
Manage Tomorrow's Surprises Today

Steven Minsky

OCC Targets Cybersecurity and AML Deficiencies - ERM is the Answer


The OCC released its "Semiannual Risk Perspective" and, perhaps as anticipated, banks continue to struggle to plug gaps in information technology practices.

Among the risks highlighted in the study, as reported by Joe Mont at Compliance Week:

  • Evolving cyber-threats and information technology vulnerabilities require heightened awareness and appropriate controls.
  • The high volumes and frequency of changes to information systems to address regulatory requirements, enhance risk monitoring reporting, and update compliance systems.
  • Banks are taking on additional risks by expanding into new, less familiar, or higher-risk products without adequate due diligence or appropriate risk management and controls.
  • The number, nature, and complexity of domestic and foreign third-party relationships continue to expand, increasing complexity, concentration, and risk management challenges.

While these risks are diverse in nature, the OCC identifies a possible solution. They suggest that banks use "Enterprise Risk Management practices to fully align with heightened standards."

Enterprise Risk Management is an effective tool for compliance management because it evaluates a bank's obligations in the context of both the regulatory and business environment to properly prioritize resources. Rather than just meeting the letter of the law, ERM provides a mechanism to document the achievement of compliance while improving daily operations and increasing operational efficiency at the same time.

For example, cross-functional risks like cybersecurity are only addressable across silos with an Enterprise Risk Management methodology. Cybersecurity is not only an internal concern, but has cascading effects on vendors and service providers. One in three banks don't require third parties to alert them about information security breaches, indicating an obvious communication failure between the IT and vendor management governance functions. Many businesses conduct an IT assessment on vendors AFTER they select the vendor to validate what mitigation controls are actually in place versus what was promised during the sales cycle. ERM provides a common, risk-based approach to Governance, Risk, & Compliance activities to identify connections between departments, vendors and the impact of risks based on these connections, so that these gaps can be identified and addressed before they make their rounds on social media.


How does LogicManager help organizations address the cross-functional issues posed by cybersecurity? Learn more by downloading our annotated guide on how to implement SEC Cybersecurity Best Practices with ERM.



In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc., the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania’s Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.
