The quality and involvement of the Board and senior management are probably the single most important element in the successful operation of a financial institution. While senior management (and certainly the Board) may not typically be involved in day-to-day IT operations, they must be knowledgeable about what is happening in the department and about what the institution needs in order to be successful and to meet regulatory expectations.
The Role of the Board
The Board of Directors plays a crucial role in setting the tone and direction for an institution’s use of IT. In fact, board engagement is now more important than ever, as both the FFIEC Management Handbook and the Information Security Handbook focus specifically on the responsibility and accountability of the Board as it relates to information technology oversight. Boards that do not heed these new standards run the risk of penalties, lowered CAMELS scores and audit rankings, and, in extreme circumstances, individual director financial accountability. In a recent conversation with an examiner, we learned that 80% of the deficiencies they are now seeing are management-related. The Board of Directors and senior management cannot simply “delegate-and-forget” their responsibility when it comes to IT, just as they can’t for lending, deposit operations, funds management, or any other banking activity. They (especially the Board) are expected to be vocal participants in the process and to provide a “credible challenge” to management. This means the Board must be “actively engaged, asking thoughtful questions, and exercising independent judgment”. Doing that requires accurate, timely, relevant, and ultimately actionable information.
Developing a Strategic Vision
The success of any institution begins with a solid shared understanding of the institution’s mission, vision, business model, risk profile, risk appetite, positive influences (strengths, opportunities) and adverse influences (weaknesses, threats). Once the Board of Directors establishes the strategic vision, it is shared with senior management, who develop the policies and procedures. All policies and procedures must align with the strategic plan and vision of the organization. These written policies and procedures are passed on to a steering committee, which implements them across the institution, monitoring and managing to ensure that actual day-to-day practices adhere to the written plan.
Along the way, the management team and Board of Directors must stay abreast of any regulatory changes that may require adjustments to policies, or policy deviations that may require modifications to practices. This oversight is often provided by a steering committee, and this committee may be management’s only window into IT. To be effective, the committee requires accurate and timely reporting and an understanding of how any changes and/or deviations may negatively impact the institution’s ability to achieve its shared objectives. If adjustments are required, management must not only know what it takes to get back on (and remain on) course, but also understand the consequences of inaction. Once again, all of this requires accurate, timely, relevant, and actionable information.
Financial institution management is bombarded with data from all sides, and this trend will continue (and accelerate) in 2019. The challenge is to sift through that data to extract the information which, when combined with knowledge, is necessary to manage the institution to the satisfaction of shareholders, customers, and regulators. Reports alone are no longer sufficient; they must be combined with an understanding of what the reports actually say, what conclusions can be drawn, and what actions should be taken. And along the way, the Board and senior management must be kept informed and involved.