Done right, regulatory compliance can be a key business differentiator and a profit center. Using the Unified Compliance Framework, security and compliance expert, Erin Owens, was able to nearly triple the assets for one bank and uncover a redundant business process that, when addressed, saved the bank more than $3MM in annual operational expenses.
Willie Sutton denied saying he robbed banks, “because that’s where the money is.” But he did declare in his autobiography that criminals “go where the money is…and go there often.”
The past few years have seen a significant rise in the number and complexity of cyber security breaches as well as associated regulatory fines and litigation. Unsurprisingly, banks, credit unions and other financial institutions are a primary target for malicious hackers. This has led to the faster creation of new laws and regulations intended to pressure the financial sector into taking control of the problem.
“While well intended, this increased burden of compliance is significantly outpacing most company’s ability to balance privacy and data protection legal and regulatory requirements with internal performance expectations and budget constraints,” says Erin Owens, CEO of Variant, an information security consulting firm servicing the Midwest.
Team this pressure with the difficulties inherent in trying to keep a business in the black during what seems to be a never-ending economic slowdown and you have a situation that affects IT and executives’ digestive systems and sleep. Then, factor in the constant hammering at a business’ cyberdoor from competitors, insiders, malware, spam, phishing and other social engineering scams, and it’s easy to see why even best efforts to secure business assets, resources, customer data, and intellectual property can be such a daunting task.
In 2007-2008, FDIC-regulated banks examined and evaluated their security performance using a composite score called a CAMEL rating: C-Capitalization, A-Assets, M-Management, E-Earnings, and LLiquidity or Liability Management. Within this rating system, banks are ranked on a 1-5 scale, 1 being excellent and 5 being subject to immediate seizure. In 2007, for only a short while, IT was one of the core composite ratings.
This changed during the financial crisis to help banks shift their focus back to asset quality. But, during that brief moment that an IT score alone could, conceivably, cause bank seizure, U.S. banks took IT compliance performance very seriously and created one of the most secure digital financial infrastructures in the world.
During this era of rapid fire compliance changes, every regional Bank experienced a unique set of compliance challenges. United Central Bank was no exception.
United Central Bank had historically scored very well in IT composite score categories, but was notified by the FDIC that they needed to create a more mature Business Continuity Program. They engaged Owens to complete a Business Impact Assessment and create a framework for Business Continuity Management that would meet and exceed FDIC assurance objectives.
“I was tasked with completing the work prior to a pending examiner visit, which was scheduled to take place quite soon. This made time the most significant risk to project performance,” says Owens.
By leveraging the UCF, Owens was able to map all applicable compliance objectives, enabling a fully auditable, FDIC- compliant project framework in just twelve weeks. In addition, by combining the UCF with the authoritative sources, in this case FFIEC guidelines, he gained a measurable time edge in assigning the current maturity level and establishing metrics for a target maturity level for the program.
“This was the first time I used the UCF as a major component of my work, and the real world results were substantial,” says Owens. “Saving time has its advantages.”
Businesses that have yet to adopt GRC software rely heavily on the knowledge of the auditor, consultant, or management team charged with achieving compliance objectives. By leveraging the UCF on this engagement, Owens was able to efficiently and inexpensively map his client’s program compliance objectives with the project performance objectives. This allowed the company to speed the pace of compliance and improved their visibility to legal risks associated with their ongoing business operations.
The end result of the project, according to President of the Bank, Luke Livley, was “keeping the organization in the black during the banking crisis (which) resulted in a regulatory confidence boost that allowed the company to be selected by the regulatory authority for one of the largest asset acquisitions in the region. This nearly tripled the assets for the corporation and made the company one of the largest regional institutions in Texas. In addition, the engagement uncovered a redundant business process that, when addressed, saved the company more than $3MM in annual operational expenses.”
Owens’ Confidence through Compliance, Protection through Performance, Advanced Resiliency Method (ARM),
Countermeasure: Culture, and Beyond the Four Walls processes are all enabled by the UCF. These processes,
successfully leveraged by the business featured in this case study, have been the subjects of numerous white
papers, road shows, and publications, and have been independently reviewed for excellence.