When it comes to risk management, there’s a big difference between thorough and redundant. Thorough is a unified, top-down approach to risk management—one where all decisions and discoveries originate from a central place. Redundant is everything else.
It may sound dramatic, but it’s true. As regulatory guidance has expanded the scope of regulations over the past few years, the overlap between different areas of risk management has grown significantly. Enterprise risk management, business continuity planning, compliance, cybersecurity and vendor management can no longer be thought of as stand-alone elements of the bank’s operational risk management program—they are intertwined.
Consider security breaches of critical vendors, a regulatory hot topic. It’s so hot, in fact, that it touches five areas of risk management:
1. Vendor management.
Regulators want banks to know if critical vendors are required to provide notice if there’s a security breach.
The FFIEC’s Cybersecurity Assessment Tool specifically asks if all critical vendors are required by contract to notify the financial institution when there is a security breach.
3. Business continuity planning.
A bank should know how long it will take critical vendors to notify the institution of a security breach.
The Gramm-Leach-Bliley Act specifically mentions that vendors with access to protected data should be required to notify the financial institution of a security breach.
5. Enterprise risk management.
A bank needs to determine if critical vendors are required to notify the institution of a security breach.
In theory, overlapping requirements like these should make risk management simpler for banks—one person or team can address these concerns and report back to everyone who needs the information.
But that’s not always what happens.
Too often banks rely on a decentralized approach to risk management. The IT department handles cybersecurity, compliance tackles vendor management and someone else in IT oversees business continuity planning. The result is silos. Each team meticulously follows regulatory requirements and best practices for risk management—never considering the possibility that someone else at the bank might be tackling a similar task.
While this might have worked in the past when there was less overlap, today a siloed approach to risk management results in redundancies, inefficiencies and discrepancies.
In the security breach example, there may be as many as five different groups compiling lists of third-party vendors, assessing the criticality of individual vendors and determining which vendors should report breaches and when. When it comes time to test controls, each control is tested five times instead of simply testing it once and sharing the findings with everyone involved. This repetition isn’t thorough—it’s just a waste of time and resources.
There can also be as many as five teams monitoring and setting policy for security breaches of critical vendors. Instead of working cooperatively to maximize knowledge and resources, each group starts from scratch. The compliance department doesn’t benefit from IT’s knowledge of cybersecurity. The vendor management and contract teams don’t necessarily understand the expectations of business continuity planning. Enterprise risk management isn’t providing the overall leadership needed to make the process function smoothly. It’s a waste of expertise.
When different groups unknowingly have overlapping responsibilities, it can create conflict as each group sets different standards and notification times. For instance, the IT team may require breach notification within one hour, while compliance may say 24 hours. These kinds of discrepancies are red flags for regulators.
Banks can avoid these complications with a unified approach to risk management—developing systems that connect all areas so that every requirement can be studied from multiple perspectives.
It begins with enterprise risk management, which should serve as an umbrella for all other areas of risk management—including compliance. Not only does this ensure the bank’s business strategies are integrated into every risk decision, it creates a central hub, so risk management can be viewed holistically. Compliance also acts as an umbrella uniting cybersecurity, business continuity planning and vendor management.
With silos eliminated, risk management becomes more effective with departments building on and leveraging each other’s work—resulting in better oversight, greater efficiency and lower costs.
It’s the very definition of thorough.