Cybersecurity-related attacks on the financial sector are increasing at an alarming rate, and a recent IMF estimate suggests that “…average annual potential losses from cyber-attacks may be …around $100 billion”. Another study indicates that “…financial services firms also fall victim to cybersecurity attacks 300 times more frequently than businesses in other industries.” These two metrics make cybersecurity a critical issue for banks and credit unions, and in fact, we consistently find this issue in the top 3 concerns for financial institution CEOs, boards, and senior management.
What is the best way to approach this critical issue? We think there are three important questions the CEO and senior management should be asking about cybersecurity:

How much cyber risk is “acceptable” to my institution?

“Acceptable” risk levels are also referred to as “risk appetite”, because if management determines that residual risk levels are within their pre-established risk appetite, those residual risks are, by definition, acceptable.

Risk appetite is broadly defined as the amount of risk an entity is willing to accept in pursuit of its strategic mission. According to the FFIEC Cybersecurity Assessment Tool (CAT), the Board and senior management should establish a risk appetite level consistent with their strategic goals and objectives. Risk appetite is clearly an important concept to regulators, as the term is repeated 17 times in the CAT.

But is it reasonable that a single risk appetite level should apply to the entire enterprise? Institutions offering products and services online are willing to accept a higher level of cyber risk then those who don’t. Even among online services, some might be riskier than others. For example, offering simple online access to account information vs. offering funds management services like investment accounts. For this reason, we recommend risk appetite levels be established at the business process level. These individual levels can then be rolled up to an overall composite risk appetite.

How do I determine my current level of cyber risk?

To determine an institution’s cybersecurity posture, the CAT provides a regulator designed and approved, repeatable methodology that utilizes a two-step process. First, establish an Inherent Risk Profile, and second, determine your Cybersecurity Control Maturity. The Inherent Risk Profile identifies the institution’s inherent risk before implementing controls. The Cybersecurity Control Maturity includes domains, assessment factors, contributing components, and individual declarative statements across five maturity levels to identify specific controls and practices that are currently in place.

By reviewing your institution’s inherent risk profile and control maturity levels across the enterprise, management can conduct a gap analysis to determine whether its maturity levels are acceptable in relation to its risk. In other words, are our residual risks within pre-established risk appetite levels? If they’re not, the institution must either reduce the level of risk, or (more commonly) increase the levels of control maturity.

One more thing about cyber risk; of the 3 categories of controls (preventative, detective, and corrective/responsive), often preventive and detective controls aren’t applicable, leaving only corrective/responsive measures. That’s why testing is so critical, which brings us to the final question…

When was the last time we conducted a cyber incident response test?

The answer should be recently. Here’s why: Not all traditional disasters have a cyber element to them, but many cyber events have a system recovery element that may impact your ability to deliver products and services to your customers. Cyber incidents can also often indicate a violation or deviation from your security policies and best practices, for example if an employee or third-party either intentionally or inadvertently caused the incident. This may lead to policy changes, or at least the need for additional internal training.

Senior management must ensure their institutions have adequate incident response capabilities so they can detect incidents (whenever possible), contain and control the impact, and ultimately recover. Testing is the only way to definitively verify that your institution has effective cyber incident resilience and recovery capabilities. Periodic testing also helps to ensure an incident response plan is being maintained in a state of constant readiness so that you can react quickly. Unlike a natural disaster which will often provide at least a short window of warning, a cyber event typically does not. In fact, recent studies indicate that more often than not, it is the customer that first detects a cyber event, not the institution.

Lastly, financial institutions should conduct testing based on the probability and impact of the event or incident being simulated. Since it is far more likely that you’ll be impacted by a cyber event as opposed to a catastrophic natural disaster, incident response capabilities should be tested at least as often as your BCP, or at least annually.

Final Thoughts

New types of security-related incidents are constantly emerging. Consequently, CEOs and senior management of financial institutions must be prepared to keep IT resources ahead of the current threat environment. When we address Boards on cybersecurity matters, we often get asked why cybersecurity spending should increase even if our risk profile hasn’t. The threat environment is increasing and evolving, so even if your inherent risk profile isn’t changing you must still increase control maturity levels over time to maintain your residual risk within your risk appetite levels. As the FFIEC IT Handbook’s Information Security Handbook states,

There are many other areas related to cybersecurity that CEOs and senior management should be considering. To gain more insight into those areas, as well as other key topics for CEOs to be aware of, download our white paper, Top IT Areas Where CEOs of Financial Institutions Should Focus: Important Questions and Answers.

