Optimism Bias and Risk Management

By nature, humans have an innate tendency to expect the best out of a situation – a psychological phenomenon known as optimism bias. Optimism bias is defined as a bias that causes a person to believe that they are less at risk of experiencing a negative event compared to others. In the risk management world, this occurrence can affect people who analyze and report risk, which leads to inaccurate results within their risk assessments. Learn how to self-assess your own optimism bias tendencies by attending our webinar July 25th at 2:00pm CDT.

The presentation will outline the factors that lead to optimism bias, give real-world examples of how optimism bias affects financial institution employees, and explain why it is important to understand the relationship between psychological human tendencies and risk management. This session is based on daily interaction with financial institutions and common risk assessment behavior and trends.

Click here to sign up for the webinar.

Upcoming Scout User Webinar: Audit Modules (July 18th)

Attention Scout Users:
There will be another monthly Scout webinar July 18th on Audit Modules. Click here to register if you’re a Scout user.

In this month’s webinar, we’ll review the audit modules in Scout. Scout’s Control Audit is fast, easy, intuitive, and highly automated. The presentation will examine how you can use Scout to generate control audit schedules based on your risk assessment and FFIEC guidelines, change risk ratings, track audit activity, and know when and where to perform preventive reviews and system checks.

Take the time and worry out of your next exam or audit by attending the 45-minute presentation!

ERM Webinar: February 22 & 23

Join Supernal Software for the February installment of our monthly webinar series!

February Topic: Enterprise Risk Management

In this month’s webinar, we will present some of the background and history behind Enterprise Risk Management. Attendees will learn why ERM is important and how you can improve your institution by implementing some basics. We will also review the ERM Module in Scout and examine how you should use it and how it may evolve in the future.

To sign up for a session, click on the links below:

Wednesday, February @ 2:00-3:00pm (CST)

Thursday, January 19 @ 11:00am-12:00pm (CST)

 


Mobile Banking Webinar: January 18 & 19

Join Supernal Software for our monthly webinar series!

January Topic: The Risks & Rewards of Mobile Banking

In this month’s webinar, we’ll review the FDIC Winter 2011 Supervisory Insights article titled Mobile Banking: Rewards and Risks. Like the article, we’ll focus more on the risks and how mobile banking should be incorporated into your risk assessment. Even if you don’t supply your users with a downloadable mobile banking application, these risks still apply to your institution.

To sign up for a session, click on the links below:

Wednesday, January 18 @ 2:00-2:30pm (CST)

Thursday, January 19 @ 11:00-11:30am (CST)

Protecting What’s Valuable


Tom, our head risk management advisor, walks around with a $100 bill in his pocket.   At training sessions, he’ll set that $100 bill in front of someone and put a stack of his personal bank records next to it.  Then he asks, “Which one should I be more afraid to turn my back on?”

Anyone who works in finance is quick to catch his point.  They know that his personal information is worth far more than $100.  It’s worth more to a crook, and it’s worth more to Tom who’d have to spend at least 10 times that clearing up a case of identity theft.

But what we understand in a training session doesn’t always translate into daily action.  We get hired for enterprise risk management to walk through financial institutions doing risk assessments and social engineering tests.  We know we’re never going to see even a $20 bill lying out.  That’d be heresy in a bank.   But walk by an open cube, and we might find 20 home loan applications ripe for the plucking.

Here are a few daily reminders we’re good at protecting cash: 18-inch-thick steel reinforced concrete vaults, timed vault doors, elaborate alarm systems, cash counted and verified daily, teller drawers locked and stored in the vault overnight, robbery training.

Now ask, how are we reminded about information security?  Remember those loan files sitting out all day and night?

If your bank or credit union is held up at gunpoint and cash is stolen, you only have to tell your regulator and the FBI.  Sure, it’ll make the news, but anyone who hears about it feels bad for the staff and the bank.  The public assumes you did nothing wrong and that you were a victim. (The banks have locks, vaults and alarms after all…) 

However, if your information network is breached, you not only have to tell regulators and authorities, you may have to notify customers.  You’ll get a ton of press and your customers and the public won’t see you as a victim but rather as a business that didn’t do its job.  (Don’t they have a firewall and passwords?)

Now think about the impact on your customers.  When cash is stolen, your customers are fine.  They aren’t out anything.  But when their identity is stolen, they have to work hard to get it back and they never really know if they’re made whole.  (Am I finally through calling everyone and switching things?  Did I get everything? I’m so mad at that bank! )

Like cash security, information security is everyone’s responsibility.  And it’s a cultural shift that needs a champion in your organization.

The truth is, it’s harder to manage information than it is to manage money.  There’s no way to be 100 percent protected when it comes to enterprise risk management, but if you organize yourself, train, and use some better tools, you can limit your risks.  Make yourself better armed than your competitors and you won’t be the “low-hanging fruit.”


