Are your User Accounts up-to-date?

Part of effectively using Strunk’s cloud-based Governance, Risk Management and Compliance software is regularly reviewing, maintaining, and updating your user records and access. Our software provides your administrators with tools to make this process easier, rather than updating user records one by one. However, admins always have the option to view and change an individual user’s record and access rights.

A list of all users can be exported as a PDF for reporting purposes. In addition to the basic user information, it also includes each user’s roles and last login. To simplify adding new users and deactivating former employees, an automatic User file import can be set up. Once configured, a file containing all current users will be uploaded and processed on a scheduled basis. This allows you to add and deactivate users in a timely manner.

For other maintenance of existing users, admins can export the current user list to an Excel file. Any necessary updates can be made directly in the file and an admin will import the updated file to make the appropriate changes in the software.

Please contact Strunk Support at support@strunkaccess.com with any questions or for training on these helpful features. It is easier than ever before to keep your information up to date.

No better time to implement a Cloud-Based GRC Solution

Over recent weeks, the ongoing spread of the COVID-19 coronavirus has forced companies around the country to make difficult decisions about how to protect their employees — as well as their communities as a whole.  In an effort to halt the spread of the virus, many organizations are instituting mandatory work-from-home (WFH) policies, engaging with new cloud service providers, and shifting resources toward supporting an expanding remote workforce.  The fast-moving, global reach of the coronavirus has illustrated that a forward-looking approach to risk management is more important than ever. Having a cloud-based tool that streamlines your compliance process should be in all companies’ future strategic discussions.

Strunk offers many great automated cloud-based tools that streamline compliance and risk management for our clients. There are many benefits to these cloud-based solutions, especially in today’s environment where so many employees are working from home. Our software is simple to implement, easy to access, very flexible and reliable in backing up data for your employees who are at different locations. Implementing Strunk’s Risk Assessor, Policy Manager, Issues Manager and Vendor Manager software does not require extra hardware or software. These tools can be implemented while business continues as usual, with no downtime at all. Strunk has created a new Version 2 of our Risk Assessor, which is available to everyone. Risk Assessor helps our clients complete risk assessments consistent with appropriate regulatory or standards body frameworks in days, instead of weeks. Clients are able to upgrade for free from Version 1 to Version 2, and Strunk will help transfer results from your current Version 1 assessments.

Given the current coronavirus pandemic, the need for companies to centralize their policies and vendor management is more critical than ever. Strunk’s Policy Manager software will organize hundreds of policy documents spread across different computer and file systems into a single editable database. With employees working remotely, Policy Manager gives them easy access to the company’s policies, and with the established review dates the system will remind employees to review each policy and make changes. Centralizing your vendor management process with Strunk’s Vendor Manager software will automate the process, which reduces administrative burden and saves time while giving employees who are working remotely access to vendor due diligence. It provides a practical framework for deciding which vendors to assess in depth, assessing the risks each vendor presents, and monitoring each vendor’s performance.

Also, Strunk is offering additional free web training for our clients’ employees. There is no better time than now to get employees who are new or have changed job responsibilities trained on any of Strunk’s GRC software.

The Importance of Moving away from Spreadsheets for Vendor Management

Over the past several years, regulators have targeted vendor management as one of their top regulatory concerns. With growing dependence on third parties for services, the need for effective vendor management programs has increased. While a regulatory framework for vendor management has been in place for years, the detailed expectations and efficiency have been missing. Most organizations have adopted a vendor management process using spreadsheets, which lacks consistency, efficiency, clarity, effectiveness and oversight.

A software solution will help you move beyond spreadsheets and onto a centralized system that will streamline your process and clarify the procedure for everyone involved. Having an automated system will help you manage your vendors more efficiently. Examiners are looking for programs that have automated contract management, due diligence alerts when documents are nearing expiration, and comprehensive assessments, such as risk and controls assessments. An automated system will manage these processes more effectively and efficiently by creating a consistent workflow that a spreadsheet can’t produce. Additionally, a software solution is a more effective way to manage your vendors because it reduces the likelihood of the user errors that spreadsheets invite, such as keying mistakes or employees using the wrong spreadsheet because multiple copies have been saved.

With increasing regulations and demands concerning governance and compliance, companies can no longer risk using spreadsheets to manage third-party vendor policies and procedures. By using a centralized vendor management software system, organizations can simplify and standardize their process, effectively manage vendor risk and relationships, and ultimately save time and money throughout the entire company.

Technology Service Provider Contracts

Understanding the increased dependence that financial institutions have on technology service providers, bank regulators have increased their efforts to require banks to appropriately handle third-party risk management. The Federal Deposit Insurance Corporation (FDIC) has identified gaps noted by some examiners regarding several technology service provider contracts that were inadequate under existing guidance. These contracts were missing or inadequately addressed key terms, such as:

  • Requiring the service provider to maintain a business continuity plan.
  • Setting standards for data recovery, along with appropriate remedies when a recovery standard is missed.
  • Defining key terms in the contracts relevant to business continuity and/or incident response.

