CIO Cal has just called an impromptu staff meeting. After receiving the request for pre exam information from his federal examiner he has scanned it quickly and decides he needs to call in the troops.
CIO Cal: Okay Folks, we have a problem. We just received the pre-examination request kit from the feds for our upcoming IT Exam. (He continues while holding up the 17 page document.) It looks like they want us to answer all of these questions, put it on a CD and get it back to them by the end of the month. Now as you know, I will be off on a cruise down the Danube River while they are going to be here. So it’s all the more important that we rally around this. Can I count on you?
Development Deb: Well sure you can! Of course there is that little problem of the new Branch Capture rollout we are in the middle of. And oh, by the way, we never got that Change Management policy updated since they poked holes in it on the last exam. But we’re here for you!
Tech Services Tim: Hold up here big guy! We know for a fact that they didn’t like our vendor management policy on their last visit. We still haven’t gone through all of our contracts and rated them for risk. For that matter, I’m not sure we even know where they all are.
Data Center Dave: Do you think they’re going to be okay with the fact that we haven’t written up the results from our last Disaster Recovery test yet?
Security Officer Sandra: You did read the results from the last vulnerability assessment didn’t you? It looks like we don’t have supporting documentation for all of our user administration for the last year. That’s bad, right?
CIO Cal: Listen folks. We need a can do attitude here. These regulators aren’t going to have a sense of humor about this exam. We have got to get our act together quickly. The examiners are planning on being here in a month!!! (Pounds table at same time as his head starts pounding!!)
Development Deb: How about we assign Leftover Lou to it. He isn’t helping out on the Branch Rollout and he just wrapped up the planning for the football fantasy league. Surely he can handle a little task like writing some policy and procedures and assembling some documentation.
Tech Services Tim: We’ll do our part. I’ll have one of the staff get a database going and a central repository for all of the information set up. Lou shouldn’t have any problems filling in the blanks once we get all the technology in place. I’m thinking a cool little Access database here. Better yet, maybe this can be an opportunity to get a little SharePoint gig going here. (starts to drool)
CIO Cal: (starts to smile) Okay, now it’s starting to all come together. Let’s make this happen, folks! You’ll make sure I’m kept in the loop right? I’m counting on you.
The scene ends as Cal leaves for his tanning appointment (gotta look good for a cruise, right?). Wailing is heard over Leftover Lou’s cube walls as he hears his latest assignment.
Okay, can you tell I’ve been in on the receiving end of an exam? Let’s not understate the challenge. An exam can rock your world even if you are prepared for it. If you are not, oh boy, life can get bad fast. The list of policies and procedures that we are supposed to have in place seems endless: Information Security Program, Incident Response Plan, Vendor Management Program, Red Flag Program, yada yada yada. Who needs the disturbance of preparing all of this documentation crap, right when we are in the middle of solving real business needs??? Why oh why are the regulators so hung up on coming in and reviewing all of our policies and procedures? What’s that all about anyway?
Maybe it’s time to try a little bit of that paradigm shifting thing and look at this from a regulator’s viewpoint. Let’s go out on a limb and assume that the regulators are good at what they do and have the best interests of the banking public at heart. Perhaps there are even a few Gonzo regulators out there? (A big call out to examiner JoAnn here.) What would be their goals? I would think they would include continued ability to serve the banking needs of the public at large and safekeeping of customer information. Conservative practices aimed at keeping and retaining the public’s trust. If this is starting to sound familiar, it should. These should be our goals as well. So, if these are our goals, and these are the examiners’ goals, then why should a visit from the examiners be considered unproductive and somewhat scary?
It’s generally scary because most of us don’t pay the continuous attention to these myriad policies all year long and we rush to do it at the last minute before the exam. Then we end up taking our best shot at fixing the worst gaps. It wouldn’t be scary, of course, if we shut down what we were doing and worked on a policy once we discovered the need for one. But sadly, my Gonzo friends, I would say it’s a big old case of conflicting priorities. There is more demand on our limited IT resources than we have supply. The front line business units are desperately in need of new functionality to get a competitive advantage. The back office is in desperate need of operating efficiencies. The accountants need more and more information on all of those complicated investment vehicles they ended up owning. Everyone has a need, and you run into your peers in the hallways where they eloquently lobby you for resources. But the regulators, they don’t stop you in the hall and lobby for anything. The regulators sit out there like a big old mountain lion watching their prey just waiting … … … sorry, wrong analogy … I’ll start over …
The regulators develop best practices for sound operating procedures and expect you to be familiar with them. Then they expect you to prioritize the implementation of them. Then they expect you to follow up and document them. Then after you’ve done all of that they will stop by and have tea and cookies once a year and you can show them that you have it all firmly in your grasp and that you “get it”.
So how do we meet the demands of our business units and still get our policies in order so we can meet the demands of the examiners?
First, by understanding that the goals of the examiners do not necessarily conflict with yours. IF the goal of the examiners is to support the banking public through getting us to use best practices, and IF the examiners have really specified best practices, and IF they effectively communicate these best practices to us and IF they are flexible in how they let us apply these best practices, THEN there is not a conflict in goals between them and us. There is just a shortage of resources. And unfortunately, when there is a shortage of resources, implementing the policies and procedures required by the examiners needs to be done right along with all of your projects. They may not be more important than your other challenges during the course of the year, but they certainly aren’t less important.
Which brings us to the second point. You need to be familiar with the four P’s required by the examiners: programs, plans, policies and procedures. You need to understand which ones are optional and which ones are not. And since these are always changing, a certain part of someone’s time needs to be spent becoming familiar with and monitoring the examiners’ expectations on the FFIEC.gov site. If you don’t have it in your favorites list, here is your opportunity:
Finally and most important, we need to get more effective at developing and implementing policies and procedures. The truth is that most technologists in banking today are not good at authoring and implementing policies and procedures. The skills that make us good at implementing technology do not necessarily make us good writers. But, IF we are going to be able to keep up with our “real” work of supporting the lines of the business and ‘fit’ in the implementation of new policies and procedures to support the ever changing regulatory expectations, I maintain that we need to get as productive at implementing policies as we are at implementing technologies. How do we do this?
And here are a few bonus tips for making an exam go well:
Since we all know the scrutiny the regulators are under in today’s banking environment, we should assume they are going to be in our hip pockets, and here for a bit. If there is ever a good time to over prepare, it is now. And remember … … … there is nothing like a happy examiner to take the stress off of a true GonzoBanker.