Pete Griffith is CEO of Supernal, makers of the Scout™ risk management dashboard.  Find him online at www.supernal.com and on Twitter @SeeScoutRun

Enterprise Risk Management

 

Simplify risk management and regulatory compliance requirements with the most effective ERM dashboard.

Identify the real risks facing your bank or credit union and establish how to manage them more effectively.  With Scout software, every step of the risk management process – from accurately inventorying assets, risks and controls to building a comprehensive risk management plan – is tracked in one place, so risk, compliance and IT staff can work on assigned risk reduction tasks, be tracked for progress and prepare your institution for your examination.

With real-time reporting, and process tracking software, you can make better decisions and reduce time and costs.  Scout customers get automation and reporting for the following areas:

Request a software demo to see how Scout’s time saving dashboard format, artificial intelligence, reporting, task assignment capabilities and project management will reduce your risk, improve your decision making and save you money.

ACH Training Webinar: 11/17 and 11/18

Don’t miss out! 

Register now for a webinar training session and learn how to use the new ACH Module from Scout.

Two webinars will be held Thursday at 2:00pm CST (11/17) and Friday at 10:00am CST (11/18).

To register for the Thursday webinar, visit this link: https://www2.gotomeeting.com/register/497987178

To register for the Friday webinar, visit this link: https://www2.gotomeeting.com/register/305093354

Join us on either of these dates above for an informative, 30 minute training session. Tom Ezdon of Supernal will show you how the new ACH module works, including tips and tricks based on experience in front of examiners dealing with regulations on:  ACH Network; ATM Network; Bankcard Network and Check Based assessments. Do not miss this opportunity to get a jump start on limiting risk and meeting this compliance standard.

The module works just like the other risk assessment modules so there is no need to learn a new risk assessment process. The product, risk and controls lists are already populated and associated.  All you need to do is customize the lists, scores and verify the associations fit your organization.

Author and Presenter
Thomas Ezdon, CISA, VP of Compliance for Supernal Software. Tom has vast experience in best practices in auditing and securing business environments, especially when focusing on human activity and policy. Tom is an in-demand speaker on best practices in security and compliance with state and national financial associations and has authored numerous articles in related journals.

Why Commercial Account Theft Is Your Problem


Two out of five businesses switch banks due to fraud.  That’s a sobering takeaway from Guardian Analytics’ 2011 Business Banking Trust study.

For the most part, financial institutions provide online protections to businesses that are similar to what they provide for consumers.  However, it may only be a layered security approach when it should be an enhanced layered security approach, according to the FFIEC’s latest authentication guidance.

With their large account balances and frequent transactions, commercial accounts are an attractive target for criminals. In fact, of roughly 500 small and medium-size businesses recently surveyed by Guardian Analytics, 32 percent said they had experienced online fraud in the last 12 months.

Financial institutions pay a real price for lax security, and commercial customer retention is no longer a given.   Fraud victims aren’t automatically giving their institution a second chance.  Yes, it’s an onerous process to move a business banking relationship.  But customers can and will switch to a competitor if they lose trust in their institution’s ability to protect their accounts.  Additionally, with the premium now on top-notch business accounts, your competition is assuredly doing everything to make this switch easier.

I’m not going too far out on a limb when I say financial institutions don’t just handle money anymore.  They handle information.   And that paradigm switch has made it infinitely easier to commit financial crimes.  Your customers’ financial information has been entered into a network countless times.  Do you have any idea where it resides and who is using and protecting it?

It’s time to step up and pay attention.  While 41 percent of the Guardian survey respondents said they didn’t believe their financial institution would cover losses if their company’s assets were stolen, a full 70 percent thought it should.

That’s the notion driving one lobbying organization, the Cyber Looting Awareness and Security Project.  (You’ll find them online at the ominous YourMoneyIsNotSafeInTheBank.org.) The group is urging lawmakers to require institutions to provide commercial customers the same sort of fraud reimbursement they provide to consumer accounts.

Meanwhile, businesses are failing to educate their employees on the dangers of cyber theft.   In one study, 81 Fortune 5000 companies were sent simulated phishing attempts.  Of the 79 businesses that successfully received the email, 43 percent had at least one employee who clicked the link, theoretically opening the network to keyloggers and paving the way for cyber thieves.

In fact, according to the Guardian Analytics study, only 12 percent of businesses are educating employees about not downloading dubious programs and just 10 percent are educating employees about not opening email attachments of unknown origin.  And only 25 percent say they have plans to enforce the use of strong passwords.

What does this mean for the financial community?  It means you have to watch your back.  It’s time to get serious about commercial account protection—that means everything from increasing your own risk assessment activity to offering training for customer employees.

The alternative is loss of reputation, loss of goodwill, and loss of revenue…whether the breach initiated inside your systems or not.

(Get the printer-friendly .pdf version of this article here: Why Commercial Account Theft is Your Problem.)


Pete Griffith is CEO of Supernal, makers of the Scout™ risk management dashboard.  Find him online at www.supernal.com and on Twitter @SeeScoutRun. 

