Top 3 Takeaways
[02:50] Risk management challenges for smaller financial institutions
[07:13] The significant irony in financial institutions
[09:01] What Terri brings to the table
[10:50] Creating a culture of risk awareness
[12:24] Reactive planning versus strategy planning
[14:25] The shift Terri has seen
[15:32] The unfortunate indicator
[16:45] Terri's opinion on banks reducing their operational costs
[19:43] One challenging area in heavily-regulated organizations
[21:37] What works and what doesn't for acquired financial institutions
[25:03] More tips for acquiring financial institutions
[26:49] Guilty by association
[27:59] Wrapping up with the most shocking fraud story
HOST KELLEY SPAKOWSKI: I'm going to get us started with a quick tip. Today is actually around data privacy, it's actually two tips to get you started. First, learn about your data sources. Find out where and how long it is being stored and how it's being used. Then, develop a consent policy to process personal data and acquire consent from customers.
TERRI SANDS: It's calm water if you're strategizing, and you're doing different things like that to plan, rather than to be reactive and wait for an external auditor or even worse, a regulator, to tell you that you are inefficient, or you have this reputational risk because you did not know that you were dealing in a world of spreadsheets, and because you were so busy there, you missed the big thing that caused a data breach, or reputational damage.
KS: Hi, I'm Kelley Spakowski, and this is GRC and Me. A podcast where I interview industry thought leaders in governance, risk, and compliance on hot topics, industry specific challenges, trends, and more, to learn about their methods, solutions, and outlook in the space.
Here with me today, to discuss risk and compliance in finance is Terri Sands, founder of Secure Risk Management. Secure is a boutique consulting firm, and membership organization that works closely with financial institutions, many of them small banks and credit unions to safely change with growing technology and regulatory requirements. So, thank you for joining me, Terri. I really appreciate you being here.
TS: Thank you for having me.
KS: We actually met at one of your membership forums. It was awesome. You hosted it in Lake Oconee, am I saying that right?
KS: Lake Oconee, Georgia. It was awesome, at a really nice Ritz on a lake there, very quiet. I can't wait to go back. While I was there, I just, I instantly knew I wanted to have you join me on GRC and Me, because you have such a great pulse on the day-to-day challenges in community banking, as well as, the big picture priorities, so you're really able to build a solution approach that is both top-down and bottom-up that drives meaningful change. So, I'm really excited to chat with you about some of your insights in banking.
TS: Thank you.
KS: So, Terri, you are training many regulatory agencies on payments risk, anti-money laundering practices, enterprise risk and fraud mitigation. What challenges do smaller financial institutions have in their risk management programs?
TS: Well, there's a few. The transparency between parties is tough with financial institutions. You have the first, second, and third lines of defense, and because of old habits, there might be a siloed area here, and a siloed area here. Senior management or executive management may not have the transparency that they think they have, so you may have different lines of businesses doing duplicate processes, duplicate workflows, or doing things that do not make sense, but because they're so siloed it's tough. And certainly technology, and what you guys offer, kind of bring that together.
The other thing is, it's difficult to keep up with all the regulatory requirements with few people. I work with a lot of smaller financial institutions, but I also see this in good sized financial institutions, where you have like, one person. One person is the BSA Officer, they're also the IT Security Officer, and then they head up Deposit Operations, and Electronic Banking. And so, you have that dynamic where one person is trying to do everything without technology. A lot of times without good technology. And then they're over the first line of defense employees that are trying to keep up with all the regulatory requirements.
And so, if you think about some of these regulatory requirements, whether it's regulation E, or whatever regulatory requirement it is, you've got all these deadlines. You've got 10 days, 45 days. If you're trying to keep up with policies or procedures, you update them annually, who owns it, where's your risk assessment here. So, it's really tough, and so, without good technology it's really hard, and especially in the world in which we live today with all the fraud that happens. The fraudsters are trying to get to the financial institutions, because they hold the assets. They're holding the money. Then you have that dynamic. So, it's tough to keep up with everything without good technology.
And the struggles that we see are data. The inability, or unwillingness to use data to predict future strategies. So, data is another one, and probably the last thing that we see most of, and probably the number one challenge is the usage of spreadsheets, and other inefficiencies. It's kind of using a spreadsheet to enter information, which is tedious. So, financial institutions, they find themselves in these precarious situations with understanding how they have so much risk, "Where did all this risk come from?" Because it's basically, they're spending more time on preparing the data than monitoring and evaluating, and really managing the risks.