In today’s business environment, cyber threats are constantly evolving, and financial institutions are among the most highly targeted industries. Financial institutions are considered part of the critical national infrastructure, and protecting NPI (non-public information) and financial transactions is a high priority for banks and credit unions as they strive to address ransomware, account takeovers, mobile banking exploitation, and other cybercrimes.

The role of the Information Security Officer (ISO) is an important strategic IT and business role with a high level of visibility, responsibility, and associated accountability. The Information Security Officer is required to interact with the IT steering committee, board of directors, auditors, examiners, and others to provide periodic status updates on the institution’s information security program. To date, we have identified 7 distinct areas of responsibility for the ISO, consisting of 35 individual metrics requiring reporting and documentation.

Qualities for this role include leadership skills, political influence, thorough knowledge and understanding of regulatory requirements, the ability to work with internal management and third parties, and an in-depth understanding of the organization’s technology infrastructure and operations. This is a tall order for any organization much less a community financial institution that may lack individuals with expected qualifications, bandwidth, and experience. The vast majority of community financial institutions do not have dedicated ISO’s, but instead add the title (and associated responsibility and accountability) to someone that may already wear multiple hats.

To assist those taking on the role of an ISO at a community financial institution, we’ve provided five areas of focus for success:

Ensure the Protection of Information

The ISO’s primary responsibility is to safeguard the security and confidentiality of nonpublic information (NPI) as well as the institution’s financial transactions. In doing so, the ISO must lead efforts to ensure adequate administrative, technical, and physical controls based on risk are in place. Information assets encompass everything from hardcopies archived in a file cabinet, to information stored in a computer system to data being transmitted over the internet (including remote deposit capture and mobile banking transactions).

Understand Key Regulations and Requirements for Compliance

The ISO must adhere to the Gramm-Leach-Bliley Act (GLBA), which is also known as the Financial Modernization Act of 1999. The GLBA, which requires financial institutions to explain how they share and protect their customers’ private information, provides a strong framework for information security. So does the Federal Financial Institutions Examination Council (FFIEC). The FFIEC is a five-member agency responsible for establishing consistent guidelines and uniform practices and principles for financial institutions. They have published, and periodically update, 12 handbooks for information security requirements and best practices. The ISO must understand the regulatory expectations of both GLBA and FFIEC.

Be Proficient in Cybersecurity and the Cyber Assessment Tool (CAT)

Cybersecurity, according to the FFIEC, is the evolving process for protecting consumer and bank information by preventing detection and responding to attacks. The FFIEC outlines specific cybersecurity standards within the CAT, which is designed to help institutions determine their cyber risks and control maturity levels. Although financial institutions are not required to use the CAT to conduct their annual cyber assessment, they are expected to annually assess their cyber posture and report that status to the Board. Since the CAT is the defacto standard for cybersecurity measurement, it is the most common methodology. ISO’s must also be familiar with the FFIEC IT Examination Handbook and cybersecurity standards, which cover business continuity planning, IT/information security policies, audit, incident response planning, and other important topics.

Perform Duties Beyond Overseeing and Coordinating Proactive Security Efforts

Since no environment is ever 100% secure all the time, the ISO is also responsible for responding to attempted/actual cyber-attacks in a timely manner which may include potential involvement in legal proceedings; interacting with the cyber insurance coverage carrier; accountability for commercially reasonable security controls; strategic planning for internal infrastructure change; growth/acquisition; overall IT/cyber risk appetite; risk assessments for new technology; and customer-facing online banking services.

Review Periodic Tasks That Include Effective Systems Management and Security

The institution’s ISO needs to have visibility and accountability into existing technology driven security measures, including implementing approved software, anti-malware efforts, software patches, encryption, and multi-factor authentication to prevent unauthorized access to information. The ISO should also ensure the financial institution has adequate intrusion detection and intrusion prevention systems in place; review back up failures; and evaluate activities for high-risk online banking customers (ACH/wires).

Cybersecurity is a constant challenge for financial institutions, especially smaller banks and credit unions with limited resources. Because of the ever-expanding expectations for the role, institutions often struggle with hiring and retaining individuals with the extensive expertise needed to fill the ISO’s shoes. However, financial institutions that require assistance are increasingly turning to trusted third-party providers to ensure that information security requirements are properly addressed on a periodic basis.

