Bank Operations Risk Management Solutions

Risk Management
Software Solutions
Encierro Solutions
Challenge

• Bank operations pose the greatest risk of bank failure and are the subject of increasing regulation
• The challenge to a bank is to provide comprehensive, integrated, easy-to-use tools to department managers to capture their knowledge and enlist their support for improving the safety and soundness of operations
• The goal is to move an organization’s approach from compliance to operations risk management
Maturity Model

• Where is your organization on the maturity spectrum?
• Where do you want your organization to be?
• How can IT lead the way, involve others, without bearing all the responsibility and cost?
Maturity Categories

• Level 1: Ad-hoc process, disjointed, no management of data, task-force oriented, done before regulators arrive, annually, only done to comply, no special software
• Level 2: Ad-hoc process, defined roles, disparate electronic documents, reviewed by management, annually, only done to comply
• Level 3: Process is understood, roles are defined, documentation is distributed across the organization, need to improve efficiency is recognized, still only done to comply
• Level 4: Process is understood and efficiency is a central focus, data management is critical, roles are honed, management regularly reviews analysis and reports (at least quarterly), operations risk responsibilities are understood by each department manager
• Level 5: Organization uses an integrated approach to managing the many regulations, capturing data once, analyzing once, leveraging multiple times, in a distributed-use, centrally managed system. The system is a useful tool to each department manager. Management views risk management reports weekly. New regulations do not pose a major burden.
FFIEC IT Handbooks

• How do you plan to comply with all these guidelines? How can you leverage them for operational efficiency and soundness? How do you deal with so many overlapping topics?
  – Audit
  – Management
  – Business Continuity Planning
  – Operations
  – Development and Acquisition
  – Outsourcing Technology Services
  – E-Banking
  – Retail Payment Systems
  – FedLine
  – Supervision of Technology Service Providers
  – Information Security
  – Wholesale Payment Systems
Matador

[Diagram: Matador maps the FFIEC Guidelines onto Key Entities (Third Parties, Information Systems, Business Processes / Functions, …) and Key Topics (Risk, Controls, Threats, Availability, Confidentiality, Integrity, Management)]
Topic: Availability

[Diagram: level of detail each FFIEC handbook gives on availability, from Summary to Most Detail: Information Security RM, Technology Service Providers, E-banking, Wholesale Payment, Business Continuity Planning]
Think it through once, document it once, use it many times
Topic: Controls

[Chart: analysis and documentation effort split among Human and Process Tasks, Business Continuity Planning and Information Security RM, in slices of 20%, 20% and 60%]
Matador’s Information System

[Diagram: Information Systems power Business Functions. Business Functions are assessed for Criticality, Sensitivity, Risk and Mitigation under Info Sec RM, Bus Cont Plan, Internal Controls, … Information Systems comprise Software, Hardware, Service Providers, Physical Records and Facilities, each assessed for Threats, Vulnerabilities, Controls, Probability, Impact, Risk and Mitigation]
Matador Product Architecture

• Third Party Risk Management
• Internal Controls Risk Management
• Business Continuity Risk Management
• Information Security Risk Management
Focus by module

[Diagram: business hierarchy of Business Process, Business Sub-Process(es), Business Function, Business Sub-Function(s) and Business Tasks. The Business Continuity and Information Security modules focus on the Business Function level; the Internal Controls module focuses on the Business Tasks level]
Matador

• Matador helps banks achieve Level 5 efficiencies by focusing on three key entities
  – Information Systems
  – Business Process / Business Functions / Business Tasks
  – Third Parties
• In the process of evaluating these, topics such as Information Security, Management, Operations, FedLine, etc. are considered, minimizing the effort, maximizing the results, and moving the organization from compliance to operations risk management
Backup
Matador’s Business Process Hierarchy

• Business Processes – inter-departmental activities (Bus Cont Plan, Internal Controls)
• Business Function – intra-departmental activities (Bus Cont Plan, Internal Controls, Info Sec Risk Mgmt)
• Business Task – intra-departmental activities (Internal Controls)
Who are We?

