Did you know that in the year 2015, the FFIEC released eight regulatory updates? Five of these updates focused solely on operational risk management. It can be difficult to keep abreast of the growing importance of operational risk management in the financial industry. Staying current with all compliance regulations can be a full-time job, a job that becomes even more daunting when added to an already long list of duties. As a result, many institutions have turned to outsourcing their technology as a cost-effective approach to managing their operational risk. These institutions have found this approach to be a double-edged sword: on one hand they are minimizing the burden of manually managing tasks, but on the other they are utilizing several different systems that do not work together. The solution is to look for one vendor that can centralize all systems onto one platform.
Regulators are not going away, and they are not letting up. The five most current FFIEC updates included changes to Appendix J, updated cybersecurity priorities, updated cybersecurity mitigation tasks, the release of the Cybersecurity Self-Assessment tool, and a revision to the IT Technology Examination Handbook emphasizing the importance of enterprise-wide risk management. These five regulatory updates highlight disaster recovery planning, vendor management, and cyber incident response. The FFIEC, along with all regulatory agencies, is creating correlations between areas of operational risk in more ways than one. How can anyone possibly hope to keep up?
A common problem found in this industry is the vicious cycle of the “Band-Aid” approach. Implementing quick-fix systems and processes that will cover only these five regulatory updates is not economical or sensible. Perhaps these fixes will provide coverage for one year, but what happens when the FFIEC rolls out five new regulations? Continually seeking short-term solutions for current problems can leave one vulnerable to fines, penalties, and system inadequacies. A Band-Aid is useful for small, short-term issues but will not fix a bullet hole. The best solution for the long term is to ensure continued compliance and to be proactive with regulatory agencies. The only solution is to centralize all operational risk management onto one platform.
Centralizing operational risk management onto one platform will allow your institution to breathe a sigh of relief. Vetting one vendor to handle all areas of operational risk will not only minimize your third-party risk, but will also integrate all data into one area. For example, if your vendor management program is advising you that Vendor X is a high-risk vendor, while your disaster recovery program tells you that the processes completed using the technology of Vendor X have a low recovery time objective, there is certainly something amiss. If these two systems do not speak to each other, then these correlations will remain unseen. All areas of operational risk management are intertwined, and they should be treated as such. Centralizing operational risk management can eliminate double data entry, reduce the amount of resources needed to manage the systems, and put you ahead of the regulators with a new and proactive approach.