Succession planning is crucial to business continuity planning and maintaining an organization’s growth, longevity, and legacy. A succession plan is essentially a strategy for transferring key roles when individuals leave due to retirement, resignation, or whenever circumstances such as Pandemic or natural disaster impact the availability of your key employees. While a typical succession plan may focus on the transition of senior executives, such as the CEO, CFO, COO, executive director, or bank president or manager, it is also important to include other key employees in which you may have a concentration of duties, such as the Information Security Officer (ISO).

Why plan for transitions?

While everyone has a part to play in supporting an institution’s information security, compliance processes, and cybersecurity activities, no one is more central to this endeavor than the ISO. Those taking on the role of ISO assume a wide range of responsibilities, as well as the associated accountability. Financial institutions should be prepared and know how to proceed should the ISO leave or be unavailable or unable to perform their job duties. This means not only identifying alternate personnel for this key position, but also having those folks properly trained in advance.

In addition, regulators are increasingly requiring financial institutions to have a formal succession plan for key employees, and we’ve seen an uptick in findings related to this issue. The Federal Financial Institution Examination Council’s (FFIEC) IT Examination Handbook requires financial institutions to include cross-training and succession planning in the business continuity plan to ensure back-up personnel are identified for key operational positions. In addition, the FFIEC guidance also states that institutions should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program. ISOs should report directly to the board or senior management and have sufficient authority, stature within the organization, knowledge, background, training, and independence to perform their assigned tasks. To ensure appropriate segregation of duties, the information security officers should be independent of the IT operations staff and should not report to IT operations management.

Yet many institutions approach ISO succession planning in general, let alone for the ISO, as an afterthought (if at all) and are ill-prepared to address and manage the ever-growing list of ISO responsibilities. Studies show that while a succession plan is crucial, less than half of banks have a long-term and emergency succession plan in place, according to research by Bank Director. Also, approximately 37 percent of banks identified succession planning among their top three board composition challenges, reported the 2018 Bank Director survey. Another 25 percent of those surveyed expressed dissatisfaction with their bank’s succession planning efforts.

Regardless of the situation, planning (and cross training) ahead of time can help minimize uncertainty, prevent unnecessary stress and assure continuity in the information security/cybersecurity process. Considering that the ISO is responsible for oversight and coordination of the security and confidentiality of Non-Public Information (NPI) , as well as FFIEC compliance and regulatory requirements, a misstep or lack of guidance in these areas can cause operational, regulatory, and reputational risks to the financial institution.

Creating a succession plan for the ISO

Succession planning generally entails identifying and developing successors who can replace vital roles. Strategies for succession planning vary based on the size, type, and goals of the organization, but there are some basic steps to follow:

• Assess requirements and responsibilities — A good place to begin the planning process is to understand the primary responsibilities, expertise, and requirements of the ISO position. Although this continues to evolve, to date we’ve identified 35 distinct elements in 7 categories ranging from information security to BCP, Vendor Management, and Strategic IT planning.
• Evaluate internal talent — Identify which employees may be the most qualified to take on these tasks, bearing in mind that in all likelihood you may need multiple resources. Commit to cross training these individuals through hands-on training, classroom education, and mentorship.
• Recruit externally — If there is a shortage of internal talent to fill the ISO role, institutions might consider identifying potential resources outside their organization, such as a virtual ISO service.

Succession planning for the ISO is a matter of information security continuity, and any gaps in this area may impact the entire enterprise, including the senior management, employees, customers, shareholders, and other stakeholders. Banks and credit unions should keep in mind that succession planning in general is not a one-and-done undertaking. Because of the evolving nature of information security, it is an ongoing exercise, and succession plans should be reassessed regularly and updated as needed. Effective succession planning and cross training will make transitions (planned or unplanned) a more positive experience for everyone in the organization.

Banks and credit unions alike have grown accustomed to the frequent and often strenuous regulatory exams and audits that have become a large part of their day-to-day life. Perhaps not surprisingly, according to our third annual report, “2019 IT Outlook for Community Banking,” compliance issues remain a big concern for these institutions, especially in terms of meeting examiner expectations. Financial institutions continue to struggle across critical areas such as: vendor management, business continuity planning, cybersecurity, audits, and exams. Risk assessments, which according to survey results, is a big struggle as 65% of respondents claim it is currently their greatest IT challenge.

