
Utah Bankers Association Compliance Conference

September 27, 2010

See us at the Utah Bankers Association Compliance Conference at Park City, UT September 29 – October 1.

http://myemail.constantcontact.com/UBA-Compliance-Conference.html?soid=1102717540719&aid=iSr4GVh9kGI.

Spreadsheets Aren’t Free

July 21, 2010

Most financial institutions rely on a patchwork of spreadsheets and documents to catalogue compliance activity. This people-driven system adds untold hidden costs to the compliance process—costs in labor, time, and lost opportunity.  Sometimes you have to spend to save, and compliance is one area ripe for dividends.  It’s time to automate…for the sake of the bottom line.

More People

As reported in Deloitte’s 2007 Global Banking Industry Outlook, compliance is demanding an ever larger percentage of an institution’s operating budget.  As regulations increase, most organizations are responding with additional human resources rather than technology.

In fact, 95% of the financial institutions surveyed said their executives were much more involved in compliance management than in the past, with 40% saying that the time devoted to compliance had increased by more than 25%.

More regulations mean more people—exponentially more people.  As regulations increase and as the institution expands, the management task grows larger.

Already compliance costs are growing faster than net revenue. Unless organizations can find a way to automate, they can only expect to allocate increased time and energy to compliance, further eroding financial returns.

Spreadsheets Add Cost

Examiners want to see a consistent and repeatable approach to risk management that’s integrated into daily operations.  But processes that rely on spreadsheets are a poor choice because they are usually “owned” by part-time compliance officers who can’t easily pass the system on to others. Spreadsheets aren’t easily managed by multiple parties, and as a result several versions often propagate throughout an organization.

What’s more, spreadsheets lack an audit trail—who changed what, when, and why—that could otherwise provide ready proof that an organization has made risk management a thoughtful, year-round activity.

Spreadsheets become veritable data silos. Without automation, users must cut and paste information from one data source to another.  Without integration, the organization lacks an enterprise-level view of risks, costs and opportunities.  Either way, the process is limited and inefficient.

Organizations that automate, on the other hand, control these costs.  They streamline processes, eliminate duplication of effort, and trim expense. With automation, organizations use technology—not additional staff—to accomplish risk assessments and track compliance activity.

Remember when email first came on the scene?  Andy Grove, former chairman of the board for Intel, prognosticated, “There are two kinds of businesses: those that use email and those that will.”  And so it goes with compliance automation; it’s just a matter of how much money you’ll burn on those spreadsheets before you get there.

Here are five hidden ways spreadsheets add costs:

  1. Built From Scratch. It takes a good deal of time just to figure out what information to collect and how to best record it.  Software systems eliminate that learning curve with built-in FFIEC guidance.  Users can choose from ready-to-go templates or edit information to suit their needs.
  2. Everything (and we mean everything) is Manual. Copy, cut, paste.  Toggle back and forth between worksheets and narrative documents.  Scroll, search, and search some more. The whole process is labor intensive and prone to errors in both data entry and analysis.  Software systems automatically update associations between interrelated assets and controls, track user changes, send reminder notices, highlight high risk areas, and generate reports.
  3. Extended Examinations. Spreadsheets = examiner headaches.  The harder it is to pull information for the examiners, the more your costs go up.  Lengthy exams are costly as valuable employees are pulled away from their regular jobs. Automated tools deliver commonly requested compliance reports, and users can choose to give examiners direct access to the system.
  4. Duplication. Duplicate information means duplicate effort. GLBA, BSA, Red Flags, vendor management, your own institution’s best practices—they’re all interrelated. Now multiply that across all your locations and business divisions.  Spreadsheets can’t integrate that information. Software creates a common framework to manage all those requirements in a consistent, connected format.
  5. Mistakes & Lost Opportunities. With spreadsheets the responsibility for analysis lies solely with the individual.  It’s a Herculean task to synthesize all that data.  And while human analysis will always be critical, it cannot match software for efficiency, accuracy and depth.  The right automation tool will demonstrate which assets are most vulnerable and where new security controls will provide the highest return on investment. Automation provides the institution transparency in both its strengths and weaknesses. Spreadsheets, on the other hand, add layers of confusion.

The attachment to spreadsheets is clear.  Microsoft Excel is widely popular and most financial professionals have a strong working knowledge of the application.  And yes, it has some powerful analysis capabilities.  But it can’t support the depth and breadth of information an organization needs to manage compliance activity.

You don’t use a putter to get out of a sand trap. It’s simply not the right tool for the job.

Switch to an automated risk management tool, like Scout, and suddenly the institution gains.  You get efficiency, actionable business intelligence, and better security.  And much, much easier examination days.

The cost savings are near immediate.  Scout users report drastic reductions in time spent on compliance management.  That frees up valuable time to refocus on revenue building initiatives.

Don’t waste another dollar.  Organizations that rely on spreadsheets will experience a continued escalation of costs, time consuming examinations and possible fines.  Failure to automate will jeopardize your competitive position.  And that, certainly, is the most costly risk of all.

HIPAA security rule = risk assessment

June 25, 2010

The HIPAA security rule requires a risk assessment from institutions that protect health information. Watch for updates on how Scout can help!

More to come on this topic soon.

Vendor Management Best Practices

June 17, 2010

Nine Simple Steps to Vendor Management

Using a third-party vendor naturally subjects an institution to risks outside its control.  From a data breach to an unexpected shutdown, banks and credit unions are subject to a variety of vendor-related events that could lead to loss of revenue, loss of service or reputation damage.

That’s why FFIEC standards for vendor management have become a significant part of regulatory examinations.  Examiners are putting a stronger focus on the guidelines, pushing organizations to better prepare themselves for the unexpected.

Notably, outsourcing does not remove an institution from liability should vendors fail to meet information security requirements.  An effective vendor management program protects an institution by ensuring its vendors are making all necessary efforts to safeguard information.

Don’t Sweat the Small Stuff

Vendor management can seem like a tall order, especially when you consider that many banks and credit unions work with more than 100 outside vendors.  But oftentimes, institutions make the process harder than it actually is by tackling too many vendor reviews and collecting too much information.

The regulations ask you to look at vendors who have access to customer information or processing systems and those that potentially pose critical risks.  For most institutions, that’s usually no more than a dozen vendors.  Focus your attention there.  Examiners only expect you to concentrate on those relationships that pose critical risks.

Step-by-Step

We’ve analyzed the FFIEC vendor due diligence guidelines and consulted examiners to break the process down into nine simple steps.  Here’s how to get started…

Step 1:  Start with a list of your vendors.

List anyone you’re doing business with—anyone you outsource to in some function, whether it’s mowing the lawn, cleaning, credit card processing, public relations, or IT.

Step 2:  Rate each vendor on criticality

Ask yourself, ‘If this vendor stops providing this service tomorrow, what will it do to my organization?’  If you’ll have to shut your doors or stop providing a service, the vendor is critical.  If you might not even notice for a while (gosh, that grass is getting long), then that’s a low criticality vendor.

Step 3:  Rate each vendor on confidentiality

Identify what each vendor has access to in terms of customer information—account numbers, names, addresses, account info.  As with criticality, rank this access high, medium or low.

Step 4:  Sort the vendors by rank

Sort your list of vendors by both criticality and confidentiality.  A high ranking in either category means you need to pay attention to that vendor.  Naturally, 12 to 20 vendors will float to the top in either category.  If you have more than two dozen in either group, you’ve scored them too heavily.

Step 5:  Normalize your rankings

This is a cross check of sorts.  Take a look at all your rankings collectively and make sure they make sense as a group.  Is it logical that your high risk vendors are really more critical than the ones below?  You’ll often find minor adjustments when you take a high level overview.

Step 6:  Identify risks for high-ranking vendors

According to the regulations, you need to rate all your vendors.  But once that’s done, you only need to focus on the high criticality and high confidentiality providers.  Remember these should be relatively short lists.

Identify what risk each of the vendors may pose and what controls they should have in place to temper those risks.  For example:

  • This vendor is critical to my operations.  What if there’s a fire, flood, or power outage?  Do they have a disaster recovery plan?  A business continuity plan?
  • What happens if they make an error? Do they have liability insurance?
  • They have access to customer information.  What security measures are they taking?  What is their response plan if a data breach occurs?  Does it work with my response plan?

Identify the controls (i.e. risk mitigation efforts) they should have in place to a) secure information and b) minimize the impact on your organization.

Step 7:  Begin your due diligence

Start collecting evidence of those controls and risk mitigation processes.  Create a file.  You want to verify the vendor has a plan in place.  See if it meshes with your plan and sounds reasonable.  Get a copy of their disaster recovery plan and liability policy.  Ask for pertinent staff bios to determine if they have qualified personnel.  Check references and be sure other clients report satisfaction.

Step 8:  Request improvements or switch vendors

If the vendor doesn’t have adequate controls in place, you need to have a dialogue and convince them to meet your standards.  If you can’t find resolution, you may need to select a different vendor.

Step 9:  Reevaluate

Annually, go through your list of vendors and decide if their risk rating needs to be changed.  Also, reevaluate your high risk vendors to make sure their controls are appropriate for the current risk environment.  Has your relationship changed in the last year?  Have security threats evolved?  Are their certifications up-to-date and contracts current?  Continue to manage your risks and relationships.
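As an added example (not part of the original post, and not Scout’s own code) of Steps 2 through 6, here is a Python script that rates a constructed vendor list on criticality and confidentiality, sorts it, flags the vendors that need due diligence, applies the two-dozen sanity check, and lists the Step 6 controls to collect evidence for in Step 7. Vendor names, services and ratings are constructed for illustration.

```python
from dataclasses import dataclass

# Rating scale used for both criticality (Step 2) and confidentiality (Step 3)
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Vendor:
    name: str
    service: str
    criticality: str      # impact if the service stops tomorrow (Step 2)
    confidentiality: str  # access to customer information (Step 3)

    def __post_init__(self):
        # Reject anything outside the high/medium/low scale
        for level in (self.criticality, self.confidentiality):
            if level not in LEVELS:
                raise ValueError(f"unknown rating {level!r} for {self.name}")


def sort_by_rank(vendors):
    """Step 4: highest criticality first, then confidentiality, then name."""
    return sorted(
        vendors,
        key=lambda v: (-LEVELS[v.criticality], -LEVELS[v.confidentiality], v.name),
    )


def high_risk(vendors):
    """Step 6: a high rating in either category puts a vendor on the short list."""
    return [v for v in vendors if "high" in (v.criticality, v.confidentiality)]


def scoring_sanity_check(vendors, limit=24):
    """Step 4 caveat: more than two dozen 'high' in a category means over-scoring.

    Returns a dict of category -> count for any category over the limit.
    """
    too_many = {}
    for category in ("criticality", "confidentiality"):
        count = sum(1 for v in vendors if getattr(v, category) == "high")
        if count > limit:
            too_many[category] = count
    return too_many


def expected_controls(vendor):
    """Step 6 questions turned into the evidence to request in Step 7."""
    controls = ["liability insurance"]  # 'What happens if they make an error?'
    if vendor.criticality == "high":
        controls += ["disaster recovery plan", "business continuity plan"]
    if vendor.confidentiality == "high":
        controls += ["information security measures",
                     "data breach response plan compatible with ours"]
    return controls


# Constructed sample vendor list (names and ratings are made up)
SAMPLE_VENDORS = [
    Vendor("Lawn Care LLC", "landscaping", "low", "low"),
    Vendor("Core Banking Processor", "core processing", "high", "high"),
    Vendor("Shred-It-All", "document destruction", "low", "high"),
    Vendor("IT Support Partners", "network support", "medium", "high"),
    Vendor("Card Processing Co", "credit card processing", "high", "high"),
    Vendor("PR Agency", "public relations", "low", "low"),
]


def due_diligence_plan(vendors):
    """Map each high-risk vendor to the controls to collect evidence for."""
    return {v.name: expected_controls(v) for v in high_risk(sort_by_rank(vendors))}


if __name__ == "__main__":
    if over := scoring_sanity_check(SAMPLE_VENDORS):
        print("Re-check your ratings, too many 'high':", over)
    for name, controls in due_diligence_plan(SAMPLE_VENDORS).items():
        print(f"{name}: request {', '.join(controls)}")
```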

Prepare for the Unexpected

The vendor management process helps your organization plan for the unexpected.  As you identify the risks, you need to make sure controls and protocols are in place so that should something happen, neither you nor your vendor has a disastrous outcome.

Understand the relationship up front, and make plans to deal with any damaging events.  The last thing you want to do in a crisis is spend time figuring out what to do next.  And when it comes to public relations, any crisis is better contained when you can show that due diligence was both thorough and thoughtful.  Simply put, you don’t want to fail because you forgot to plan.

Evaluating Specialist Providers

You may feel overwhelmed when it comes to evaluating an IT firm, credit card processor or other complex service provider.  Don’t be intimidated.

The examiners don’t expect Herculean review efforts.  You don’t need to send in your own security testing team.  What you do need is assurance the vendor is following industry best practices.

When an examiner asks why you feel comfortable with a certain vendor, provide a rational argument and documentation demonstrating you’ve done your due diligence.

You might request the following:

  • SAS 70 audit report (credit card processors)
  • PCI compliance (credit card processors)
  • Third party certifications
  • Staff experience & education
  • Customer recommendations
  • Industry awards

You don’t have to understand the intricacies of a vendor’s business.  You can secure reasonable proof of quality by relying on third-party certifications and other logical evaluation measures.

Scout for Vendor Management

Scout manages the vendor environment in much the same way it tracks your organization’s risk assessment process.  Use Scout to:

  • Rank vendor criticality, confidentiality and performance.
  • Schedule and be reminded of due diligence reviews based on identified risks and FFIEC guidelines.
  • Attach supporting documents.

Right from initial use, Scout automates and simplifies vendor management.  It guides users through the process, including prompts to request relevant information and conduct reviews.

Scout’s vendor management module was built using FFIEC guidance and includes the agency’s 12 recommended due diligence considerations.  Institutions can customize the application, adding their own due diligence criteria.

Users report that consistency and organization improve dramatically with Scout.  It helps institutions set consistent review criteria and provides a central storage system for contracts, insurance policies and other essential documentation.

Scout is a risk assessment dashboard that also includes modules for GLBA, Red Flags, and BSA.

Woodland Bank Case Study – Scout for ‘what-if’ analysis

June 2, 2010

Woodland Bank Secures New Loan Production Office

Woodland Bank is a family owned institution with a 90-year history of service to the families and businesses of Minnesota. With six branch locations throughout the north central region of the state, the bank has established itself as a modern, forward-thinking organization. Woodland Bank opened a separate loan production office, supporting increased residential and commercial development in their area.

The Bank’s Challenge

Woodland Bank was planning to open a loan production office and needed to initiate proper security measures that would protect its customers and comply with regulatory requirements. Even though the office wouldn’t process cash, the bank still needed to secure customer information stored on the server and desktops. Chief Operations Officer, Jenn Spartz, understood the security challenges but needed to communicate this unique environment to her board. She turned to Scout to create a hypothetical risk scenario that would not only double-check her own risk expectations but then help the board decide whether or not to make a deeper investment.

Woodland Bank’s Scout Solution

Woodland Bank had already been using Scout for risk assessments across its six existing locations. That meant COO Jenn Spartz had a strong head start on evaluating the new office’s needs. Scout streamlined the process, enabling her to copy common asset features (such as network information) from existing branches to a risk assessment for the new office. After that it was a matter of simple edits to create a risk assessment consistent with the new facility’s intended design and purpose.

While management understood the loan production office would be different from a full service branch, going through the Scout risk assessment clarified the differences. Not only did Scout help document the risks that were atypical of a traditional branch, it allowed the risk team to test the impact of various security controls and refine facility design.

Highest ROI. Using Scout as a ‘what if’ tool helped the team assess and evaluate additional security measures such as a stronger server room door and more locks. Because the risk assessment revealed vulnerabilities that meant the bank would have to allocate more money, the team wanted to find those security upgrades that would provide the highest return on investment.

Board Approval. Once the risk assessment was complete and recommendations established, the COO used Scout’s graphical reporting tools to present her case to the board. Scout allowed her to illustrate the risk environment and security options in a visual format the board could readily understand.

Upon review, the board agreed that additional controls were required. Scout gave them the information they needed to step back before build-out plans were complete and implement additional security controls that would address the uniqueness of the new loan production facility.

Scout also assisted the bank in meeting a basic regulatory requirement for board oversight. Once the board understood the risk environment, members opted to accept certain risk elements instead of mitigation. The risk environment was understood, communicated, and acknowledged—as required—giving the bank a strong foundation for future security planning.

“The board wasn’t thinking about all the information that’s housed on our networks. Scout helped me put it in perspective for them, and they allocated funds to put additional security in place.” – Jenn Spartz

After implementing Scout, Woodland Bank realized numerous benefits including the following:

Spent less administrative time compiling the risk assessment. Woodland Bank’s risk officer spent approximately eight hours on the entire risk mitigation process, from initial risk assessment to risk team meetings and board reporting. This is a fraction of what the process would have required under their old spreadsheet system.

Increased facility security by identifying vulnerabilities and presenting the board with a clear picture of the risk environment.

Minimized security spending by focusing on those controls that would provide the biggest impact for the dollars invested.

Earned examiner approval during an annual audit of the bank’s primary branch locations and established a strong foundation of risk assessment information for the new production office.

Capture Your Risk with Scout

Scout is a web-based risk assessment dashboard that automates the risk assessment process, tracks security controls, and simplifies the compliance process.

Compliance requirements are increasing. Stop trying to piece together information from a collection of unconnected spreadsheets. Get best practice templates, create clear proof-of-compliance logs and receive automated review schedules.

Scout gives you these competitive advantages:

  • Reduce time spent on compliance
  • Eliminate costly duplication of effort
  • Spend less by identifying the highest ROI
  • Gain useful business information for meaningful security
  • Meet compliance requirements and enjoy smoother exams

The end result is better information security and business continuity—anything less can cost your institution untold amounts in reputational damage, fines and crisis response costs. Proactive mitigation is essential to long-term success.

Scout includes integrated modules for GLBA, controls audit, Red Flags, Vendor Management and BSA.

To learn more about Scout,

call 608.785.7101 or visit

www.supernal.com


Supernal Reveals New BSA Module, Improves Risk Management Dashboard

May 20, 2010

La Crosse, WI – May 18, 2010 – Supernal Software unveiled Scout 2.0, the newest version of its risk management dashboard.  Headlining the new features is a BSA (Bank Secrecy Act) component, helping financial institutions be compliant with anti-money laundering regulations.

Now organizations can manage their risk scenarios and track compliance with GLBA (Gramm-Leach-Bliley Act), Red Flags, vendor management, and BSA requirements all from one integrated application.

“Regulations are getting tougher, and banks are responding by throwing more people at the issue. That’s why financial institutions are increasing their compliance spending faster than net revenue growth,” said Peter Griffith, President of Supernal Software. “That’s a problem.”

“Scout stops this money drain by automating the compliance process,” Griffith continued.  “Our clients are spending less, but getting more benefit from all required compliance activity.”

The latest Scout version goes further to eliminate duplication and streamline the risk management process.  Following step-by-step templates, users receive clear risk intelligence that meets the needs of small and medium-sized financial institutions—and their auditors—all within a single application.

The latest version also includes improved usability and added features such as check boxes for quicker updating, calendar pop-ups, and user override reports.

As always, Scout updates are automatically available to Scout subscribers through the web-based interface, at no extra cost.

Supernal is offering online webinars, introducing Scout users to the new features, at 2:00 p.m. on May 27 and at 9:30 a.m. on May 28, CDT.  While the webinars will be geared to existing users, prospective users can request an introductory demo.

For more information contact Maria Norberg at 608-785-7101.

Scout – the beginning

April 20, 2010

History Lesson 101: How Scout came to be named Scout.

Reconnaissance is a military term denoting a mission to obtain information about the activities and resources of an enemy or the characteristics of a particular area. Primarily, this is done as preliminary reconnaissance (also known as scouting). A commander will employ a scout to gather information about an enemy’s composition, layout, and capabilities in their current environment.

Now take risk assessments. The very definition of a risk assessment is a determination of the value of risk related to a recognized threat or hazard. In the same way, Scout is doing the preliminary reconnaissance on the risk factors affecting the financial institution.

As per post #1, Scout is a risk assessment dashboard for financial institutions. It helps institutions manage GLBA, vendor management, red flags, and BSA risk assessments. Why do most institutions do risk assessments? Well, the regulations say so (Section 501(b) of the Gramm-Leach-Bliley Act of 1999). However, besides completing a risk assessment just to satisfy the examiners, there are also several other reasons why completing a risk assessment on your institution is beneficial – primarily the business aspect of banking. Any type of banking is risky business. Any time your institution lends money, extends credit, or processes a transaction, you are accepting some risk – which is okay, because some risk is acceptable, but exposing your institution to some types of risk could cause failure.

We here at Supernal want you to have a good, solid risk assessment that will pass examinations and will help the board make decisions on the risk environment when needed.

Don’t do a risk assessment and leave it in your file cabinet until next year’s examination rolls around. Make it something useful: a living, breathing document that, at any time, reflects the current risk environment your institution faces every day. Use Scout as that preliminary reconnaissance tool that can help you be prepared for the risk ahead.

Introducing: Scout – Real-time Risk Management Dashboards

April 1, 2010
Supernal Software

Hello world! Meet Scout, a risk management dashboard from Supernal Software.

Scout was developed by a former state examiner and executive vice president of a large financial institution. The idea was to create a simple approach to risk assessments that gave more detail and more accuracy without the headache of figuring out spreadsheets. Now, here we are, two years later, and Scout has grown to be a highly effective tool at helping both large and small institutions carry out and understand their risk assessment processes. We have also expanded our capabilities immensely over the years to include modules for GLBA, controls audit, vendor management, red flags, and now Bank Secrecy Act risk assessments.

The fact of the matter is, well, let’s face it – risk assessments are often a tedious and cumbersome job that makes compliance officers miserable. Too often, they provide little insight for management and boards into the risks your institution faces and the steps you’re taking to mitigate them.

Risk assessment and risk management activities don’t have to be so frustrating and confusing. Our website offers some helpful advice and insight on the risk assessment challenges banks and credit unions face today, including tips and best practices for making the process more effective and valuable to your institution.

Okay, already – enough about Scout and on to the information, regulatory and compliance news. We will be blogging about new risks in the financial environment; recent litigation that you should be made aware of; what the crooks are up to; new regulations that might affect your risk management activities; conventions that we will be attending; Lunch n’ Learns that we will be sponsoring; enhancements that we are considering adding to Scout; and what ugly tie Tom might be wearing today… All very important stuff.

So, stay tuned and we hope you enjoy our blog :)

~Maria
