Risk Management Software Solutions Encierro Solutions
Challenge • Bank operations pose the greatest risk of bank failure and are the subject of increasing regulation • The challenge for a bank is to give department managers comprehensive, integrated, easy-to-use tools that capture their knowledge and enlist their support in improving the safety and soundness of operations • The goal is to move an organization’s approach from compliance to operations risk management
Maturity Model • Where is your organization on the maturity spectrum? • Where do you want your organization to be? • How can IT lead the way, involve others, without bearing all the responsibility and cost?
Maturity Categories
• Level 1: Ad-hoc process, disjointed, no management of data, task-force oriented, done before regulators arrive, annually, only done to comply, no special software
• Level 2: Ad-hoc process, defined roles, disparate electronic documents, reviewed by management, annually, only done to comply
• Level 3: Process is understood, roles are defined, documentation is distributed across the organization, need to improve efficiency is recognized, still only done to comply
• Level 4: Process is understood and efficiency is a central focus, data management is critical, roles are honed, management regularly reviews analysis and reports (at least quarterly), operations risk responsibilities are understood by each department manager
• Level 5: Organization uses an integrated approach to managing the many regulations, capturing data once, analyzing once, leveraging multiple times, in a distributed-use, centrally managed system. The system is a useful tool to each department manager. Management views risk management reports weekly. New regulations do not pose a major burden.
FFIEC IT Handbooks • How do you plan to comply with all these guidelines? How can you leverage them for operational efficiency and soundness? How do you deal with so many overlapping topics? • Audit • Management • Business Continuity Planning • Operations • Development and Acquisition • Outsourcing Technology Services • E-Banking • Retail Payment Systems • FedLine • Supervision of Technology Service Providers • Information Security • Wholesale Payment Systems
Matador (diagram: FFIEC Guidelines mapped to Key Entities and Key Topics) • FFIEC Guidelines: Supervision of Technology Service Providers, Business Continuity Planning, Information Security, Risk Management, Operations, … • Key Entities: Third Parties, Information Systems, Business Processes / Functions • Key Topics: Risk, Controls, Management, Threats, Confidentiality, Integrity, Availability
Topic: Availability (diagram: how much detail each handbook gives the same topic) • Information Security RM: summary treatment • Technology Service Providers, E-banking, Wholesale Payment: more detail • Business Continuity Planning: most detail • Think it through once, document it once, use it many times
Topic: Controls (chart: share of the analysis and documentation effort) • Information Security RM: 60% • Business Continuity Planning: 20% • Human and Process Tasks: 20%
Matador’s Information System (diagram) • Information Systems power Business Functions • Business Functions are rated for Criticality, Sensitivity, Risk, and Mitigation (feeding Info Sec RM, Bus Cont Plan, Internal Controls, …) • Information Systems are composed of Software, Hardware, Service Providers, Physical Records, and Facilities • For each of these the analysis records Threats, Vulnerabilities, Controls, Probability, Impact, Risk, and Mitigation
Matador Product Architecture (diagram: four modules) • Third Party Risk Management • Internal Controls Risk Management • Business Continuity Risk Management • Information Security Risk Management
Focus by module (diagram) • Hierarchy: Business Process → Business Sub-Process(es) → Business Function → Business Sub-Function(s) → Business Tasks • Business Continuity focuses at the Business Process level • Information Security focuses at the Business Function level • Internal Controls focuses at the Business Task level
Matador • Matador helps banks achieve Level 5 efficiencies by focusing on three key entities • Information Systems • Business Process / Business Functions / Business Tasks • Third Parties • In the process of evaluating these, topics such as Information Security, Management, Operations, Fedline, etc. are considered, minimizing the effort, maximizing the results, moving the organization from compliance to operations risk management
Matador’s Business Process Hierarchy Business Processes – inter-departmental activities ( Bus Cont Plan, Internal Controls ) Business Function – intra-departmental activities ( Bus Cont Plan, Internal Controls, Info Sec Risk Mgmt ) Business Task – intra-departmental activities ( Internal Controls )
Who are We? • Encierro is an Operations Risk Management software company for banks • Encierro offers software modules for • Information Security Risk Management • Third Party Risk Management • Business Continuity Planning • Internal Controls Risk Management
What We Do • Encierro Solutions provides software and services appropriate for banks of various sizes • For small banks • Pre-scripted policies, procedures, and risk analysis for common bank assets • Cost effective approach • Easy to use • For mid-sized banks • Scalable, comprehensive, flexible system • Enterprise wide • Easy to use • Highly efficient and cost-effective
Our Software – The Matador System • A formal risk management system that enables banks to: • Create risk assessment and risk mitigation plans using pre-scripted policy and Information Security analysis of commonly found bank entities • Information Systems • Software/Hardware • Facilities/Physical Records • Service Providers • Implement a risk management program that is integrated into a bank’s operations • Meet the demanding requirements of regulators, management, and customers • Demonstrate a MERIT-worthy risk management system
MERIT
FIL-13-2004, February 4, 2004
MAXIMUM EFFICIENCY, RISK-FOCUSED, INSTITUTION TARGETED (MERIT) EXAMINATIONS
TO: CHIEF EXECUTIVE OFFICER
SUBJECT: Expanded Use of FDIC's Streamlined Examination Program Called "MERIT" - Maximum Efficiency, Risk-Focused, Institution Targeted Examinations
The Federal Deposit Insurance Corporation (FDIC) has expanded the use of its streamlined examination program begun in April 2002. The "MERIT" program - for Maximum Efficiency, Risk-Focused, Institution Targeted Examinations - applied to banks that met basic eligibility criteria, which included having total assets of $250 million or less and satisfactory regulatory ratings. Under the expanded MERIT program, well-rated banks with total assets of $1 billion or less will now be eligible.
MERIT Examination Procedures
During a MERIT examination, the examiners will use procedures that focus on determining the adequacy of an insured depository institution's internal control systems, and that focus on reviewing the internal and external audit programs. Examiners will devote significant attention to an overall assessment of the institution's risk-management processes. They will review an institution's lower-risk activities primarily through discussions with management and by monitoring the activities through various off-site analytical programs.
Why a Formal Risk Management System? • Regulators are placing a greater emphasis on a formal, comprehensive operations risk management program • The ability to manage and the ability to demonstrate easily how to manage ongoing operational risk is more important than annual risk assessment results • Regulations require program to be comprehensive, continuous, integrated, collaborative, involved, timely, historical, testable, and repeatable • Proof of a formal system assures those who are ultimately responsible, the Board and Senior Management, that a safe and sound system is operational in the bank • Proof of a formal system reduces a bank’s legal and compliance liability if a threat is successful
Why the Matador System? • It provides pre-scripted analysis of typical bank Information Assets that can be easily customized by department managers • Easy to use • Saves time • Cost effective • It is the only tool on the market that enables banks to implement a formal risk management program that is integrated into a bank’s operations • It is the only tool that addresses all Information Security areas: • IT, facilities, records, information systems, and third party service providers • It has been discussed with banking regulatory agencies
Matador Meets the Regulatory Requirements of a Formal System • The Matador system is: • Comprehensive – covers the full spectrum of information security issues • Continuous – respond to new threats quickly • Integrated – part of the decision making process • Collaborative – involves all departments • Involved – requires critical thinking • Timely – responds effectively to events • Historical – shows trends, enables drilling • Testable – works in real world situations • Repeatable – procedure that can be followed by all • Matador system provides assurance • Provides confidence and knowledge that the bank is implementing best practices to protect bank and customer data and information systems
Features of the Matador System • A web-based, relational database driven software system • Leads the bank through the risk management process • Step 1. Information Security Risk Management Program definition • Step 2. Information Asset / Entity definition • Step 3. Personnel Assignments • Step 4. Risk Assessment • Step 5. Risk Mitigation Planning • Step 6. Reporting • Is available with additional modules for • Third Party Risk Management • Business Continuity
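As an added illustration (this is not Encierro’s code or the Matador system), here is a small Python risk register that follows the entity model on the Matador’s Information System slide and Steps 2 through 6 of the workflow above: assets of the five kinds (software, hardware, service provider, physical records, facility) each carry an owner, threats with the vulnerability they exploit, probability and impact ratings, and controls; a report ranks assets by residual risk and a mitigation plan lists what is still above the bank’s risk appetite. The 1..5 scales, the scoring rule (risk = probability × impact, with controls lowering one or the other), the appetite value, and every asset, threat and control in the sample data are assumptions constructed for the example; the page states no formula.

```python
"""Qualitative operations-risk register: added example, not Encierro's or the
Matador system's code.  Scales, scoring rule, risk appetite and all sample
data below are assumptions constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    name: str
    probability_reduction: int = 0  # steps taken off the probability rating (assumed)
    impact_reduction: int = 0       # steps taken off the impact rating (assumed)
    implemented: bool = True        # documented-but-unimplemented controls earn no credit


@dataclass
class Threat:
    name: str
    vulnerability: str      # the weakness the threat exploits
    probability: int        # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int             # 1 (negligible) .. 5 (severe), assumed scale
    controls: List[Control] = field(default_factory=list)

    def inherent_risk(self) -> int:
        """Risk before any control is credited."""
        return self.probability * self.impact

    def residual_risk(self) -> int:
        """Risk after implemented controls; a rating never drops below 1."""
        live = [c for c in self.controls if c.implemented]
        p = max(1, self.probability - sum(c.probability_reduction for c in live))
        i = max(1, self.impact - sum(c.impact_reduction for c in live))
        return p * i


@dataclass
class Asset:
    name: str
    kind: str               # software / hardware / service provider / physical records / facility
    owner: str              # department manager accountable for it (Step 3)
    criticality: int        # 1..5, assumed scale (continuity view)
    sensitivity: int        # 1..5, assumed scale (confidentiality view)
    threats: List[Threat] = field(default_factory=list)

    def residual_risk(self) -> int:
        """An asset is as risky as its worst remaining threat."""
        return max((t.residual_risk() for t in self.threats), default=0)


def risk_report(assets: List[Asset]) -> List[Dict]:
    """Step 6: one row per asset, highest residual risk first (what management reviews)."""
    rows = [{
        "asset": a.name, "kind": a.kind, "owner": a.owner,
        "inherent": max((t.inherent_risk() for t in a.threats), default=0),
        "residual": a.residual_risk(),
    } for a in assets]
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


def mitigation_plan(assets: List[Asset], appetite: int) -> List[Dict]:
    """Step 5: every threat still above the risk appetite, worst first, with the
    controls that are documented but not yet implemented (the obvious next action)."""
    items = []
    for a in assets:
        for t in a.threats:
            if t.residual_risk() > appetite:
                items.append({
                    "asset": a.name, "owner": a.owner, "threat": t.name,
                    "vulnerability": t.vulnerability, "residual": t.residual_risk(),
                    "pending_controls": [c.name for c in t.controls if not c.implemented],
                })
    return sorted(items, key=lambda x: x["residual"], reverse=True)


# Constructed sample inventory (assumptions, not a real bank's data).
SAMPLE_ASSETS = [
    Asset("Core banking system", "software", "Operations", criticality=5, sensitivity=5, threats=[
        Threat("Ransomware", "Unpatched application servers", probability=4, impact=5, controls=[
            Control("Monthly patch cycle", probability_reduction=1),
            Control("Offline, tested backups", impact_reduction=2),
        ]),
        Threat("Insider data theft", "Broad database read access", probability=3, impact=5, controls=[
            Control("Quarterly least-privilege access review", probability_reduction=1, implemented=False),
        ]),
    ]),
    Asset("Check imaging vendor", "service provider", "Operations", criticality=4, sensitivity=4, threats=[
        Threat("Vendor outage", "Single provider, no tested fallback", probability=3, impact=4, controls=[
            Control("Contractual SLA with recovery-time target", probability_reduction=1),
        ]),
    ]),
    Asset("Branch vault records", "physical records", "Branch manager", criticality=3, sensitivity=4, threats=[
        Threat("Fire", "No off-site copy of signature cards", probability=2, impact=4, controls=[
            Control("Off-site imaged copies", impact_reduction=2),
        ]),
    ]),
]

RISK_APPETITE = 9  # assumed: residual risk above this value needs a mitigation plan

if __name__ == "__main__":
    for row in risk_report(SAMPLE_ASSETS):
        print(f"{row['asset']:<22} {row['kind']:<16} inherent={row['inherent']:>2} residual={row['residual']:>2} owner={row['owner']}")
    for item in mitigation_plan(SAMPLE_ASSETS, RISK_APPETITE):
        print(f"MITIGATE: {item['asset']} / {item['threat']} ({item['residual']}) -> {item['pending_controls']}")
```

The point of separating `implemented` from the control’s documented effect is the one the slides keep returning to: a control that exists only on paper must not lower the residual score, and the mitigation plan should surface exactly those pending controls so the department manager sees what closes the gap. With the sample data the core banking system stays at residual 15 because the access review is not yet in place, while ransomware, with patching and backups credited, falls to 9 and sits inside the assumed appetite.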
Customer Comments: Enterprise Bank & Trust “Encierro’s Matador system for Information Security Risk Management has enabled us to implement a well-thought out approach in a formal way with a flexible software system that can grow and change as our bank grows. Providing us an end-to-end solution, covering the information security concerns from the development of an Information Security program, to the risk management of software, hardware, physical records, service providers, facilities and information systems, the Matador system enables us to get the departmental managers across the company involved in managing risk, while enabling us to meet the regulatory compliance needs of the bank. Having a system that is a true management tool, above and beyond a way to be compliant, is important for the bank to operate in a safe and sound manner.” Steve Irish, CIO and Executive VP for Enterprise Bank. EBTC is a community bank headquartered in Lowell, MA with approximately $800M in assets.
Contact Us For more information view: • Our corporate website at: • www.encierro.biz • Matador information at: • http://www.encierro.biz/infosecurity/matadorannounce.doc • http://www.encierro.biz/infosecurity/matadordescription.doc • Information Security related documents at: • http://www.encierro.biz/infosecurity/formalapproach.doc • Or email us at: • firstname.lastname@example.org