The Examiners Are Coming!!

CIO Cal has just called an impromptu staff meeting. After receiving the request for pre exam information from his federal examiner he has scanned it quickly and decides he needs to call in the troops.

CIO Cal: Okay Folks, we have a problem. We just received the pre-examination request kit from the feds for our upcoming IT Exam. (He continues while holding up the 17 page document.) It looks like they want us to answer all of these questions, put it on a CD and get it back to them by the end of the month. Now as you know, I will be off on a cruise down the Danube River while they are going to be here. So it’s all the more important that we rally around this. Can I count on you?

Development Deb: Well sure you can! Of course there is that little problem of the new Branch Capture rollout we are in the middle of. And oh, by the way, we never got that Change Management policy updated since they poked holes in it on the last exam. But we’re here for you!

 

Tech Services Tim: Hold up here big guy! We know for a fact that they didn’t like our vendor management policy on their last visit. We still haven’t gone through all of our contracts and rated them for risk. For that matter, I’m not sure we even know where they all are.

Data Center Dave: Do you think they’re going to be okay with the fact that we haven’t written up the results from our last Disaster Recovery test yet?

Security Officer Sandra: You did read the results from the last vulnerability assessment didn’t you? It looks like we don’t have supporting documentation for all of our user administration for the last year. That’s bad, right?
 
CIO Cal: Listen folks. We need a can do attitude here. These regulators aren’t going to have a sense of humor about this exam. We have got to get our act together quickly. The examiners are planning on being here in a month!!! (Pounds table at same time as his head starts pounding!!)

Development Deb: How about we assign Leftover Lou to it. He isn’t helping out on the Branch Rollout and he just wrapped up the planning for the football fantasy league. Surely he can handle a little task like writing some policy and procedures and assembling some documentation.

Tech Services Tim: We’ll do our part. I’ll have one of the staff get a database going and a central repository for all of the information set up. Lou shouldn’t have any problems filling in the blanks once we get all the technology in place. I’m thinking a cool little Access database here. Better yet, maybe this can be an opportunity to get a little SharePoint gig going here. (starts to drool)

CIO Cal: (starts to smile) Okay, now it’s starting to all come together. Let’s make this happen, folks! You’ll make sure I’m kept in the loop right? I’m counting on you.

The scene ends as Cal leaves for his tanning appointment (gotta look good for a cruise, right?). Wailing is heard over Leftover Lou’s cube walls as he hears his latest assignment.

Okay, can you tell I’ve been in on the receiving end of an exam? Let’s not understate the challenge. An exam can rock your world even if you are prepared for it. If you are not, oh boy, life can get bad fast. The list of policies and procedures that we are supposed to have in place seems endless: Information Security Program, Incident Response Plan, Vendor Management Program, Red Flag Program, yada yada yada. Who needs the disturbance of preparing all of this documentation crap, right when we are in the middle of solving real business needs??? Why oh why are the regulators so hung up on coming in and reviewing all of our policies and procedures? What’s that all about anyway?

Maybe it’s time to try a little bit of that paradigm shifting thing and look at this from a regulator’s viewpoint. Let’s go out on a limb and assume that the regulators are good at what they do and have the best interests of the banking public at heart. Perhaps there are even a few Gonzo regulators out there? (A big call out to examiner JoAnn here.) What would be their goals? I would think they would include continued ability to serve the banking needs of the public at large and safekeeping of customer information. Conservative practices aimed at keeping and retaining the public’s trust. If this is starting to sound familiar, it should. These should be our goals as well. So, if these are our goals, and these are the examiners’ goals, then why should a visit from the examiners be considered unproductive and somewhat scary?

It’s generally scary because most of us don’t pay the continuous attention to these myriad policies all year long and we rush to do it at the last minute before the exam. Then we end up taking our best shot at fixing the worst gaps. It wouldn’t be scary, of course, if we shut down what we were doing and worked on a policy once we discovered the need for one. But sadly, my Gonzo friends, I would say it’s a big old case of conflicting priorities. There is more demand on our limited IT resources than we have supply. The front line business units are desperately in need of new functionality to get a competitive advantage. The back office is in desperate need of operating efficiencies. The accountants need more and more information on all of those complicated investment vehicles they ended up owning. Everyone has a need, and you run into your peers in the hallways where they eloquently lobby you for resources. But the regulators, they don’t stop you in the hall and lobby for anything. The regulators sit out there like a big old mountain lion watching their prey just waiting … … … sorry, wrong analogy … I’ll start over …

The regulators develop best practices for sound operating procedures and expect you to be familiar with them. Then they expect you to prioritize the implementation of them. Then they expect you to follow up and document them. Then after you’ve done all of that they will stop by and have tea and cookies once a year and you can show them that you have it all firmly in your grasp and that you “get it”.

