2015 was a groundbreaking year for business continuity regulators and that makes 2016 a key year for compliance modifications.
What happened? Well, 2015 was the culmination of many variables:
Threats increased. Whether it’s our awareness or the actual activities themselves, there is more responsibility and accountability to guard against threats to operations risk than ever.
Marketplace tolerance exceeded the breaking point. The bar had been raised so high for banks that many vendors were noticeably below standard. So far below that, when the dam broke (literally), the regulators got involved, resulting in documents like Appendix J and the Cybersecurity Assessment Tool.
Time to revise the FFIEC Handbooks was up. The previous edition was beyond end of life. The industry had advanced beyond what the previous editions covered. Several have been updated and more are to come. Changes include incorporation of cybersecurity concepts as a part of information security, advancement of management-related concepts and IT risk-management as a part of enterprise-wide management.
Here’s where to put your resources in order to maintain compliance and create value in 2016.
Leadership Denotes Character
The old saying goes, “the fish stinks from the head down,” and examiners are more than casually aware of this. There is no one more accountable than the board of directors. Unfortunately, there is often no one less clued in. Fiduciary relationships – those where the board member must act in the best interest of the bank before himself – are not taken lightly in the eyes of the regulators. If your employees aren’t demonstrating healthy business behavior, the responsibility lies squarely on the shoulders of the board. This is a big jump up from what’s been enforced in the past.
Don’t expect your board to know it all right now, but do find resources for coaching and basic training immediately. Work with your board to build their capacity and understanding so that they will have the resources to make the best decisions for the clients to which they are held responsible. There’s no plea of ignorance as a board member. Those who don’t take fiduciary duty seriously have gone to prison and paid hefty fines. 2015’s fines were in the billions.
In case you missed its release, the FFIEC developed the Cybersecurity Assessment Tool to help institutions identify their risks and determine their cybersecurity preparedness. While you’ll probably be fine not acing the test on the first go-around, you must have a working knowledge that exceeds “familiar with the Assessment”. Where do you currently score and how are you working to upscale your security? Take the time to find out. Give the executive officers and directors the Overview and get to work on the profile. You’ll be glad you didn’t wait!
Lest you confuse all this work for a waste of time, think again! You’re actually securing the value of your organization. The FFIEC has released several statements to help clarify the threats and best practices.
Supply Chain Management
Move over, Vendor Management. Banking is a business and it knows how it creates value. In order to maintain those performance indicators, a bank knows what and whom it depends on to get the job done. Vendor relationships go far beyond a handshake these days. Trust must be proven, and a relationship that will make it through any storm is a must; Appendix J gives you four specifics. Though it outlines details for technology service providers (TSPs), it’s smart to apply this document to all critical service providers.
2016 calls for forms that standardize processes, develop information, measure impact and progress and are regularly used. What you don’t measure you can’t manage and evidence of that measuring is always in writing. Whether you have a top level software package with pre-populated templates or 3-ring binders and loose leaf paper, the value comes from keeping all that data organized and accessible. As long as you’re thorough and consistent, you’re doing it the right way.
Plan for the Future
Keep your vision clear – compliance is a small part of a bigger picture. Don’t shrink your standards by confining the scope to small parts. The planning process is an investment in the future value of the institution. It brings vision and hope. Have a vision, plan for long-term congruence in 2017 and beyond, and share it with everyone from the tellers at the drive thru to the board as often as possible.
You’ve got something important you’re protecting! When you require more assistance, don’t forget there are specialists who have traveled this road before. Give us a call and we’ll guide you in the right direction.