FFIEC Guidance: Significant Changes to the Management Booklet

November 18, 2015 at 10:00 AM

On November 10th, the Federal Financial Institutions Examination Council (FFIEC) issued a revised Management booklet, part of its IT Examination Handbook. This is considered a major revision of the booklet and the first since 2004. As a quick overview, the Management booklet provides guidance to examiners, outlines the principles of IT governance, explains why IT governance is an important component of a financial institution's overall risk management strategy, and sets out what Federal examiners expect to see.

The recently released booklet contains several major updates that will have a significant impact on financial institutions and on how they are measured during their yearly examinations by the agencies that conduct them, including the FDIC, OCC, NCUA, and Federal Reserve. The updated booklet assists examiners in evaluating:

  • IT Governance as a part of a financial institution's overall governance
  • IT Risk Management as a part of a financial institution's enterprise-wide risk management program

This revision effectively replaces the previous version of the booklet from 2004. Some of the significant changes include the following:

  • Incorporation of cybersecurity concepts as a part of information security
  • Augmentation and further definition of the stages of IT Risk Management: risk identification, risk measurement, risk mitigation, risk monitoring, and risk reporting

In addition to the changes listed above, one of the most significant changes in this revised booklet is the expected involvement of the Board of Directors in the oversight and direction of an institution's IT program to help mitigate the associated risks. This is a fairly significant step for the FFIEC and comes as a direct result of the FFIEC Cybersecurity Assessment program that it ran during the summer of 2014. One observation the FFIEC made during that assessment was that, because financial institutions are critically dependent on IT to conduct business operations, the Board of Directors and senior management must be engaged on a regular basis in order to fully understand the inherent risks that are present, as well as how to mitigate and respond to them. For a detailed report of the FFIEC findings, click here.

Compass IT Compliance has been assisting financial institutions of all sizes in navigating the Federal and State requirements around their IT security posture and, ultimately, in mitigating the risks they encounter. For more information, please don't hesitate to contact us, and be sure to download our brochure on the services we offer financial institutions. In addition, Compass IT Compliance will be holding a no-cost webinar to discuss these significant changes to the FFIEC Management booklet and the impact they will have on financial institutions on December 17th at 1:00 PM EST. We look forward to seeing you on the 17th!