It's this habit-forming spreadsheet world, Kelley, that's when I actually approached LogicGate. I did the demo because I was a big fan of it, because it's simple, it's not overwhelming, and it truly is user-friendly. And the ability for risk management to be better managed through rules-based technology is a plus, because it's really hard with all the things that you have to do to also have to prepare to monitor, prepare to do these things. So, technology adds that layer of support. It's like having a virtual employee. So, I like LogicGate. It's truly a great resource for smaller financial institutions.
KS: Yeah, I appreciate that. One of the things that I thought was really interesting is, a lot of the folks I met at your forum who are performing these functions at these banks and credit unions, this is just one element of their job. They're wearing so many different hats. So, I can't imagine, if I had to go to a spreadsheet to aggregate or manipulate this data, or gather it, that would be totally on the bottom of my list of things to do.
TS: Right, exactly.
KS: At the end of the day, because that's just not the fun work. It's really tedious, so I hear you, and I agree. In your opinion, is it difficult for these financial institutions to become efficient when there are so many fintech companies to choose from now?
TS: Here's the thing, and I talk to so many financial institutions about this, it's overwhelming. I put myself in their shoes, and you've got to think about all the technology companies that are approaching financial institutions, "We can do this for this, and we can do this for this." So, you've got that coupled with the fact that, kind of going back to one of the challenges is, that's not my only job.
Sometimes, I've seen with financial institutions, that they're so busy with inefficiencies, they don't have time to be efficient. So, the irony here is significant. Unfortunately, some financial institutions learn of significant inefficiencies through regulatory scrutiny. Sometimes it's the reactive piece of them. They wait, because they think everything is fine, until a regulator comes along, and whether it's a consent order, or almost a consent order, or a super bad audit, they're basically finding themselves with deficient staffing models. Or, they have good people who simply leave because the environment is so overwhelmingly inefficient that they can't continue in that type of environment.
Truly, the problem solver is education, things like this. And also, it's calm water if you're strategizing, and you're doing different things like that to plan, rather than to be reactive and wait for an external auditor, or even worse, a regulator, to tell you that you are inefficient, or you have this reputational risk because you did not know that you were dealing in a world of spreadsheets, and because you were so busy there you missed the big thing that caused a data breach, or other reputational damage.
It's really bringing fintech companies, and that's what we love doing, is bringing fintech companies that make sense, to financial institutions. And especially with us, we deal with a lot of smaller financial institutions, but bringing that good technology to a financial institution to say, "This will solve your problem," and that's what I love doing so much. And then when you put really good technology into a financial institution, and they start working it, it's just like, "Why didn't we do this sooner?" Because then, that's when you learn the regulation. When you have the technology helping you keep up and do the enterprise risk management, and do all that, that's when people learn the content.
So, it's always really interesting with this, but again, that's the challenge, and quite frankly, the other thing is asking the question, who at the financial institution is going to ask the question, "What takes you the longest to do? What is the most difficult part about managing risk today, and how can I help you do that job better?" Senior management, and I'm seeing a lot of this over the past year, where senior management is really taking a deeper dive into that first line of defense. The people who are doing the work every day and saying, "Okay, what can we do to help you out?"
Unless you have that environment, then you're going to be dealing with spreadsheets, and you're forcing yourself into a reactive mode. But the challenges, in terms of fintech companies, is trying to fit what you need with what's out there. And so, that's a big challenge.
KS: Yeah. This is across the board. I see this really not just in finance, but in a lot of different industries, that environment that you spoke of. What we're calling it is, creating a culture of risk awareness. You can't do that if you don't have visibility into these areas, and I don't know if this is something that you are noticing in finance as well, but in other industries these different areas, or workstreams if you will, the data is siloed. So, you've got a group of people that are managing compliance-related things, another group managing policy and procedure, maybe another team that is responsible for risk management and mitigation, and then you've got IT, and there could be different departments that have their own way of measuring and mitigating risk.
So, everything is managed separately, and the data is siloed in spreadsheets. So to actually get accountability and visibility across those data points that really tree up into an overall risk strategy for the organization, they just can't do it. We're seeing a shift in other industries to get that more proactive approach, and actually, realize that, "Hey, we can use risk data as a strategy for the organization," to create new business opportunities. Things like identifying a merger acquisition strategy, or gaining a certification, or rolling out privacy as a part of their service level to customers, and actually using these as new business opportunities, and a strategy for a competitive edge. Is this something that you're seeing banks and financial institutions moving towards?