• Encierro is an Operations Risk Management software company for banks
• Encierro offers software modules for
  – Information Security Risk Management
  – Third Party Risk Management
  – Business Continuity Planning
  – Internal Controls Risk Management
What We Do

• Encierro Solutions provides software and services appropriate for banks of various sizes
  – For small banks
    • Pre-scripted policies, procedures, and risk analysis for common bank assets
    • Cost-effective approach
    • Easy to use
  – For mid-sized banks
    • Scalable, comprehensive, flexible system
    • Enterprise wide
    • Easy to use
    • Highly efficient and cost-effective
Our Software – The Matador System

• A formal risk management system that enables banks to:
  – Create risk assessment and risk mitigation plans utilizing pre-scripted policy and Information Security analysis of commonly found bank entities
    • Information Systems
    • Software/Hardware
    • Facilities/Physical Records
    • Service Providers
  – Implement a risk management program that is integrated into a bank’s operations
  – Meet the demanding requirements of the regulators, management, and customers
  – Demonstrate a MERIT-worthy risk management system
MERIT

FIL-13-2004
February 4, 2004
MAXIMUM EFFICIENCY, RISK-FOCUSED, INSTITUTION TARGETED (MERIT) EXAMINATIONS
TO: CHIEF EXECUTIVE OFFICER
SUBJECT: Expanded Use of FDIC's Streamlined Examination Program Called "MERIT" Maximum Efficiency, Risk-Focused, Institution Targeted Examinations

The Federal Deposit Insurance Corporation (FDIC) has expanded the use of its streamlined examination program begun in April 2002. The "MERIT" program - for Maximum Efficiency, Risk-Focused, Institution Targeted Examinations - applied to banks that met basic eligibility criteria, which included having total assets of $250 million or less and satisfactory regulatory ratings. Under the expanded MERIT program, well-rated banks with total assets of $1 billion or less will now be eligible.

MERIT Examination Procedures

During a MERIT examination, the examiners will use procedures that focus on determining the adequacy of an insured depository institution's internal control systems, and that focus on reviewing the internal and external audit programs. Examiners will devote significant attention to an overall assessment of the institution's risk-management processes. They will review an institution's lower-risk activities primarily through discussions with management and by monitoring the activities through various off-site analytical programs.
Why a Formal Risk Management System?

• Regulators are placing a greater emphasis on a formal, comprehensive operations risk management program
  – The ability to manage, and the ability to demonstrate easily how ongoing operational risk is managed, is more important than annual risk assessment results
  – Regulations require the program to be comprehensive, continuous, integrated, collaborative, involved, timely, historical, testable, and repeatable
• Proof of a formal system assures those who are ultimately responsible, the Board and Senior Management, that a safe and sound system is operational in the bank
• Proof of a formal system reduces a bank’s legal and compliance liability if a threat is successful
Why the Matador System?

• It provides pre-scripted analysis of typical bank Information Assets that can be easily customized by department managers
  – Easy to use
  – Saves time
  – Cost effective
• It is the only tool on the market that enables banks to implement a formal risk management program that is integrated into a bank’s operations
• It is the only tool that addresses all Information Security areas:
  – IT, facilities, records, information systems, and third party service providers
• It has been discussed with banking regulatory agencies
Matador Meets the Regulatory Requirements of a Formal System

• The Matador system is:
  – Comprehensive – covers the full spectrum of information security issues
  – Continuous – responds to new threats quickly
  – Integrated – part of the decision-making process
  – Collaborative – involves all departments
  – Involved – requires critical thinking
  – Timely – responds effectively to events
  – Historical – shows trends, enables drill-down
  – Testable – works in real-world situations
  – Repeatable – a procedure that can be followed by all
• The Matador system provides assurance
  – Provides confidence and knowledge that the bank is implementing best practices to protect bank and customer data and information systems
Features of the Matador System

• A web-based, relational-database-driven software system
• Leads the bank through the risk management process
  – Step 1. Information Security Risk Management Program definition
  – Step 2. Information Asset / Entity definition
  – Step 3. Personnel Assignments
  – Step 4. Risk Assessment
  – Step 5. Risk Mitigation Planning
  – Step 6. Reporting
• Is available with additional modules for
  – Third Party Risk Management
  – Business Continuity
Customer Comments: Enterprise Bank & Trust

“Encierro’s Matador system for Information Security Risk Management has enabled us to implement a well-thought-out approach in a formal way with a flexible software system that can grow and change as our bank grows.

Providing us an end-to-end solution, covering the information security concerns from the development of an Information Security program, to the risk management of software, hardware, physical records, service providers, facilities and information systems, the Matador system enables us to get the departmental managers across the company involved in managing risk, while enabling us to meet the regulatory compliance needs of the bank.

Having a system that is a true management tool, above and beyond a way to be compliant, is important for the bank to operate in a safe and sound manner.”

Steve Irish, CIO and Executive VP for Enterprise Bank.
EBTC is a community bank headquartered in Lowell, MA with approximately $800M in assets.
Contact Us

For more information view:
• Our corporate website at:
  – www.encierro.biz
• Matador information at:
  – http://www.encierro.biz/infosecurity/matadorannounce.doc
  – http://www.encierro.biz/infosecurity/matadordescription.doc
• Information Security related documents at:
  – http://www.encierro.biz/infosecurity/formalapproach.doc
• Or email us at:
  – [email protected]