Compliance Insight with David Schneier

The Rewards of Risk-Based Compliance

Keeping abreast of what's going on in the regulatory compliance domain is something I need to do. It's sort of the lifeblood of my career these days, as I spend most of my time either managing or executing audit and assessment activities predicated upon the various regs. Beyond wanting to be certain that my clients are getting the right work done at the right time, I also want to avoid doing the wrong work at any time.

One of the trends I've been noticing over the last couple of years or so from the various governing bodies is the messaging regarding using a risk-based approach in designing compliance solutions. Quite frankly, I'm relieved.

As someone who is guided by common sense when doing just about anything (I prefer to work smarter, not harder), I often find myself questioning why some of my clients need to spend time and money complying with regulatory elements that don't necessarily apply to their business. Until the recent shift towards taking a risk-based approach, it seemed as if the dialogue between banks and examiners was something akin to the age-old quandary of "why" versus "because I said so." If the regulation said you needed to have a policy for, say, program change control, and your institution didn't code any of its own applications, there was still a chance you could get dinged for not having a policy in place. For many institutions, it was easier to simply create the policy and avoid the argument. But with the recent push toward taking a risk-based approach, banks now have the opportunity to have a dialogue with their regulatory agency's representatives.

Of course, this places greater emphasis on getting a properly executed risk assessment done at the onset of the compliance cycle. But that should have been part of the program anyway. At least now banks can focus their efforts on the areas that present the greatest risk to the institution.

I'm all for changes that result in more meaningful work being done.

What's your experience pro/con with the risk-based approach?

About the Author

David Schneier
Director of Professional Services

David Schneier is Director of Professional Services for Icons Inc., an information security consultancy focused on helping financial institutions meet regulatory compliance with respect to GLBA 501(b) and NCUA Part 748 A and B. He has over 20 years' experience in Information Technology, including application development, infrastructure management, software quality assurance and IT audit and compliance.