis. Both costs (reputation, and other residual risks) and benefits (strategic) are extremely difficult to quantify, which means that in the end you are accepting an unknown level of risk to achieve an uncertain amount of benefit. Ordinarily that would be a regulatory red flag, but clearly many institutions currently have an on-line social media presence. So at this point the question becomes not so much how they arrived at that decision, but how they will justify their decision (and manage the risk) going forward?


*Lee, Geddy; Lifeson, Alex; Peart, Neil