Regulatory Compliance: It's Not Enough to Plan; You Must Test
Beyond the obvious problems with achieving compliance, typically missing required controls (e.g. vendor management programs, incident response plans, etc.) and not conducting routine audit and assessment activities, there's a much greater risk lurking in the shadows. It's not unknown to me, but while out conducting fieldwork last week its enormity dawned on me: what if you have your programs and related controls in place, but they don't really work?
We see it quite a bit with vendor management, where at a high level everything looks fine, but you come to realize that only a few vendors are being managed by the program. Probe and ask the client why, and the typical response is "Those are our most critical vendors." Ask them how they arrived at this conclusion, and ask for supporting information, and the conversation often ends right there.
Or with Incident Response Plans, you'll see multiple references to filling out either a Suspicious Activity Report (SAR) or a similar template, but the plan either doesn't include the template or, if it does, doesn't tell you who to send it to. My favorite follow-up to that one is to request all reported incidents from the previous year. Care to guess how many actually had any to share with me? And yet many of these institutions have all their documentation in order, and examiners, pressed for time, review the program and are never able to move beyond it to see if it's working properly.
Before I go any further, I want to offer a disclaimer. Since I've been blogging here, I've been very careful to never tip my hand and provide any indication of which of our many clients I'm referring to in my posts. Sometimes I'm sure that when they read the post they recognize themselves, although no one else ever would. But before continuing, I feel compelled to point out that what I'm discussing addresses a fairly high percentage of our clients, and not the ones I've most recently worked with. Just the same, after reviewing their dense Business Continuity Plan (BCP), I was amazed by how much was missing, how out of date it was and, of greater significance, how unlikely it was to be a true help should they ever need to rely upon it. But there was something déjà vu-like about this. After I returned to the office, I spent a few days poring over my notes and reports for the past 12 months to confirm my nagging suspicion: only an estimated 15 percent of our clients had functional plans in place based on our fieldwork. Of those that did not have their plans properly completed, current and tested, all but one of them were relying on a popular BCP software package that offers the promise of a complete, functional and compliant plan. And after having worked with this program directly for several of our clients, I can tell you firsthand that it's phenomenal; it has everything in there that you could want or need and is something I wish I had access to a decade ago when I worked on BCP during my Wall Street years. However, asking small and mid-sized financial institutions to use this platform to cover what they need to is akin to trying to kill a fly with a shotgun; it's just too much. And very few of these institutions that we've worked with have the knowledge, skill sets or resource bandwidth necessary to pull this all together to begin with.
Business Continuity Planning is somewhere between an art and a science, and asking an IT manager or compliance officer or auditor to build one is not likely to get it done. So, you have a very big, comprehensive solution combined with a general lack of knowledge on how to use it properly, and the results are often bloated documentation that has the right weight physically, but fails in varying degrees under any real scrutiny.
So where's the value in purchasing or creating a solution that doesn't work? I often point out to our clients that you build out the regulatory programs for one of two reasons: to keep the examiners happy, or to actually manage the associated risks. I'm an advocate of the latter because if you need to do the work, do it right and make it work for you. But how many of you out there have your programs in place, have passed examiner scrutiny and still don't know for certain that it's functioning as expected? Here's a freebie to conduct your own mini-self assessment: How many recorded events do you have so far from your Identity Theft Red Flags program after three months? Does your vendor inventory from your BCP match the vendor inventory in your Vendor Management Program? If you don't have good answers to either of these, you should do something about it. If you're not sure if you have good answers to either of these or don't understand the questions, drop me an email and I'll be happy to help you work through it.
The old cliché works just fine here: Anything worth doing is worth doing right. The best time to know for certain that your controls are functioning as expected is before you need to rely on them. If you haven't already done so, add tests to the schedule for all of your key compliance activities this year; that way you'll have a higher degree of certainty that your hard work will not go to waste. Whatever you do, though, don't let those risks remain in the shadows.