Utah Bankers Association Compliance Conference

See us at the Utah Bankers Association Compliance Conference at Park City, UT September 29 – October 1.

http://myemail.constantcontact.com/UBA-Compliance-Conference.html?soid=1102717540719&aid=iSr4GVh9kGI.

Spreadsheets Aren’t Free

Most financial institutions rely on a patchwork of spreadsheets and documents to catalogue compliance activity. This people-driven system adds untold hidden costs to the compliance process—costs in labor, time, and lost opportunity.  Sometimes you have to spend to save, and compliance is one area ripe for dividends.  It’s time to automate…for the sake of the bottom line.

More People

As reported in Deloitte’s 2007 Global Banking Industry Outlook, compliance is demanding an ever larger percentage of an institution’s operating budget.  As regulations increase, most organizations are responding with additional human resources rather than technology.

In fact, 95% of the financial institutions surveyed said their executives were much more involved in compliance management than in the past, with 40% saying that the time devoted to compliance had increased by more than 25%.

More regulations mean more people—exponentially more people.  As regulations increase and as the institution expands, the management task grows larger.

Already compliance costs are growing faster than net revenue. Unless organizations can find a way to automate, they can only expect to allocate increased time and energy to compliance, further eroding financial returns.

Spreadsheets Add Cost

Examiners want to see a consistent and repeatable approach to risk management that’s integrated into daily operations.  But processes that rely on spreadsheets are a poor choice because they are usually “owned” by part-time compliance officers who can’t easily pass the system on to others. Spreadsheets aren’t easily managed by multiple parties, and as a result several versions often propagate throughout an organization.

What’s more, spreadsheets lack an audit trail—who changed what, when, and why—that could otherwise provide ready proof that an organization has made risk management a thoughtful, year-round activity.

Spreadsheets become veritable data silos. Without automation, users must cut and paste information from one data source to another.  Without integration, the organization lacks an enterprise-level view of risks, costs and opportunities.  Either way, the process is limited and inefficient.

Organizations that automate, on the other hand, control these costs.  They streamline processes, eliminate duplication of effort, and trim expense. With automation, organizations use technology—not additional staff—to accomplish risk assessments and track compliance activity.

Remember when email first came on the scene?  Andy Grove, former chairman of the board for Intel, prognosticated, “There are two kinds of businesses: those that use email and those that will.”  And so it goes with compliance automation; it’s just a matter of how much money you’ll burn on those spreadsheets before you get there.

Here are five hidden ways spreadsheets add costs:

  1. Built From Scratch. It takes a good deal of time just to figure out what information to collect and how to best record it.  Software systems eliminate that learning curve with built-in FFIEC guidance.  Users can choose from ready-to-go templates or edit information to suit their needs.
  2. Everything (and we mean everything) is Manual. Copy, cut, paste.  Toggle back and forth between worksheets and narrative documents.  Scroll, search, and search some more. The whole process is labor intensive and prone to errors in both data entry and analysis.  Software systems automatically update associations between interrelated assets and controls, track user changes, send reminder notices, highlight high risk areas, and generate reports.
  3. Extended Examinations. Spreadsheets = examiner headaches.  The harder it is to pull information for the examiners, the more your costs go up.  Lengthy exams are costly as valuable employees are pulled away from their regular jobs. Automated tools deliver commonly requested compliance reports, and users can choose to give examiners direct access to the system.
  4. Duplication. Duplicate information means duplicate effort. GLBA, BSA, Red Flags, vendor management, your own institution’s best practices—they’re all interrelated. Now multiply that across all your locations and business divisions.  Spreadsheets can’t integrate that information. Software creates a common framework to manage all those requirements in a consistent, connected format.
  5. Mistakes & Lost Opportunities. With spreadsheets the responsibility for analysis lies solely with the individual.  It’s a Herculean task to synthesize all that data.  And while human analysis will always be critical, it cannot match software for efficiency, accuracy and depth.  The right automation tool will demonstrate which assets are most vulnerable and where new security controls will provide the highest return on investment. Automation provides the institution transparency in both its strengths and weaknesses. Spreadsheets, on the other hand, add layers of confusion.

The attachment to spreadsheets is clear.  Microsoft Excel is widely popular and most financial professionals have a strong working knowledge of the application.  And yes, it has some powerful analysis capabilities.  But it can’t support the depth and breadth of information an organization needs to manage compliance activity.

You don’t use a putter to get out of a sand trap. It’s simply not the right tool for the job.

Switch to an automated risk management tool, like Scout, and suddenly the institution gains.  You get efficiency, actionable business intelligence, and better security.  And much, much easier examination days.

The cost savings are near immediate.  Scout users report drastic reductions in time spent on compliance management.  That frees up valuable time to refocus on revenue building initiatives.

Don’t waste another dollar.  Organizations that rely on spreadsheets will experience a continued escalation of costs, time consuming examinations and possible fines.  Failure to automate will jeopardize your competitive position.  And that, certainly, is the most costly risk of all.