Risk Management Software Solutions
Encierro Solutions
Dec 19, 2015
Challenge
Bank operations pose the greatest risk of bank failure and are the subject of increasing regulation.
The challenge to a bank is to provide comprehensive, integrated, easy-to-use tools to department managers to capture their knowledge and enlist their support for improving the safety and soundness of operations.
The goal is to move an organization's approach from compliance to operations risk management.
Maturity Model
Where is your organization on the maturity spectrum?
Where do you want your organization to be?
How can IT lead the way and involve others, without bearing all the responsibility and cost?
Maturity Categories
– Level 1: Ad-hoc process, disjointed, no management of data, task-force oriented, done before regulators arrive, annually, only done to comply, no special software
– Level 2: Ad-hoc process, defined roles, disparate electronic documents, reviewed by management, annually, only done to comply
– Level 3: Process is understood, roles are defined, documentation is distributed across the organization, need to improve efficiency is recognized, still only done to comply
– Level 4: Process is understood and efficiency is a central focus, data management is critical, roles are honed, management regularly reviews analysis and reports (at least quarterly), operations risk responsibilities are understood by each department manager
– Level 5: Organization uses an integrated approach to managing the many regulations, capturing data once, analyzing once, leveraging multiple times, in a distributed-use, centrally managed system. The system is a useful tool to each department manager. Management views risk management reports weekly. New regulations do not pose a major burden.
FFIEC IT Handbooks
How do you plan to comply with all these guidelines? How can you leverage them for operational efficiency and soundness? How do you deal with so many overlapping topics?
– Audit
– Management
– Business Continuity Planning
– Operations
– Development and Acquisition
– Outsourcing Technology Services
– E-Banking
– Retail Payment Systems
– FedLine
– Supervision of Technology Service Providers
– Information Security
– Wholesale Payment Systems
Matador
[Diagram: Matador relates three Key Entities (Third Parties, Information Systems, Business Processes / Functions) to Key Topics (Management, Integrity, Confidentiality, Availability, Threats, Controls, Risk, ...) and to the FFIEC Guidelines (Business Continuity Planning, Information Security Risk Management, Supervision of Technology Service Providers, Operations, ...).]
Topic: Availability
[Diagram: coverage of the Availability topic across the handbooks, arranged from summary to most detail: Information Security RM, Business Continuity Planning, E-banking / Wholesale Payment, Technology Service Providers.]
Think it through once, document it once, use it many times.
Topic: Controls
[Chart: analysis and documentation effort for the Controls topic, split 60% / 20% / 20% across Information Security RM, Business Continuity Planning, and Human and Process Tasks.]
Matador's Information System
[Diagram: Information Systems power Business Functions (Criticality, Sensitivity, Risk, Mitigation) (Info Sec RM, Bus Cont Plan, Internal Controls, ...). Information System components: Software, Hardware, Service Providers, Physical Records, Facilities. Analysis attributes: Threats, Vulnerabilities, Controls, Probability, Impact, Risk, Mitigation.]
Matador Product Architecture
– Information Security Risk Management
– Third Party Risk Management
– Business Continuity Risk Management
– Internal Controls Risk Management
Focus by module
[Diagram: the business hierarchy Business Process > Business Sub-Process(es) > Business Function > Business Sub-Function(s) > Business Tasks, with each module (Business Continuity, Information Security, Internal Controls) focused on its own part of the hierarchy.]
Matador
Matador helps banks achieve Level 5 efficiencies by focusing on three key entities:
– Information Systems
– Business Process / Business Functions / Business Tasks
– Third Parties
In the process of evaluating these, topics such as Information Security, Management, Operations, FedLine, etc. are considered, minimizing the effort, maximizing the results, and moving the organization from compliance to operations risk management.
Matador's Business Process Hierarchy
– Business Processes: inter-departmental activities (Bus Cont Plan, Internal Controls)
– Business Function: intra-departmental activities (Bus Cont Plan, Internal Controls, Info Sec Risk Mgmt)
– Business Task: intra-departmental activities (Internal Controls)
Who are We?
Encierro is an Operations Risk Management software company for banks.
Encierro offers software modules for:
– Information Security Risk Management
– Third Party Risk Management
– Business Continuity Planning
– Internal Controls Risk Management
What We Do
Encierro Solutions provides software and services appropriate for banks of various sizes.
