Back in June of this year the FFIEC released an update to the 2004 Operations Handbook called Architecture, Infrastructure, and Operations (AIO). As the lengthier name implies, this was not simply an update; it also greatly expanded the scope of operations to include architecture and infrastructure principles and practices. This reflects the tight integration between and among the various separate but related functions that comprise the IT environment, and the recognition that inadequate coordination and oversight of these components may result in various risks, including credit, liquidity, operational, compliance, and reputation risk. Similar to the BCMP Handbook back in 2019, it encourages financial institutions to take an enterprise-wide, process-based approach.
Another similarity between this IT Handbook and the others released in the past couple of years is the use of the term “entities” instead of “institutions” to describe the intended audience. “Entities” include depository financial institutions, nonbank financial institutions, bank holding companies, and third-party service providers. (Emphasis added.) Using the “entities” terminology effectively eliminates the distinction between the expectations for an institution and those for the key third parties that provide the interdependencies necessary for the delivery of an institution’s products and services. This provides perhaps the most important takeaway from this Handbook for the vast majority of institutions that outsource core and technology services: architecture and infrastructure (and, to a lesser degree, operations) are largely the responsibility of your provider. Indeed, the Handbook seems to recognize this, making no fewer than 70 references to the importance of understanding the “complexity” of the entity as specific principles and practices are considered. This applies to the entity and the examiner alike, and hopefully will translate into a better examination experience for smaller, less complex (and largely outsourced) community financial institutions as examiners adjust their scope and objectives accordingly. (Of course, it’s important to understand that the AIO burden does not necessarily decrease in these outsourced scenarios; it simply shifts to third-party oversight!)
Another similarity between recent Handbooks is the claim that the “…booklet does not impose requirements on entities. Instead, this booklet describes principles and practices that examiners review to assess an entity’s AIO functions.” We’ve always found this statement to be somewhat contradictory, as anything an examiner may use to evaluate, or grade, your practices becomes in effect a de facto requirement. Nonetheless, this statement (along with the aforementioned entity “complexity”) may provide just enough leeway to support honest differences of opinion about how (and whether) specific principles and practices are implemented within your institution. In fact, this could prove very useful as pushback if an auditor or examiner tries to use the booklet to justify the implementation of a specific practice.
All that said, here are a few actionable observations from the booklet:
- The importance of a strategic planning process to ensure that the IT strategic plan aligns with the overall enterprise-wide strategic plans. Make sure your project planning includes a way to link one or more specific enterprise goals and objectives to every IT initiative.
- The importance of IT asset management (ITAM). Specifically, “Management should have a comprehensive inventory of its electronic (or digital) and physical information assets to adequately safeguard them against reasonably foreseeable threats.” Simply put, you can’t secure it if you don’t know you have it.
- The importance of oversight of third-party service providers. This goes without saying, especially for smaller institutions where system architecture and infrastructure are outsourced. Expect significantly increased scrutiny in this area. (A case in point: we’re keeping an eye on this.)
- The importance of accurately depicting the interconnectivity between entity assets and third parties by creating and maintaining up-to-date network, data flow, and business process flow diagrams.
- The importance of building resilience into your AIO components and functions by proactively anticipating the impact of a disruptive event in the design, implementation, and operation of your IT systems and processes.
- The importance of an internal control self-assessment process for management and work teams to monitor and continuously improve the effectiveness of IT operations controls.
It would be prudent to review the entire operational controls section of the booklet, as many of these controls apply regardless of whether you have a dedicated data center or only a server room or closet.
In summary, we’ll have to see how (and how quickly) the new expectations will be integrated into the existing IT examination work program, but we think it’s safe to assume the items above will certainly be among the areas of increased focus. As always, Appendix A contains the Examination Procedures and can be a valuable pre-exam resource. (This 11-year-old post is still relevant!) It also bears repeating that even if you outsource the “A” and “I” components, the day-to-day “O” elements* are still largely your responsibility, as are Board and management committee reporting.