Continuously changing interpretations of guidance that is already in place, along with new guidance, has made the exam process — starting with the preparation all the way through to accurate documenting steps taken to remediate findings — an extremely time-consuming and stressful endeavor.

At the beginning of the exam process, the examiner typically sends a list of items they want to review; certain areas they plan to examine; and items they plan to discuss. This list normally includes a number of reports and documents the financial institution must prepare ahead of the review and subsequently provide to the reviewing agents before the on-site visit. While some exams only require a handful of reports to prepare up-front, others can request more than 60 different reports, including:

• Organizational Charts
• Financial Reports
• Business Continuity Plans
• Disaster Recover Plans and Test Results
• Vendor Management Policies
• Security Policies

In addition to gathering and preparing the reports and documents the examiner requests, there are certain steps banks and credit unions can do before the exams to help streamline the process, feel more confident and prepared, and better meet examiner expectations:

Review All Relevant Guidance and Significant Changes

The management team and compliance officers should familiarize themselves with all relevant guidance for their institution, and make sure they are up-to-date on any changes that might affect them. In addition, they should review recent significant changes to internal technology infrastructure, risk assessments for customer or member facing electronic banking services and as well as the financial institution’s cyber risk appetite statement.

Review Previous Examination Reports 


Review the previous exam reports for any comments or matters that required attention. It is critical that all exam findings from previous examinations be addressed, with corrective actions documented.

Review Any Non-Finding Comments (If There Have Been Any)

If the institution received any comments from the examiner that did not rise to the level of a finding, they should be prepared to discuss how (or if) the institution plans to address these items in the future. In some cases, management may decide these items do not require corrective actions. However, they should still be discussed, and any rationale (action or inaction) documented.

Review the Compliance Plan

Each financial institution needs to be able to show examiners how they identify, track and respond to compliance issues. Often referred to as a Compliance Management System (CMS), this typically includes everything from how they introduce new initiatives and new vendors, how they implement and manage the initiatives, and how they respond and prepare for expansions and organizational changes, to how they track audit and exam findings.

Automate Compliance Tasks

Finding the time to collect all the requested reports and adequately prepare for exams can be a challenge. In fact, 55% of survey respondents admit to struggling with finding the time to work and focus on compliance-related activities. This struggle has led banks and credit unions alike to search for a more efficient way to manage compliance tasks and leverage automation to manage compliance responsibilities. Approximately 33% of survey respondents outsource their compliance needs, and 59% have increased their compliance spending in the past 18 months.

Regardless of location and size, banks and credit unions are all subject to largely the same regulations. Working with a managed services provider who works exclusively with financial institutions and understands the unique challenges of the exam process, greatly increases the chances that you are not only prepared for an exam, but can confidently meet all examiner expectations both before, and after, the exam.

To gain more insights into the key challenges, goals and opportunities facing banks and credit unions today, please download the full report here.

For financial institutions to be successful today, they must have — and implement — a comprehensive IT strategic plan. The IT strategic plan must align with the overall strategic plan, outline future goals and objectives, and identify the steps needed to achieve such in a three-to-five-year timeframe.

The institution’s board of directors is directly responsible for developing the overall, or enterprise-wide, strategic plan, but they will most likely delegate the responsibility of the IT strategic plan to a board or management level committee (typically the IT Steering Committee). The board is still responsible for reviewing and approving it to ensure it aligns with the overall business strategy.

To understand the difference between the 2 plans, it’s important to note that the overall plan is where the broad goals and objectives of the organization are defined. This could mean many things like achieving certain revenue gains and financial ratios, but almost always includes adhering to current guidance and best practices relating to information security. The plan must include an information security strategy to protect the institution from ongoing and emerging threats, including those related to cybersecurity. The IT strategic plan adopts the broad goals and objectives of the overall plan, and connects the specific day-to-day practices to those broader objectives. For example, the overall plan might have a broad objective to keep information secure. The IT strategic plan will identify each of the practices and proposed initiatives that align with that objective. Simply put, the IT strategic plan provides the linkage between the specific actions of the IT committee, and the broader goals and objectives of the organization.

