Risk Management Software Solutions

Encierro Solutions

Challenge

Bank operations pose the greatest risk to bank failure and are the subject of increasing regulation.

The challenge to a bank is to provide comprehensive, integrated, easy-to-use tools to department managers to capture their knowledge and enlist their support for improving the safety and soundness of operations.

The goal is to move an organization's approach from compliance to operations risk management.

Maturity Model

Where is your organization on the maturity spectrum?

Where do you want your organization to be?

How can IT lead the way, involve others, without bearing all the responsibility and cost?

Maturity Categories

Level 1: Ad-hoc process, disjointed, no management of data, task-force oriented, done before regulators arrive, annually, only done to comply, no special software

Level 2: Ad-hoc process, defined roles, disparate electronic documents, reviewed by management, annually, only done to comply

Level 3: Process is understood, roles are defined, documentation is distributed across the organization, the need to improve efficiency is recognized, still only done to comply

Level 4: Process is understood and efficiency is a central focus, data management is critical, roles are honed, management regularly reviews analysis and reports (at least quarterly), operations risk responsibilities are understood by each department manager

Level 5: The organization uses an integrated approach to managing the many regulations: capturing data once, analyzing once, and leveraging it multiple times in a distributed-use, centrally managed system. The system is a useful tool to each department manager. Management views risk management reports weekly. New regulations do not pose a major burden.

FFIEC IT Handbooks

How do you plan to comply with all these guidelines? How can you leverage them for operational efficiency and soundness? How do you deal with so many overlapping topics?

– Audit
– Management
– Business Continuity Planning
– Operations
– Development and Acquisition
– Outsourcing Technology Services
– E-Banking
– Retail Payment Systems
– FedLine
– Supervision of Technology Service Providers
– Information Security
– Wholesale Payment Systems

Matador

[Diagram: Matador maps three Key Entities (Third Parties, Information Systems, Business Processes / Functions) against Key Topics (Management, Integrity, Confidentiality, Availability, Threats, Controls, Risk) and the FFIEC Guidelines (Business Continuity Planning, Information Security Risk Management, Supervision of Technology Service Providers, Operations, ...).]

Topic: Availability

[Diagram: guidelines that address Availability, arranged along a Summary-to-Most-Detail axis: Information Security RM, Business Continuity Planning, E-banking and Wholesale Payment, Technology Service Providers.]

Think it through once, document it once, use it many times.

Topic: Controls

[Pie chart of analysis and documentation effort, with slices of 60%, 20% and 20% labelled Information Security RM, Business Continuity Planning, and Human and Process Tasks.]

Matador's Information System

Information Systems power Business Functions (Criticality, Sensitivity, Risk, Mitigation) (Info Sec RM, Bus Cont Plan, Internal Controls, ...)

[Diagram: an Information System is made up of Software, Hardware, Service Providers, Physical Records and Facilities; each is analyzed for Threats, Vulnerabilities, Controls, Probability, Impact, Risk and Mitigation.]

Matador Product Architecture

[Diagram: four modules: Information Security Risk Management, Third Party Risk Management, Business Continuity Risk Management, Internal Controls Risk Management.]

Focus by module

[Diagram: the business process hierarchy (Business Process, Business Sub-Process(es), Business Function, Business Sub-Function(s), Business Tasks) with the level each module focuses on: Business Continuity, Information Security, Internal Controls.]

Matador

Matador helps banks achieve Level 5 efficiencies by focusing on three key entities:

– Information Systems
– Business Process / Business Functions / Business Tasks
– Third Parties

In the process of evaluating these, topics such as Information Security, Management, Operations, FedLine, etc. are considered, minimizing the effort, maximizing the results, and moving the organization from compliance to operations risk management.

Backup

Matador's Business Process Hierarchy

Business Processes – inter-departmental activities (Bus Cont Plan, Internal Controls)

Business Function – intra-departmental activities (Bus Cont Plan, Internal Controls, Info Sec Risk Mgmt)

Business Task – intra-departmental activities (Internal Controls)

Who are We?

Encierro is an Operations Risk Management software company for banks.