TS: It's interesting, in the past year and a half, probably, I have seen a shift in more strategy. I'm happily seeing the steady increase really focusing on strategy planning with financial institutions and companies, rather than reactive planning. Because reactive planning is just not as fun. Reactive planning, it's all about time. You're already in trouble at that point, whether you've had a big fraud event, or regulatory consent, or something even more significant. So, just talking to CEOs and CFOs, and really all types of employees within those financial institutions, it does seem like financial institutions are taking more of a proactive approach to their risk management strategy, and listening to the people who are in the best position to tell them what they need.
And so, they're really using risk management as a strategy. The thing that I think, which is great is that, financial institutions, used to, you started with risk management, and then you worked down, so a lot of financial institutions would say, "No, we can't bank that client. No, we can't have that product," but if you have a true blue, enterprise risk management program, where you have technology, like obviously LogicGate, helping you out, you can start with the customer first and say, "We want to bank that customer," Or, "We want to offer that product or service," and then you can work from the customer. Not start with risk management, because the customer is going to be the point from which you're going to say, "What do you need, and what do we need to do?"
And so, if you have the technology and the transparency, and every level knows what's going on, you have such a competitive advantage over other financial institutions and companies, because everything is transparent. And then you've got everybody working together.
I've also seen a shift, and again, I think this goes hand-in-hand with the technology is, if you have the technology to be able to open all the doors, it's like go into a financial institution and opening all the doors to all of these departments and saying, "Everybody, come into the lobby, and let's all talk." To me, that is truly enterprise risk management, where everybody is collectively agreeing on something, risk management can be managed a lot easier, and you can talk about strategies and technology efficiencies, enterprise risk management. And it's always been my experience that if you do this as a team with good technology, and you listen to everyone's thoughts, it is truly a success.
Unfortunately, I see financial institutions still today, work on spreadsheets. To your point, Kelley, you've got somebody working in compliance on their stuff, and you've got the sales folks over here selling it, and fighting back and forth with risk management and compliance people. That is, to me, it's always been the indicator that you do not have an enterprise risk management program with good technology to be able to help you.
I've been into financial institutions that they say they have this enterprise risk management program, but it really isn't. They're dealing with spreadsheets, and it's really siloed risk management. So, you really need good technology, and the ability to see, you've got to see the blue sky, because if you're surrounding yourself with spreadsheets, you're trying to manage policies, and vendor management, and risk assessments with spreadsheets, you are truly, and it doesn't matter what size you are, you are truly, in today's environment, with all of the external threats, you're setting yourself up for failure. It's not a sustainable risk management program.
KS: Yeah. I think at its best, you're just behind. You're lacking. But at its worst, it could be really catastrophic. It could result in something that cripples the business.
KS: Yeah, I think that's a great point. You mentioned efficiency. Something we see, financial institutions are wanting to reduce operating costs. In your opinion, what do you see, in terms of banks reducing their operational costs more effectively, competing in the financial industry?
TS: This is kind of a hot potato topic these days. It's interesting. You might hear, financial institutions really talking about, "Hey, we want to reduce those operating costs," but then you walk into a room, into the same, you may walk into the operations center, and you're surrounded by stacks of paper. People around you looking like they're about to cry because they don't know what to do with these stacks of paper. But I am happy to say that, like I said, over the past year and a half, there does seem like a lot of financial institutions, and the smaller ones too, we work with financial institutions that are 50 million in assets, but they operate so efficiently and effectively, we've got some financial institutions who have virtual employees. And basically, there is technology that is really running manual reports, doing different things, helping the operational folks. And while the operational folks are really focusing on things like fraud prevention, risk management, compliance management.
So, you're seeing a shift in the doers, like I'm sitting there, and I am either typing out something, a spreadsheet, an Excel spreadsheet, I'm dying in the world of Excel, or I am writing all of these things. Instead of that, you're seeing an uptick of people really focusing on risk management. In risk management, you don't have to be typing on a spreadsheet to say that you're doing risk management. Risk management is about monitoring, evaluation data, keeping up with things, understanding things, communicating out to the business line so that they can go sell and do those things. The last thing you want to do is make risk management this dreadful thing that takes way too long to do. Then you've lost your competitive edge to be able to go sell.