Components of an IT Strategic Plan

Since the IT strategic plan is the document that outlines specific activities required to overcome challenges, there must be a solid understanding of the institution’s goals, business model, and objectives. In addition, there are three main components that all strategic plans should include:

Mission and Vision Statement

The mission statement is the summary or explanation of an organization’s overall purpose, as well as the goals, values, and objectives. Having a solid mission statement ensures employees understand the direction and purpose of the financial institution and helps create a sense of identity. The vision statement will often be more concise and is designed to paint a picture of what a bank or credit union aspires to be in the future. While these components of the strategic plan may seem time consuming to develop initially, they are the necessary foundations for a successful organization, and unless the organization is experiencing a high pace of change, they are not difficult to maintain going forward.

Risk Appetite Statement

Risk Appetite is defined as the amount of risk a financial institution is prepared to accept when working to achieve its objectives. In other words, risk appetite is a decision by the Board and Senior Management that the residual risk level, or risk remaining after controls have been applied, is within their pre-defined acceptable range. Failure to have a risk appetite statement could result in a financial institution improperly managing its risk, or misallocating its resources.

IT Roadmap

The IT Roadmap is where all current and proposed strategic initiatives are tracked. The roadmap is the beating heart of the IT Strategic Plan and should be reviewed and updated at each committee meeting. Each roadmap initiative should identify how it aligns with specific enterprise-level goals which, although they will differ from one institution to the next, should include the following:

• Institution growth and customer demographic targets — Inc. mergers and acquisitions
• Current technology standards — the ability to adopt and upgrade/replace systems and software and integrate new technology to remain competitive
• Regulatory requirements (e.g., privacy, security, consumer disclosures, and other reporting requirements)
• Cost containment, process improvement, and efficiency gains
• Customer service and technology performance quality
• Third-party relationship opportunities versus in-house expertise

The plan should also focus on specific interdependencies, personnel, tools, internal and external resources, and timetables to achieve the designated goals. This also includes hardware and software architecture, third-party providers, and budget estimates.

Technology evolves rapidly, requiring institutions to implement enhancements to existing systems, and prompting new investment in infrastructure, systems, and applications. IT strategic plans serve as a powerful tool, one that positions banks and credit unions to identify and achieve key goals and desired outcomes. As the FFIEC states in the Management Handbook, “A financial institution capable of aligning its IT infrastructure to support its business strategy adds value to the institution and positions itself for sustained success.” A comprehensive IT strategic plan will ensure delivery of IT services in a cost-efficient and effective way, while enabling financial institutions to meet the competitive demands of the marketplace.

The Board of Directors for any bank or credit union sets the tone and direction for the institution, including how the institution leverages information technology. While these Directors are generally not directly involved in the day-to-day operations, they are still responsible for ensuring that the institution operates in a safe and sound manner. The Board is expected to not only set strategy for the institution’s IT Risk Management program, but to also monitor how well the ITRM program is working and to provide a “credible challenge” to management.

Effective communication is crucial to this process but presenting complex information security and cybersecurity information to the Board can be challenging. Here are four common challenges you might encounter when reporting to your Board or Steering Committee, as well as some strategies to help overcome each:

Time Constrained

Board meeting agendas are jam-packed with important business, so you may not have much time to communicate your portion. Often, the Board cannot dedicate more than 15-20 minutes to ITRM, and this is precious little time to fully explain complex or nuanced topics.

• Focus on high-level summary information. Whenever possible, consider featuring charts and graphs to help visualize data.
• Highlight both the shortfalls and positives. Often a traffic-signal approach can be helpful here by highlighting positives in green and issues in red.
• Show your work! Information presented in a brief manner may minimize the importance of the topic or work involved. Explain why your topic is important to the bigger picture, and brag on your team for their hard work.

Over-Engaged

This type of Board is one that desires to know and understand every little detail. Deep engagement with IT is a wonderful problem to have, but it can quickly derail a presentation.

• Save questions for the end. If your Board is open to this, it will help you make it through all your material in the time allotted.
• Be open to follow-up discussions. When a discussion strays too far into the fine details, consider gently suggesting a follow-up meeting to discuss the topic in further detail.
• Anticipate likely questions. Be prepared for questions such as:
  • How did it get this way?
  • What are we doing about it?
  • Can we do this internally, or do we need to bring in a third party?
  • Why do we have to do this?
  • How do we compare to our peers?
  • What does that mean?

Laser-Focused Perspective

Some Boards tend to steer any discussion toward a certain topic or key metric near and dear to their heart. Regardless of if this topic is related to cost, culture, legal, customer service, or any other concern, if it matters to your Board then it matters to you.

