Banking on Change: GRC Lessons from a Financial Journey
I’m not sure there has ever been a time when banking hasn’t been in my life. My mom worked for a local bank where we lived, and my step-father currently works for a bank. I worked as a bank teller during college and went to work for a financial technology company after graduating.
Needless to say, banking is fairly ingrained in my blood, even though I work in the technology space now.
While some consider it slow, the financial industry does change, and I feel fortunate to have witnessed some of that change first hand. When I started working, I wrote checks and balanced my checkbook daily. Now, I don’t even have checks. I “balance” my checkbook by looking over my transaction history daily in my bank’s mobile application. I haven’t maintained a checkbook register for years. I went from installing ATMs that only distributed cash to ones that could take deposits and capture check images. I saw the Patriot Act implemented—what felt like overnight—in the aftermath of September 11th.
Borrowing a Standard Approach from the Financial Industry
The one constant during my banking career has been the FFIEC, the Federal Financial Institutions Examination Council. The FFIEC was established under the Financial Institutions Regulatory and Interest Rate Control Act of 1978 and began operating in 1979. It is an interagency body of U.S. federal financial regulators that prescribes uniform principles, standards, and examination procedures for the supervision of banks, credit unions, and other financial institutions, and it publishes guidance that those institutions are expected to follow. And yet, even the FFIEC undergoes change. I saw the expansion of the FFIEC to include a new member, the CFPB (the Consumer Financial Protection Bureau), in 2010.
A key goal for the FFIEC is to bring a standard approach to how its member agencies examine financial institutions and those that partner with them. As such, it has made its handbooks and examination procedures public and available to anyone who would like to review them.
Now, if you go to the FFIEC’s home website, you’ll get a chuckle, as that site doesn’t look like it’s been updated since I used Netscape to check email in my first Hotmail account. Its IT Examination page, by contrast, is an up-to-date, user-friendly site that provides the current versions of these resources.
When I first started auditing, I had to download and print these versions. I’m pretty sure the download to Excel wasn’t even an option. Today, you can view everything online and download the procedures only if you want to. We used these programs frequently to assist with developing our audits. The booklets are written in clear, easy-to-understand language and the work programs are structured with clear objectives, action steps and items to consider. An archive is even maintained so that you can review how you were audited previously.
Even though I’ve transitioned out of the financial industry, I go back to FFIEC guidance. I reference them for everything from finding a good definition (“tabletop exercise” for Business Continuity Management is one I have often used) to jump-starting an audit work program or adapting the parts that I need, and even jogging my memory for when topics became important.
Fun fact: The financial industry has been auditing vendor management programs since 1996.
What I Learned from FFIEC Work Programs
If you’ve stayed with me this long, you may be wondering why I’m touting the virtues of these work programs.
The first is from a cost and quality perspective.
Even in larger companies, my audit departments had small budgets for purchasing frameworks and audit programs. To this day, I have not seen what a full SIG questionnaire or an ISO 27001 program looks like. Resources like these gave me an easy way to learn about a topic and “plug-and-play” as needed. An example here is using the FFIEC Audit Booklet and its supporting procedures to help you perform a QAIP (Quality Assurance and Improvement Program) for your internal audit group. This work program is how the FFIEC reviews an internal audit shop at a financial institution, and it aligns with IIA expectations for internal audit groups. It’s a solid resource for a group that doesn’t have the funds but wants to demonstrate that it does review its own performance.
The second is a bit more personal.
If I ever mentioned that I used these programs, even as a supplement, I was often met with criticism and told, “We aren’t a bank.” I was told this by many who at that time didn’t realize how industry-agnostic most regulations and processes are. We all need to minimize loss, recover, and return to generating revenue; business continuity is for everyone, not just banks.
Anyone else feel like that needs to be a sticker?
The key to remember here is that I always adapted to the risk and industry that I was in. If a part of the work program wasn’t applicable, I removed it and didn’t test it. Or, if it was close, I used it as a draft and updated the step to what I needed. Always treat frameworks as baselines; I’ve seen people try to use frameworks cut-and-paste, only to aggravate their business partners. That is a large part of why colleagues would challenge me for using a financial industry work program.
I highly recommend that GRC professionals outside of the financial industry monitor that industry and use its changes as a lens into their own potential future. By keeping a close eye on the financial sector, GRC professionals can gain valuable foresight into emerging trends and practices that may soon become relevant to their own fields. In fact, third-party management, business continuity, and pandemic planning were part of the financial industry’s risk and control discussions before they filtered down to the rest of us.