So, I do think people are looking at operating costs simply because, it is negatively impacting that front line to be able to go sell, and bring in deposits. If I am a sales person, and I'm spending half of my time doing operational risk management functions, half of the time I'm not selling, I'm not bringing in deposits. So, that is where that becomes a crippling process.
So I think reducing operational costs has a lot to do with the inefficiencies on the front line and on the sales side, because they're doing all of this stuff that they should not have to do.
KS: 100%. You know, I'm going to go off on a brief tangent here, but your statement about the stacks of paper making people cry just reminded me of something. I'm speaking with a bank currently, and they are looking at incident management solutions. They are doing the right thing. They are being proactive. They want to streamline this, and one of the things that she asked me, and I think this is also one of the areas of challenge for these types of heavily regulated organizations is, it's like, they're chasing their tail constantly.
One of the things she asked me is, "Can we import all of our historical incident cases into your technology?" My answer was yes, but then I was like, "Well, let's dig into this. How much history are we talking? How many cases?"
"Hundreds of thousands. We've got a regulatory requirement that, for one of the departments, it requires us to keep the entire history, the lifetime of incidents. So, it's like, more than 10 years of incidents."
And I thought, "Oh my God. When are you ever going to reference an incident that happened more than a decade ago?"
KS: They are just like, in a sea of non-useful data at that point.
KS: It's not that we can't meet that need, but I just [inaudible 00:20:42] in that moment, because there is this kind of, I don't know if it's a chicken and egg analogy, but how can we move forward if we are held back by historical data that we can't efficiently manage?
KS: So I thought that was interesting.
KS: So my task to her was, "Hey, go back and challenge your legal team, and find out what you really need to keep, and let me know if it's seven years, five years, three ideal," because less is more in an instance like that.
TS: That's exactly right.
KS: Do you see anything significant in the risk management space through financial institution merger and acquisitions? We're seeing that this is a trend. It's been a trend for a bit now, but it's definitely going to increase through 2019 and 2020. Specifically, what do you think works, and what do you think doesn't work when financial institutions merge, or get acquired?
TS: There's a couple of things. The first thing that I see, financial institutions, if you sit on the sidelines and you watch financial institutions, the acquirer and the one being acquired. I see sometimes it's, the acquirer comes in and just swoops it up and they're not listening. It's who's got the best in show technology? Sometimes it's on both sides. The advice that I would give to an acquiring financial institution is pay attention to all, do an inventory of technology, and see what works best with what the smaller financial institution has, because maybe they have a best in show thing on their side, and maybe you have a best in show technology on your side. So one is, listen to each other, because I think that's important.
The other thing I think, if you were an acquiring financial institution, you don't just wake up and become an acquiring financial institution. Most of the time, you're in business to do that. So, a lot of the audits that I've done over the past several years in financial institutions who are acquiring other, they're in the business. They do that. Historically, they do that. They find themselves in an incredibly risky position because their program may not be sustainable for where they are in the moment.
And so, when they take over another financial institution, it only gets worse. I talked to several financial institutions. They're either hitting the billion dollar mark, or they go to the three billion dollar mark, or even more significantly, the 10 billion dollar mark, and I will say, "You're dealing in spreadsheets. This monitoring system that you have here was not even made to monitor what you're monitoring." Or, "Your technology is antiquated." Or more so than anything, "There's way too many manual processes." And then you've got layers of people trying to manage to those spreadsheets.
So, for financial institutions who are in that business, who are acquiring, they have got to get an enterprise risk management program, because they will find themselves, as you get bigger in asset size, regulatory audits get worse. They just do. They get more intense. And so, the regulators, which they should, because you're responsible for more consumers. You've got more commercial clients, you've got more opportunity for fraud. There's more opportunity for AML risk, regulatory consent risk, it's important that these acquirers get with the program, and make sure that they have a sustainable program for years to come. They need to plan on not just today, because if you acquire a financial institution that's even 200 million in assets, and you're 10 billion in assets, it's still a 200 million dollar organization that you're going to pull in, and 200 million even, pulling into a financial institution that is managing risk to spreadsheets and inefficiencies, is not good.