• Frame your presentation in the Board’s terms. How can you fit your topic into the context of what resonates with the Board?
• Don’t bury the lead. Start your presentation with the topic that matters to your Board in order to capture their attention and make them more receptive to the rest of your presentation. If, for example, your Board is sensitive to costs, then don’t keep the Board waiting on the price tag for a new initiative.
• Seek Director assistance. If a Board member is a subject matter expert in an area, then ask for their (brief) input while planning your presentation. This approach helps streamline conversations during meeting, and may help your message resonate better with the rest of the Board.

Not Tech Savvy

Boards have a wide range of responsibilities and cannot be experts in every area. Your Board may not be well-versed in technology concepts, especially emerging technologies and cyber threats.

• Education is key. The Board meeting is not the right time for in-depth training, but you can throw in small reminders as to why metrics like patch status or backup success matter to the bottom line. ISO’s should also make educational materials available for the Board to review at their convenience or arrange separate training sessions for the Board on critical topics. Another option is to reserve training time on the standard agenda for a monthly topic or Q&A (if you can get it).
• Utilize subject matter experts. Experts may be better armed to explain a topic or field questions. Don’t be afraid to call on your coworkers or trusted third parties as reinforcements to help get the message across.
• Relate topics to real world examples. You don’t have to look far to find news of the latest data breach or ransomware attack – these all make excellent cautionary tales to underscore the importance of preventative measures.

To efficiently and effectively support the Board at your institution, you need to know your audience. Board members are not always experts in information technology and cybersecurity, but a “rubber-stamp” approach to these topics is no longer adequate for regulators. Your Board needs the right information in the right context to make the right decisions and provide that all important “credible challenge”.

The quality and involvement of the Board and senior management is probably the single most important element in the successful operation of a financial institution. While senior management (and certainly the Board) may not typically be involved in day-to-day IT operations, they must be knowledgeable about what is happening in the department and what the institution needs to be successful and to meet regulatory expectations.

The Role of the Board

The Board of Directors plays a crucial role in setting the tone and direction for an institution’s use of IT. In fact, board engagement is now more important than ever as both the FFIEC Management Handbook and the Information Security Handbook focus specifically on the responsibility and accountability of the Board as it relates to information technology oversight. Boards that do not heed these new standards run the risk of penalties, lowered CAMELS Scores and audit rankings, and in extreme circumstances, individual director financial accountability. In a recent conversation with an examiner, we learned that 80% of the deficiencies they are now seeing are management-related. The Board of Directors and senior management cannot just simply “delegate-and-forget” their responsibility when it comes to IT, just as they can’t for lending, deposit operations, funds management, or any other banking activity. They (especially the Board) are expected to be a vocal participant in the process and provide a “credible challenge” to management. This means the Board must be “actively engaged, asking thoughtful questions, and exercising independent judgment”. And to do that requires accurate, timely, relevant, and ultimately actionable, information.

Developing a Strategic Vision

The success of any institution begins with a solid shared understanding of the institution’s mission, vision, business model, risk profile, risk appetite, positive influences (strengths, opportunities) and adverse influences (weaknesses, threats). Once the Board of Directors establishes the strategic vision, it is shared with senior management who develops the policies and procedures. All policies and procedures must align with the strategic plan and vision of the organization. These written policies and procedures are passed on to a steering committee, who implements them into the institution, monitoring and managing to assure that actual day-to-day practices adhere to the written plan.

Along the way, the management team and Board of Directors must stay abreast of any necessary regulatory changes that may require adjustments to policies, or policy deviations that may require modifications to practices. This process is often provided by a steering committee, and this committee may be managements only window into IT. To be effective, the committee requires accurate and timely reporting and an understanding of how any changes and/or deviations may negatively impact the institutions ability to achieve its shared objectives. If adjustments are required, management must not only know what it takes to get back on (and remain on) course, they must also understand the consequences of inaction. Once again, all of this requires accurate, timely, relevant, and actionable information.

Financial institution management is bombarded with data from all sides, and this trend will continue (and accelerate) in 2019. The challenge is to sift through that data to extract the information which, when combined with knowledge, are necessary to manage the institution to the satisfaction of shareholders, customers, and regulators. Reports alone are no longer sufficient; they must be combined with an understanding of what the reports actually say, what conclusions can be drawn, and what actions should be taken. And along the way, the board and senior management must be kept informed and involved.