3 minute read

Updated FFIEC IT Examination Handbook: What's Changing? Part 2

Professional woman reading the FFIEC handbook updates.

Considering that the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook) on “Operations” was last updated in July 2004, it should come as no surprise that a lot has changed over the past 17 years. The recently published “Architecture, Infrastructure and Operations” IT Handbook updates are long overdue.

One major change reflects the expanded title, going beyond operations to show the increased importance of an entity’s architecture and infrastructure. All three work together and as the guidance lays out, you can’t have effective operations without solid architecture and infrastructure.

In order to understand how these three related functions work together, we will look at how the FFIEC defines these terms and give some examples.

Architecture refers to the manner in which the strategic design of the hardware and software infrastructure components are organized and integrated to achieve and support the entity’s business objectives. Planning and designing and effective IT architecture facilitates management’s ability to implement infrastructure that aligns with the entity’s strategic goals and business objectives.

Similar to how architecture has traditionally involved designing and building physical structures, in the context of the new guidance, architecture involves good planning and design of IT to enable an organization to reach its business objectives. Determining the appropriate strategy starts with understanding where the business wants to go. Notice that the business objectives drive strategy, and effective IT strategic plans should align with the overall entity’s strategy.

That sounds good in theory, but where should we start?

Assuming the organization has set strategic goals and business objectives, develop an enterprise model to capture the current state and interrelationships among the various business functions.

“The first responsibility of a leader is to define reality.” Max De Pree

Once you have a picture of your current reality, you can figure out what gaps exist in being able to meet the entity’s business goals and objectives. Review your existing infrastructure and operations to determine the capabilities needed by IT systems to deliver the expected new products and services. While IT will play a major role in this process, management and the Board of Directors play an important role as well. IT should communicate to the Board and senior management challenges like industry trends or resources constraints in meeting the established business goals and objectives.

Infrastructure refers to the physical elements, products, and services necessary to provide and maintain ongoing operations to support business activity and includes the maintenance of physical facilities. The focus of the new guidance is on IT infrastructure, which is a subset of infrastructure and includes hardware, network and telecommunications, software, IT environmental controls and physical access.

While architecture involves planning and design, infrastructure forms the foundation upon which to move the business forward and adapt as needed. IT infrastructure can be managed internally or by a third-party service provider as part of the operations function. As business demands continue to rise and as many financial institutions find themselves supporting a remote workforce, we have seen an increasing number of financial institutions leveraging cloud computing to achieve their strategic goals and business objectives.

A key to effective infrastructure is to understand the associated interconnectivity critical to business and IT operations. Specifically, the guidance stresses the importance of understanding how databases interconnect throughout the entity when developing an architectural design and selecting and appropriate infrastructure. Additionally, upstream and downstream connections should be understood. Management should understand where data reside and flow to establish effective controls for protecting sensitive data.

Regularly, I work with clients who have implemented redundant systems; however, data communications among applications may not be completely understood. Frequently, these clients rely on a third-party managed service provider who understands technology but lacks Jack HenrySM application knowledge. The clients may pass their disaster recovery tests of being able to bring up their applications, but unless they perform full integration testing, they do not realize that they likely will have a hard time operating in the event of an actual disaster.

Operations are the performance of activities comprising methods, principles, processes, procedures, and services that support business functions. Operations transform resource or data inputs into desired products, services, or results, and help in the creation and delivery of business value to internal and external customers. Operations include the ongoing maintenance, monitoring, and support for business systems, products, and services. The new guidance addresses IT operations in the context of tactical management and daily delivery of services to support the overall business processes of the entity.

As you can see, operational effectiveness depends on good planning and design (architecture) coupled with a firm foundation (infrastructure). You can have great processes and procedures, but without good architecture and infrastructure, reaching your goals will be like swimming in molasses. Best case, your progress will be slowed. More likely, you’ll get off track and never reach the finish line.

Regularly, I talk with financial institutions who have gaps in their architecture and infrastructure. Although the bank or credit union may realize they could do more, they’ve been doing things a certain way for a while and haven’t had any apparent issues, so management assumes they’re ok. Or they may evaluate strengthening their architecture and infrastructure, but hold off to see if their auditor or examiner raises the issue. One executive when evaluating ways to strengthen their cybersecurity (but who found comfort in the status quo) said they “knew it was a good thing to do, and if they got hacked then they will wish they had done it … ”

A common thread runs through these responses. Do you want to be proactive or reactive? Do you want to determine your destiny or go wherever the wind blows? Do you want to just pass an audit/exam or protect your financial institution? Does your IT Infrastructure help you achieve your enterprise-wide business and strategic objectives? If not, maybe you should reevaluate what you’re doing. There is a better way.

If you’re not achieving your business objectives, you’re not alone. While misery may love company, there are organizations who have figured out how to use their infrastructure as a strategic advantage.

Share
Button - Back to Top