And so, that's unsustainable for even today. So, I think that what I see is, financial institutions acquiring financial institutions, and I've talked to many, and especially over the past six months, is really, what do we need to do to get into a new program that we're growing in. Acquiring financial institutions know their strategic plan. It's not a secret to them. They know what they want to do. So, if you know what that plan is, you're going to work to a three or five year plan. Your enterprise risk management needs to be with a three or five year plan, whatever. But if you're just dealing in the moment, every day is going to be a new day to you, you're just playing with time. And it's just a matter of time before something happens again.
And like I have on my website, it takes one regulatory consent order, one thing that can cause you reputational damage, that you would never, ever be able to acquire a financial institution again. So, it's basically being in a sustainable enterprise risk management environment, surrounding yourself with good people, and technology that really works for you. Not that you have this technology in the middle of you that doesn't work.
Sometimes I see financial institutions who have enterprise risk management technology, and they don't use it because it's bad, so they do all these workarounds around it, and they let it sit there, and pay for it. The technology is sitting there not being used, so you're working three times as hard for technology, which is completely ironic.
So, I think the sustainability of risk management programs, especially for acquiring banks, is significant, and it's something that is on the regulatory radar. When I do training for regulators we, all the time, talk about acquisitions and mergers, because those financial institutions are at risk more than other financial institutions.
KS: Yeah. Absolutely. It's funny, too, we have such a crazy environment right now, just in business, but personally, with guilt by association. Just in this whole M&A between financial institutions, just got me thinking, too. My mom always used to say, growing up, "Treat others how you would like to be treated." If you have a good business practice, and process in place for these procedures, you're going to attract other organizations that have those good practices and strategies in place, too.
And you want to be doing business with somebody who is doing business that way, because if they've got something hiding in the closet, you are going to be guilty by association.
TS: Right, exactly. I think that this is kind of a thing that financial institutions who acquire other financial institutions need to be paying close attention to.
KS: 100%. Well, to round out our episode, I know you have rolled up your sleeves, and dealt with a lot of fraud cases. I'm just curious, what is the most shocking fraud story?
TS: Several years ago I was doing an audit of a bank, and I came across something that didn't make sense, and I went to the person and asked her, "Can you help explain?" And she was babbling on. Whatever she said did not make sense, and she kept babbling on, babbling on, babbling on. Interesting enough, during that audit, it was the first time that I'd ever caught fraud actually performing an audit.
And so, she was responsible for everything. And talk about spreadsheets, kind of bringing this around, she had a stack of papers and spreadsheets, and all of this other stuff, and she was the go-to person for the president of the bank. She was the go-to person for everyone. It was difficult because they fired her. They went through the whole thing. It was pretty significant.
The interesting thing, it's like, you have to pay attention to your surroundings. The interesting thing is that, here's a person who made like, 30 thousand dollars a year. She was responsible for everything, making 30 thousand dollars a year, and she was driving like, a brand new Jaguar. It was some crazy expensive car. So, every single day, they came into work, she pulls in the front with her brand new Jaguar. She goes on vacations. She did all this extravagant stuff, and even when she was not there, she had her backup do the fraud.
So, the backup was doing the fraud, so she had organized fraud within the financial institution, and because they were so inefficient, she made things so layered and inefficient, she was able to get by with the fraud. And because everything was so siloed, she was able to get by with that. And I think that was probably the wildest thing, because every day was a new day. No one put things together. No one.
So, it was kind of like, all the things we talk about, data, working in silos, one person trying to do everything. That was the point in time when I thought, "You know what?" It was my first opening, grand opening, to fraud mitigation, because it was a lesson to me, and I was just doing the audit. This happens even today, and this was 15 years ago. So, think about the significance of fraud today, and think about what you're surrounding yourself with, so if you're working in silos, and doing all that, you are opening yourself up even more today, than like, 15 years ago.
So, this stuff still happens. She was working her own organization in the bank. That was wild. It was just wild.
KS: That is wild. So, a single point of failure can also be a single point of fraud, is what you're saying.
TS: A single point of fraud, exactly.
KS: I'm a big fan of the Ozark show, and it reminds me of that, all the paper shuffling-
TS: Absolutely. Exactly.
KS: That's crazy. Well, thank you so much for joining me on GRC and Me. I hope you'll come back for another episode. We just scratched the surface today on hot topics in this industry, and we'd love to have you back, and maybe we can feature a key study, something that we've done together.
TS: Perfect. Thank you so much for having me.