Contracts lacking these provisions violate the Interagency Guidelines Establishing Information Security Standards, promulgated under the Gramm-Leach-Bliley Act.

Vendors that provide technology-related services can create special risks to depository institutions that need to be properly addressed in their service contracts. The FDIC indicated that it plans to hold the board and senior management of financial institutions accountable for controlling those risks in accordance with the requirements of the law and its existing regulatory guidance.

Financial institutions should be willing to hold their service providers accountable and negotiate an appropriate contract. All financial institutions should have provisions that they review for all of their contracts, along with a robust vendor management program; this will help uncover any weakness in business continuity and data recovery early in the process.

You Can Outsource, But You Cannot Hide

Companies may outsource an activity, but cannot outsource accountability.

In today’s economic environment, almost every aspect of a company’s operations can be outsourced efficiently. As a result, companies interact with vendors on a daily basis, opening themselves up to additional risk. Vendor Risk is a type of Operational Risk associated with the potential risk that may occur from relying upon outside parties to perform services or activities on an organization’s behalf. When a company outsources a need to a vendor, it is still the responsibility of the company to ensure that the vendor operates in compliance with established policies, procedures and regulatory expectations.

For financial institutions in particular, this has been a clear message from all banking regulatory agencies to their members. Regulatory agencies have identified instances in which financial service institutions have:

  • Failed to properly assess and understand the risks and the direct and indirect costs involved in vendor relationships.
  • Failed to perform adequate due diligence and ongoing monitoring of vendor relationships.
  • Entered into contracts without assessing the adequacy of a vendor’s risk management practices.
  • Entered into contracts that incentivize a vendor to take risks that are detrimental to the financial institution or its customers, in order to maximize the vendor’s revenues.
  • Engaged in informal vendor relationships without contracts in place.

All companies, and especially financial services institutions, must establish an effective vendor management program to protect their business, clients and employees. Having an effective vendor management program enables institutions to control costs, drive service excellence, mitigate risks, and gain increased value over the life cycle of the vendor relationships. Selection, contract structuring and ongoing monitoring of third-party service providers are consistent themes from the regulatory agencies and other risk experts.

Take The Scary Out of Your SOC2 Exam

SOC 2 examinations can be scary and complicated, taking up extended amounts of your employees’ and stakeholders’ time. Changes to the AICPA framework can throw your SOC 2 exam into a tailspin if you discover you don’t have policies and controls to address the newer principles. Utilizing a patchwork of spreadsheets, Word docs and PDFs ensures your company will be sinking the maximum human investment into SOC 2 compliance, helping to increase frustration and the possibility of a qualified report.

Strunk Risk Manager can decrease the frustration and the complexity of your policy management process. Our software includes six basic tools for managing risks, policies, controls, compliance issues, vendors and employee knowledge, helping you seamlessly manage your compliance and policy frameworks. Strunk SOC 2 tools don’t just stop at management. We also include a suite of SOC 2 Trust Principle templates to help jump start your policy creation or fill gaps in your already-developed policy regime.

What can you expect from Strunk’s SOC 2/Risk Framework enablement tools?

  1. Your company submits your current policies to our secure portal. If your company does not have developed policies, we have you covered. Use our library of policies and controls to pick and choose templates applicable to your company, helping to speed up the policy and control creation process.
  2. From there we load your policies into the system. Once completed we will train you and your team on how to utilize the system, enabling your team to take off running.
  3. Once your policies are in the system, we will work with your team to map these policies to the correct SOC 2 trust principles.
  4. When your policies and controls are loaded and mapped to the correct trust principles, the heavy lifting is over. Modifying existing policies or adding new ones takes very little time, and your team can easily document board and management approvals.
  5. Help speed along your compliance audits using our Policy Map View, which provides a single document, showing the SOC 2 trust principles, your mapped policies and controls, as well as your control test history and applicable documents. Give your auditors most of what they will need in a single shot, reducing overhead and delays caused by communication lag.

At Strunk, we know our solution works because we use it on our own SOC 2. Contact us today for a demo to see if our solution is right for your company.

Technology Service Provider Contracts

Understanding the increasing dependence that financial institutions have on technology service providers, bank regulators have ramped up their efforts to require banks to appropriately handle third-party risk management. The Federal Deposit Insurance Corporation (FDIC) has identified gaps noted by some examiners regarding several technology service provider contracts that were inadequate under existing guidance. These contracts were missing or inadequately addressed key provisions, such as:

  • Requiring the service provider to maintain a business continuity plan,
  • Setting standards for data recovery, along with appropriate remedies when a recovery standard is missed.
  • Defining key terms in the contracts relevant to business continuity and/or incident response.

