In the wake of the Great Recession and other well-publicized failures of corporate governance, it is no surprise that financial services companies are more highly regulated: Congress and other regulatory bodies enacted extensive “control oriented” legislation in response to these problems. Well-known examples include Sarbanes-Oxley and the Dodd–Frank Wall Street Reform and Consumer Protection Act. Fully complying with these regulations is challenging under any conditions, but the stakes increased for Trexin’s Client, a financial services firm with nearly $70B in assets, when the US Treasury designated it a Systemically Important Financial Institution. Following this designation, certain Internal Audit findings had gone unresolved for unacceptably long periods of time, while new control issues continued to be uncovered. Trexin was asked by the Chief Information Security Officer (CISO) to review the known process control issues and define risk management improvements to satisfy Internal Audit, Board, and regulatory stakeholders.
Trexin’s approach to untangling the knot of these unresolved control issues was to conduct a comprehensive assessment of all open issues along with performing a diagnostic of related remediation and management reporting processes. Working closely with our Client’s first, second, and third lines of defense, Trexin:
- Interviewed key stakeholders
- Reviewed existing process documentation
- Constructed an as-is process model for the Technology and Information Risk stakeholders
The key to moving forward from this assessment was identifying future-state processes by developing a deep understanding of our Client’s technology risk management objectives.
When documented, these risk management objectives formed the basis for enhanced control issue reporting and an underlying data model to drive constituent risk analytics. Combined, these deliverables also provided a prototype for our Client’s next iteration of a data repository and reporting dashboard. The engagement also served to provide a solid framework for improved visibility and transparency into our Client’s control issue management process, serving as a critical input into the broader Governance, Risk, and Compliance roadmap.