– For small banks: pre-scripted policies, procedures, and risk analysis for common bank assets; cost-effective approach; easy to use
– For mid-sized banks: scalable, comprehensive, flexible system; enterprise-wide; easy to use; highly efficient and cost-effective
Our Software – The Matador System
A formal risk management system that enables banks to:
– Create risk assessment and risk mitigation plans utilizing pre-scripted policy and Information Security analysis of commonly found bank entities: Information Systems, Software/Hardware, Facilities/Physical Records, Service Providers
– Implement a risk management program that is integrated into a bank's operations
– Meet the demanding requirements of the regulators, management, and customers
– Demonstrate a MERIT-worthy risk management system
MERIT
FIL-13-2004, February 4, 2004
MAXIMUM EFFICIENCY, RISK-FOCUSED, INSTITUTION TARGETED (MERIT) EXAMINATIONS
TO: CHIEF EXECUTIVE OFFICER
SUBJECT: Expanded Use of FDIC's Streamlined Examination Program Called "MERIT" - Maximum Efficiency, Risk-Focused, Institution Targeted Examinations
The Federal Deposit Insurance Corporation (FDIC) has expanded the use of its streamlined examination program begun in April 2002. The "MERIT" program - for Maximum Efficiency, Risk-Focused, Institution Targeted Examinations - applied to banks that met basic eligibility criteria, which included having total assets of $250 million or less and satisfactory regulatory ratings. Under the expanded MERIT program, well-rated banks with total assets of $1 billion or less will now be eligible.
MERIT Examination Procedures
During a MERIT examination, the examiners will use procedures that focus on determining the adequacy of an insured depository institution's internal control systems, and that focus on reviewing the internal and external audit programs. Examiners will devote significant attention to an overall assessment of the institution's risk-management processes. They will review an institution's lower-risk activities primarily through discussions with management and by monitoring the activities through various off-site analytical programs.
Why a Formal Risk Management System?
Regulators are placing a greater emphasis on a formal, comprehensive operations risk management program.
– The ability to manage ongoing operational risk, and the ability to demonstrate easily how it is managed, is more important than annual risk assessment results
– Regulations require the program to be comprehensive, continuous, integrated, collaborative, involved, timely, historical, testable, and repeatable
Proof of a formal system assures those who are ultimately responsible, the Board and Senior Management, that a safe and sound system is operational in the bank.
Proof of a formal system reduces a bank's legal and compliance liability if a threat is successful.
Why the Matador System?
It provides pre-scripted analysis of typical bank Information Assets that can be easily customized by department managers
– Easy to use
– Saves time
– Cost effective
It is the only tool on the market that enables banks to implement a formal risk management program that is integrated into a bank's operations.
It is the only tool that addresses all Information Security areas:
– IT, facilities, records, information systems, and third party service providers
It has been discussed with banking regulatory agencies.
Matador Meets the Regulatory Requirements of a Formal System
The Matador system is:
– Comprehensive – covers the full spectrum of information security issues
– Continuous – responds to new threats quickly
– Integrated – part of the decision-making process
– Collaborative – involves all departments
– Involved – requires critical thinking
– Timely – responds effectively to events
– Historical – shows trends, enables drilling
– Testable – works in real-world situations
– Repeatable – a procedure that can be followed by all
The Matador system provides assurance
– Provides confidence and knowledge that the bank is implementing best practices to protect bank and customer data and information systems
Features of the Matador System
A web-based, relational-database-driven software system
Leads the bank through the risk management process:
– Step 1. Information Security Risk Management Program definition
– Step 2. Information Asset / Entity definition
– Step 3. Personnel Assignments
– Step 4. Risk Assessment
– Step 5. Risk Mitigation Planning
– Step 6. Reporting
Is available with additional modules for:
– Third Party Risk Management
– Business Continuity
Customer Comments: Enterprise Bank &amp; Trust
“Encierro’s Matador system for Information Security Risk Management has enabled us to implement a well-thought out approach in a formal way with a flexible software system that can grow and change as our bank grows.
Providing us an end-to-end solution, covering the information security concerns from the development of an Information Security program, to the risk management of software, hardware, physical records, service providers, facilities and information systems, the Matador system enables us to get the departmental managers across the company involved in managing risk, while enabling us to meet the regulatory compliance needs of the bank.
Having a system that is a true management tool, above and beyond a way to be compliant, is important for the bank to operate in a safe and sound manner.”
Steve Irish, CIO and Executive VP for Enterprise Bank.
EBTC is a community bank headquartered in Lowell, MA with approximately $800M in assets.
Contact Us
For more information view:
Our corporate website at:
– www.encierro.biz
Matador information at:
– http://www.encierro.biz/infosecurity/matadorannounce.doc
– http://www.encierro.biz/infosecurity/matadordescription.doc
Information Security related documents at:
– http://www.encierro.biz/infosecurity/formalapproach.doc
Or email us at:
– [email protected]