So how do we meet the demands of our business units and still get our policies in order so we can meet the demands of the examiners?

First, by understanding that the goals of the examiners do not necessarily conflict with yours. IF the goal of the examiners is to support the banking public through getting us to use best practices, and IF the examiners have really specified best practices, and IF they effectively communicate these best practices to us and IF they are flexible in how they let us apply these best practices, THEN there is not a conflict in goals between them and us. There is just a shortage of resources. And unfortunately, when there is a shortage of resources, implementing the policies and procedures required by the examiners needs to be done right along with all of your projects. They may not be more important than your other challenges during the course of the year, but they certainly aren’t less important.

Which brings us to the second point. You need to be familiar with the four P’s required by the examiners: programs, plans, policies and procedures. You need to understand which ones are optional and which ones are not. And since these are always changing, a certain part of someone’s time needs to be spent becoming familiar with and monitoring the examiners’ expectations on the FFIEC.gov site. If you don’t have it in your favorites list, here is your opportunity:

https://www.ffiec.gov/ffiecinfobasendex.html.

Finally and most important, we need to get more effective at developing and implementing policies and procedures. The truth is that most technologists in banking today are not good at authoring and implementing policies and procedures. The skills that make us good at implementing technology do not necessarily make us good writers. But, IF we are going to be able to keep up with our “real” work of supporting the lines of the business and ‘fit’ in the implementation of new policies and procedures to support the ever changing regulatory expectations, I maintain that we need to get as productive at implementing policies as we are at implementing technologies. How do we do this?

1. Project methodologies. Once you determine a need for designing or revamping a new policy or procedure, you should treat it just like any other technology project. This means using the same project tracking processes and methodologies you would for any other project. If we have heard it once in Gonzo land we have heard it a bazillion times: Building and implementing policies takes large amounts of labor and focus. If this is true, why aren’t we asking for approval and tracking them like we would any other project? 
2. Project sponsorship. The surest way to kill an effort to get a new policy or procedure implemented is to delegate it. This is a call to CIOs, IT directors and IT managers out there to sponsor these types of projects yourself. And I’m not talking about getting people started and heading for your next meeting. I’m talking about being involved, making a rough outline, helping your people become better writers, helping them understand why the procedures are necessary from a thirty thousand foot level, proofing the final policies, etc. Who better understands the need for the policies and procedures than you? And quite frankly, your writing skills should be as good as or better than those of your staff, and this is an area in which you can actually help them.
3. Assign your best people to the effort. Your best technicians are also going to be the most knowledgeable about your infrastructure and the most prepared to develop a policy. When you exclude them from developing policies and procedures you send a signal right out of the gate that developing policies isn’t important to you.
4. Encourage your people to follow the same steps they do on any other project. In particular, don’t skip the research phase. Part and parcel of having a successful outcome at your exam is to make sure that the authors of your policies understand what the examiners are looking for. The expectations of the examiners couldn’t be clearer since they have their examination guides out on their Web site. Anyone assigned to write a policy and procedure in IT these days needs to head to FFIEC.gov before starting to write.

And here are a few bonus tips for making an exam go well:

1. Set the examiners up in nice digs. They’re on the road, away from home. Putting them in a broom closet isn’t going to help your outcome. Set up a printer and phone and get them a secure Internet connection before they arrive.
2. Pretty up your Pre Exam Request Kit response. Get it on a CD, and use their table of contents. Create hyperlinks to your policies and procedures so they can easily navigate through your responses. This will pay dividends in future years as you can use the same format and just replace your updated policies.
3. Stop by and visit with the examiners each day during the audit. There are many exam findings that can be headed off just by talking and clearing up misunderstandings. If I talk to a CIO and he/she says that the examiners are in and everything is going well, I immediately ask, “How do you know?” If the answer is “Everything must be okay since I haven’t heard anything,” then I think the CIO should be very, very nervous. Standard routine for the examiners is to notify you of their findings in the exit exam. If you want to head off miscommunications prior to that, the burden is on you.
4. Prepare your staff before the examiners come in. Train them to be helpful, and to provide requested info in its entirety. Also they should know to NOT volunteer anything not asked for. Then, turn them loose to work with the examiners. Trying to channel everything through the CIO is unproductive and also can be seen as lack of transparency by the examiners.

Since we all know the scrutiny the regulators are under in today’s banking environment, we should assume they are going to be in our hip pockets, and here for a bit. If there is ever a good time to over prepare, it is now. And remember … … … there is nothing like a happy examiner to take the stress off of a true GonzoBanker.
-br