With the FFIEC’s November 2015 release of the organization’s IT Technology Examination Handbook, many financial institutions’ board members are in for a big surprise.
Section I.A.1, Board of Directors Oversight, under I.A – IT Governance, requires financial institution (FI) boards of directors to take a more active role in understanding and managing their institution’s IT vendors, strategy, and risks. In fact, the board will be held responsible for reviewing third-party IT service provider (ISP) strategic planning and ensuring it is in alignment with the institution’s overall business strategy, participating in ISP risk assessments, and overseeing their ISPs’ information security and resilience against cyber-threats. The board is now part of the approval process too.
Here are additional accountabilities FI boards are now required to share with their management teams:
- Actively promoting the institution’s IT governance
- Approving critical IT projects and the expansion of mobile products
- Overseeing feasibility studies surrounding the financial, security, and business continuity soundness of ISPs
- Determining the adequacy and allocation of IT resources and the funding of implementation
- Holding internal business units accountable for identifying and measuring impacts of risks, and providing guidance on the mitigation of those risks
- Requiring and reviewing reports and analyses from all IT business units
- Providing comprehensive, independent audits of IT controls
Boards may elect to create steering committees to manage the FFIEC’s new stipulations for their involvement in their FI’s IT vendor management process, but this is not always a viable option for smaller organizations. As such, the board or board committee, management, and IT personnel are responsible for taking ownership of the tasks at hand and the others listed in the handbook’s governance section.
Keep in mind, though, you are not alone. On December 10th, 2015, we are presenting a vendor management webinar designed to show you how to address the FFIEC mandates and mitigate risk in your vendor relationships. You will learn a proven methodology that conserves valuable resources and alleviates the unnecessary stress that regulations place on all business units across your financial organization.
Thirty minutes of your time can make a difference in taking control of your vendor management process, securing your regulatory compliance, and providing auditors and examiners with the reports they require.