Scaling Controls
Controls are put in place to reduce risk. However, far too often we fail to consider scalability in our control approaches. There is a tendency to rush towards remediating an issue by producing endless documentation (policies, procedures) and manual processes that begin to fall apart as soon as they are implemented. This is particularly rampant in smaller growing companies, where controls are often the responsibility of less technical (though still knowledgeable) IT risk and compliance staff. You cannot escape this truth: entropy is the ruler of controls based on documentation and manual procedures.
As a control professional, I scratch my head at this approach. In a world with no shortage of software developers, it seems that many companies fail to deploy such skills towards the problem of control automation.
The consequences? Simple: controls are incomplete in their adoption. Even worse, nobody knows the extent of adoption, because little, if anything, is measured. Then your auditors come and beat you over the head. Or worse, the regulators. And then you throw more money at it in the form of people and manual processes.
The solution? Standardize controls, and automate them end to end. By end to end, I mean automation of their adoption, measurement, and correction. It requires security and control engineering. It requires people and skills to think about, specify, and engineer controls that are easy to adopt (if not fully automated). It requires the mindset and discipline to engineer controls the same way a company engineers its customer-facing technologies (hopefully you have some discipline there!).
So below I am going to share some key examples of controls that would (and should) commonly be found at a financial institution, with insights on how you may automate them. By no means is this a perfect list. What you do will depend on the context of your environment. However, it is a starting point you can use to think about this problem in your environment. Copy and paste it into a spreadsheet and think about it for your control environment.
The key takeaway here is this: think twice about how you want to design your controls. Manual controls, or semi-automatic controls, may work in certain circumstances, but will eventually succumb to entropy, especially as the environment grows in scale and complexity. Invest in automation using common software analysis and engineering processes. Federate the problem to your existing engineers if necessary, or invest in a software development team that supports implementation of control automation.
Good Luck!
| Section | Common Anti-Patterns | Adverse Impact of Anti-Patterns | Key Automation Capabilities (with Sample Vendors/Solutions) | Scaling Challenges Addressed | Automating Adoption of the Control |
|---|---|---|---|---|---|
| Identity and Access Management (IAM) | | Increases the risk of orphaned accounts, unauthorized access, and compliance violations as the user base grows. | | Reduces the overhead of managing multiple user accounts and ensures secure access control as the number of users grows. | |
| Data Protection and Privacy | | Increases the likelihood of misclassified or unprotected sensitive data, leading to data breaches and non-compliance with privacy regulations. | | Automates data security and handling processes, making it easier to manage large volumes of sensitive data while maintaining compliance. | |
| Third-Party Risk Management | | Vendors can introduce significant risks as the organization grows, leading to supply chain attacks, data breaches, and compliance failures. | | Automation reduces the manual workload of vendor risk monitoring and contract compliance as the number of vendors grows. | |
| Cybersecurity Threat Detection and Response | | Increases the time to detect and respond to security incidents, leading to prolonged exposure to attacks and significant operational disruptions. | | Automated threat detection and response reduce manual intervention, allowing for efficient scaling of cybersecurity operations. | |
| System Resilience and Availability | | Leads to downtime, inefficient resource usage, and longer recovery times in the event of failures or increased load. | | Ensures system resilience and availability through automated failover, scaling, and testing in large-scale environments. | |
| Regulatory Compliance Automation | | Increases the likelihood of missed compliance deadlines, inaccurate reporting, and exposure to penalties as compliance obligations grow with scaling infrastructure. | | Automation ensures compliance across growing infrastructures without the need for manual oversight. | |
| Audit and Logging | | Results in incomplete audit trails and missed detection of anomalies, making it difficult to meet compliance requirements or identify security incidents at scale. | | AI-driven log analysis and automated audit trails reduce the burden of manual log management and provide compliance at scale. | |
| Payment Rails Automation | | Leads to delayed payments, higher fraud rates, and manual reconciliation errors, which can impact operational efficiency and customer trust as transaction volume scales. | | Automated routing, fraud detection, and reconciliation streamline operations for managing large volumes of payments across networks. | |
| Credit Card Networks Automation | | Increases the risk of credit card data breaches, higher chargeback costs, and compliance failures (PCI-DSS), impacting scalability and security of card transactions. | | Automation manages complex tokenization, compliance, and fraud prevention needs for growing credit card transaction volumes. | |
| Marketplace Lending Rules and Regulations | | Leads to slower loan processing, higher risk of non-compliance with lending laws, and increased exposure to financial loss as loan volumes grow. | | Automation ensures efficient handling of increasing loan volumes and complex regulatory requirements for lending platforms. | |
| Data Governance Automation | | Increases the risk of data sprawl, unauthorized data access, and non-compliance with data privacy regulations like GDPR or CCPA, especially as data volumes increase. | | Automation helps manage data quality, access control, and compliance in large and complex data environments, ensuring scaling without added complexity. | |
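As an added example that is not part of the original post, here is the table's IAM row (orphaned accounts) implemented the way the post asks for: one automated control covering adoption (an enforceable gate), measurement (a coverage metric) and correction (the actions a remediation job would run). The HR roster, account list, service-account owner list and action names are constructed assumptions.

```python
"""Added example (not from the post): the table's IAM control, "no orphaned
accounts", automated end to end: adoption, measurement, correction."""
from dataclasses import dataclass, field
# Constructed inputs: HR's active roster, one application's account list and
# the documented exception list of service accounts with registered owners.
HR_ACTIVE = {"alice", "bob", "carol", "erin"}
APP_ACCOUNTS = {
    "alice": {"last_login_days": 3},
    "bob": {"last_login_days": 40},
    "dave": {"last_login_days": 120},                   # left the company
    "erin": {"last_login_days": 200},                   # employed but dormant
    "svc-backup": {"last_login_days": 0, "service": True},
}
SERVICE_OWNERS = {"svc-backup": "platform-team"}

@dataclass
class ControlResult:
    in_scope: int
    compliant: int = 0
    findings: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    @property
    def coverage(self) -> float:  # measurement: share of accounts meeting the control
        return self.compliant / self.in_scope if self.in_scope else 1.0

def evaluate(accounts, hr_active, service_owners, stale_days=90) -> ControlResult:
    """Human accounts must map to an active employee and have logged in within
    stale_days; service accounts must have an owner. Each finding is paired
    with the corrective action a remediation job would execute."""
    result = ControlResult(in_scope=len(accounts))
    for name, attrs in accounts.items():
        if attrs.get("service"):
            if name in service_owners:
                result.compliant += 1
            else:
                result.findings.append(f"{name}: service account has no owner")
                result.actions.append(("open_owner_ticket", name))
        elif name not in hr_active:
            result.findings.append(f"{name}: no active HR record (orphaned)")
            result.actions.append(("disable_account", name))
        elif attrs["last_login_days"] > stale_days:
            result.findings.append(f"{name}: dormant {attrs['last_login_days']} days")
            result.actions.append(("disable_account", name))
        else:
            result.compliant += 1
    return result

def passes_gate(result: ControlResult, minimum: float = 0.95) -> bool:
    """Adoption: run nightly or in CI and fail below the agreed coverage."""
    return result.coverage >= minimum
```

On the constructed data the control reports 3 of 5 accounts compliant (60% coverage), two disable actions, and a failed gate; the same `evaluate` run against every application's account export gives the measured adoption figure the post says is usually missing.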