Encierro offers software modules for
– Information Security Risk Management
– Third Party Risk Management
– Business Continuity Planning
– Internal Controls Risk Management

What We Do

Encierro Solutions provides software and services appropriate for banks of various sizes

– For small banks
  Pre-scripted policies, procedures, and risk analysis for common bank assets
  Cost effective approach
  Easy to use

– For mid-sized banks
  Scalable, comprehensive, flexible system
  Enterprise wide
  Easy to use
  Highly efficient and cost-effective

Our Software – The Matador System

A formal risk management system that enables banks to:

– Create risk assessment and risk mitigation plans utilizing pre-scripted policy and Information Security analysis of commonly found bank entities
  Information Systems
  Software/Hardware
  Facilities/Physical Records
  Service Providers

– Implement a risk management program that is integrated into a bank's operations

– Meet the demanding requirements of the regulators, management, and customers

– Demonstrate a MERIT-worthy risk management system

MERIT

FIL-13-2004
February 4, 2004
MAXIMUM EFFICIENCY, RISK-FOCUSED, INSTITUTION TARGETED (MERIT) EXAMINATIONS

TO: CHIEF EXECUTIVE OFFICER

SUBJECT: Expanded Use of FDIC's Streamlined Examination Program Called "MERIT" - Maximum Efficiency, Risk-Focused, Institution Targeted Examinations

The Federal Deposit Insurance Corporation (FDIC) has expanded the use of its streamlined examination program begun in April 2002. The "MERIT" program - for Maximum Efficiency, Risk-Focused, Institution Targeted Examinations - applied to banks that met basic eligibility criteria, which included having total assets of $250 million or less and satisfactory regulatory ratings. Under the expanded MERIT program, well-rated banks with total assets of $1 billion or less will now be eligible.

MERIT Examination Procedures

During a MERIT examination, the examiners will use procedures that focus on determining the adequacy of an insured depository institution's internal control systems, and that focus on reviewing the internal and external audit programs. Examiners will devote significant attention to an overall assessment of the institution's risk-management processes. They will review an institution's lower-risk activities primarily through discussions with management and by monitoring the activities through various off-site analytical programs.

Why a Formal Risk Management System?

Regulators are placing a greater emphasis on a formal, comprehensive operations risk management program

– The ability to manage ongoing operational risk, and to demonstrate easily how it is managed, is more important than annual risk assessment results

– Regulations require the program to be comprehensive, continuous, integrated, collaborative, involved, timely, historical, testable, and repeatable

Proof of a formal system assures those who are ultimately responsible, the Board and Senior Management, that a safe and sound system is operational in the bank

Proof of a formal system reduces a bank's legal and compliance liability if a threat is successful

Why the Matador System?

It provides pre-scripted analysis of typical bank Information Assets that can be easily customized by department managers
– Easy to use
– Saves time
– Cost effective

It is the only tool on the market that enables banks to implement a formal risk management program that is integrated into a bank's operations

It is the only tool that addresses all Information Security areas:
– IT, facilities, records, information systems, and third party service providers

It has been discussed with banking regulatory agencies

Matador Meets the Regulatory Requirements of a Formal System

The Matador system is:
– Comprehensive – covers the full spectrum of information security issues
– Continuous – responds to new threats quickly
– Integrated – part of the decision making process
– Collaborative – involves all departments
– Involved – requires critical thinking
– Timely – responds effectively to events
– Historical – shows trends, enables drilling
– Testable – works in real world situations
– Repeatable – procedure that can be followed by all

The Matador system provides assurance
– Provides confidence and knowledge that the bank is implementing best practices to protect bank and customer data and information systems

Features of the Matador System

A web-based, relational database driven software system

Leads the bank through the risk management process
– Step 1. Information Security Risk Management Program definition
– Step 2. Information Asset / Entity definition
– Step 3. Personnel Assignments
– Step 4. Risk Assessment
– Step 5. Risk Mitigation Planning
– Step 6. Reporting

Is available with additional modules for
– Third Party Risk Management
– Business Continuity

Customer Comments: Enterprise Bank & Trust

“Encierro’s Matador system for Information Security Risk Management has enabled us to implement a well-thought out approach in a formal way with a flexible software system that can grow and change as our bank grows.

Providing us an end-to-end solution, covering the information security concerns from the development of an Information Security program, to the risk management of software, hardware, physical records, service providers, facilities and information systems, the Matador system enables us to get the departmental managers across the company involved in managing risk, while enabling us to meet the regulatory compliance needs of the bank.

Having a system that is a true management tool, above and beyond a way to be compliant, is important for the bank to operate in a safe and sound manner.”

Steve Irish, CIO and Executive VP for Enterprise Bank.

EBTC is a community bank headquartered in Lowell, MA with approximately $800M in assets.

Contact Us

For more information view:

Our corporate website at:
– www.encierro.biz

Matador information at:
– http://www.encierro.biz/infosecurity/matadorannounce.doc
– http://www.encierro.biz/infosecurity/matadordescription.doc

Information Security related documents at:
– http://www.encierro.biz/infosecurity/formalapproach.doc

Or email us at:
– [email protected]