Conducting The Annual Security Review
by Dana Turner
Every financial institution should conduct a comprehensive security review at least annually -- and more frequently if the institution's environment changes rapidly. The purpose of the security review is to identify conditions that may result in a loss or a legal action tomorrow, or thirty years from now. In other words, this review simply targets an institution's "loss potential" -- a standardized, practical and cost-effective means for analyzing the condition and contributions of the security function -- and for identifying the institution-wide "windows of opportunity" for loss from all sources.
The security review shouldn't be an audit that identifies compliance issues and makes suggestions for their correction. It shouldn't be an examination of an institution's financial safety and soundness. It's not an organizational development exercise. It's not an "efficiency" study designed to enhance productivity and reduce operating costs. Although the security review often crosses into these processes, it should be used as a comprehensive review of your institution's business practices from security and loss avoidance perspectives -- from "the carpet up".
The Security Review Process
The security review process helps you reduce -- not eliminate -- your institution's exposure to losses from mistakes, misunderstandings, crimes and legal actions. Remember that your policies, procedures, business practices and training materials are open to a court's inspection in every criminal and civil proceeding. The review process should use several tools to analyze the "state of security" within your institution. The categories to consider include your:
- Tools; and
Your review and subsequent report should involve security and related issues as they relate to the five (5) most common, industry-standard areas of exposure, including:
- Employees and other institution-affiliated parties;
- Customers and other persons likely to be on the premises, including vendors;
- Facilities that you own or control;
- Assets that are tangible and intangible; and
- Records from internal and external sources.
Plan your security review to target the same critical areas of exposure every time -- then examine other areas when issues arise. Using personal observation and interviews, the focus of this project should be to develop and articulate a professional opinion of the security environment within the institution, including:
- A review of appropriate facilities;
- A review of current employee abilities;
- A review of current training methods and approaches;
- An analysis of current fraud and violent crime prevention and response procedures, and their understanding and implementation by staff;
- An analysis of current loss prevention and response procedures, and their understanding and implementation by staff;
- An evaluation of the institution-wide loss potential due to mistakes, misunderstandings and crime;
- An evaluation of the institution's current ability to defend itself against a liability claim involving premises safety or process design; and
- Safety and security practices that could be eliminated or improved.
You already have most of the tools that you need at your disposal -- in the categories of people, places and things. Using your observations and interviewing skills, follow this suggested plan to develop the information that you'll need to make an objective determination of your institution's security readiness.
Review Appropriate Documents
Examine appropriate documents for currency, content, security features and process integrity, including:
- Security Officer's Reports to the Board of Directors for the past three (3) years;
- Operational loss summary reports, or a summary of the institution's recent losses due to policy violations and crimes;
- Organizational charts;
- Appropriate comments made by examiners and internal and external auditors during the institution's last review;
- Written Security Program;
- Bank Secrecy Act audit;
- Employee Handbook;
- Personnel Manual;
- Existing operations manuals;
- Existing position descriptions for all personnel, including service vendors;
- Existing training materials, including course outlines, lesson plans and audiovisual aids;
- Telephone directory and any existing emergency instructions distributed to staff;
- Videotapes and diagrams of interior and exterior views of your facilities;
- Actual institution documents, including cashier's and expense checks, safety deposit lease agreement, signature cards, employment and lending application forms and checking/savings account agreements; and
- Written procedures, including:
  - Bank Secrecy Act;
  - Know Your Customer Policy;
  - Office of Foreign Assets Control Policy;
  - Crisis Management Procedure;
  - Overdraft procedures; and
  - Wire transfer procedures.
Interview appropriate persons responsible for the functions reviewed during this project, including:
- Banking Operations;
- Human Resources;
- Information Systems;
- New Accounts;
- Retail Banking; and
- Teller Supervision.
Conduct Facility Inspections
Conduct on-site inspections of the facilities identified in this project, including selected individual branches (cash-handling facilities) and:
- Establish priorities based upon:
  - Safety issues;
  - Security issues;
  - Business practices; and
- Concentrate upon the institution's operational issues that traditionally offer the most significant sources of long- and short-term exposure;
- Conduct an exit recap meeting with department/branch/function representatives of your choosing;
- Conduct additional telephone interviews with selected personnel as necessary; and
- Write a comprehensive report concerning the issues that you've identified -- and include appropriate recommendations.
Your final security review report should relate your security concerns to the operational and administrative issues addressed within these categories, presented in this order:
- Introduction & Executive Summary;
- Common Threads;
- Security Function;
- Employees & Institution-Affiliated Parties;
- Customers & Vendors;
- Records; and
- Summary & Miscellaneous Comments.
Your security review becomes one of your most valuable loss prevention tools. Developing it causes the Security Officer to focus upon real -- and potential -- liabilities. Writing the report causes the Security Officer to justify comments and recommendations. Delivering the report to the institution's board of directors educates the board members about the security issues -- issues that are normally not part of the board's daily concerns.
Note: This article is derived from a workbook section used in Security Education Systems' Security & Risk Management Seminar.
© Security Education Systems 1983 - 2001
Last updated on February 16, 2001
First published on BankersOnline.com 11/5/01