FFIEC Issues Guidance on IT Safety and Governance
The Federal Financial Institutions Examination Council ("FFIEC") provided new guidance in the form of a booklet titled Management. The guidance is intended to assist examiners in their evaluations of information technology ("IT") governance at financial institutions and service providers. The revised booklet is part of the FFIEC Information Technology Examination Handbook.

The FFIEC Management booklet includes examination procedures and has been revised substantially. It outlines the principles of sound governance, specifically IT governance, and explains how IT risk management relates to enterprise-wide risk management and governance.

Other relevant changes include the following:

  • the incorporation of cybersecurity concepts as part of information security;

  • the incorporation of management-related concepts from other booklets in the IT Handbook; and

  • the augmentation and further delineation of the stages of the IT risk management process, including risk identification, measurement, mitigation, monitoring and reporting.

This guidance applies to FDIC-supervised institutions offering online banking services.

Clearfield Comment: The revised FFIEC guidance is clear and operationally oriented. Unfortunately, it also takes an approach to the complexity of modern IT that focuses on hierarchy, inventory and the use of controls without paying sufficient attention to human interactions.

To identify risk, for example, the guidance recommends that:

"Management should maintain inventories of assets (e.g., hardware, software and information), event classes (e.g., natural disaster, cyber, and insider abuse or compromise), threats (e.g., theft, malware, and social engineering) and existing controls as an important part of effective risk identification. . . ." It also reports that "[r]isk mitigation is the process of reducing risks through the introduction of specific controls."

Yet we know from high-profile technology failures (for example, NASDAQ's handling of the Facebook IPO, or the trading errors made by Knight Capital) that the risk of technology failure often comes from unexpected interactions between different components. These so-called emergent risks, which have the potential to do tremendous damage, do not lend themselves to the list-and-control-based approach to risk management.

Instead, an effective IT risk management program might implement a system to track near misses - incidents in which things almost go wrong before catastrophe is averted by luck or coincidence. Such incidents offer valuable insights into what might go wrong and cause real harm one day.

An effective program also would focus on ways for managers to minimize the effects of hierarchies, and empower employees to speak up when they see something wrong, by eschewing punishment, praising employees' discovery of errors and rewarding those who come forward with concerns.

Finally, such a program would emphasize the importance of incident response by allowing designated skeptics or outsiders to challenge and stress-test the realism of crisis response plans. Usually, the problem is not that organizations lack a crisis response plan; it is that their plan rests on assumptions that prove to be too optimistic when disaster strikes (for an example from another sector, see this ProPublica account of hospital generators failing).

As the FFIEC guidance considers the risk management of complex IT infrastructure, it also should consider the challenges that inventories and controls do not solve when implemented without sensitivity to operations, the role of humans, or the ways in which hierarchy and management can suppress employees' voices and leave senior leaders surprised when a complex chain of events causes a catastrophic failure.