Contracts lacking these provisions violate the Interagency Guidelines Establishing Information Security Standards, as promulgated under the Gramm-Leach-Bliley Act.

Vendors that provide technology-related services can create special risks for depository institutions that must be properly addressed in their service contracts. The FDIC indicated that it plans to hold boards and senior management of financial institutions accountable for controlling those risks, in accordance with the requirements of the law and its existing regulatory guidance.

Financial Institutions should be willing to hold their service providers accountable and negotiate an appropriate contract. All financial institutions should have provisions that they review for all of their contracts, along with a robust vendor management program that will help uncover any weakness in business continuity and data recovery early in the process.

Our GRC Services

Our roots go back to 1976, when we began providing consulting services to banks and credit unions. Since then, we have worked with more than 1,500 clients in all fifty states. Among banks and credit unions, we are best known for our compliant fee income improvement programs, including Overdraft Privilege, Rewards Checking and Value Checking. Because risk management and compliance have always been a big part of what we do, in recent years we have gradually expanded our focus to helping clients in all industries improve their risk management and compliance processes and productivity using our software.

We now offer six comprehensive, easy-to-use and affordable compliance management tools that are useful for clients in any industry:

Risk Assessor helps you prepare comprehensive risk assessments consistent with regulatory or other requirements, in days, not weeks.

Policy Manager organizes all your policies into a single database, mapped to the relevant standards and control procedures.

Controls Manager schedules tests of policy compliance and tracks test results.

Vendor Manager is a specialized tool for managing vendor risk that standardizes risk assessment methodology and organizes all vendor related documentation.

Issues Manager is a centralized database for tracking all compliance issues and incidents across your entire organization.

Skills Manager provides online testing and training to ensure employees are knowledgeable about your policies.

All our tools are securely and reliably hosted at Amazon AWS, from which they are available on a variety of devices from anywhere. We’ve gotten some great feedback from our clients. Here are a few comments:

Our policy and control structure is very complex having both a broker/dealer and an investment advisory firm. Policy Manager allows us to easily organize a large volume of policies and maintain our control testing documentation all in one convenient place—a significant improvement over our previous process! — Laura Hendricks: Woodlands Securities / Woodlands Asset Management

We currently use Strunk’s Policy Manager to update and track changes to our policies. We like the audit trail it leaves of changes and also the PDF Redline that indicates changes used for the Board to review and approve. Strunk Customer Support has been prompt and they always assist with any issues we might have. — Karen Lomax, Vice President and CFO, Kinetic Credit Union

Strunk’s program brings efficiency to the process and allows us to focus on areas of high risk. Our team sees great value in the process and reporting generated by the Strunk program. It is an affordable way to manage regulatory required risk assessments. — Bob Sundquist, CFO/CRO, NebraskaLand National Bank

Our core customer base has always been small and medium-sized organizations and so, unlike most providers, we have tried to price Risk Manager at a level that is affordable for all. In order to encourage usage, we charge a flat annual fee based on organization size. That fee gets you unlimited access to the tools for an unlimited number of users, along with unlimited support from our support team.

Strunk at WBA’s Education Summit & Regulatory Compliance Conference

Strunk is excited to be exhibiting once again at the Western Bankers Association’s Education Summit & Regulatory Compliance Conference next week, August 25th-28th. This year hosted at the Hyatt Regency Huntington Beach, the event always proves to have many learning opportunities for bankers to gain insight into the most current information facing our industry.

In addition to visiting with many current clients, we look forward to showing attendees the latest features offered by our Governance, Risk Management and Compliance (GRC) software. The solution now includes six GRC tools: Risk Assessor, Policy Manager, Controls Manager, Skills Manager, Issues Manager and the all-new Vendor Manager.

Vendor Manager provides an easy-to-follow standardized process to assess risk, gather due diligence materials, evaluate contracts and store all vendor documentation in one convenient place. Vendor Manager keeps everything organized, is simple to use and of course follows the latest FFIEC guidelines.

Please stop by booth 28 to learn how to improve compliance, streamline responses, and enhance collaboration… all with less effort. All bankers will also have the opportunity to enter to win a $250 Amazon gift card from Strunk. We can’t wait to see you!

Strunk at COCC Foxwoods

We were happy to see so many friends and clients at the COCC Annual Client Conference earlier this month. We were definitely on friendly ground, as we have now implemented our solutions for well over half the COCC base. This event set a new attendance record for COCC. Thank you to everyone who dropped in to see us and congrats to Maria Sgambati at Everett Co-operative Bank who was the winner of our $250 Amazon gift card.

At the conference we were able to show off some of the latest improvements in our Governance, Risk Management and Compliance (GRC) software. We have upgraded Risk Assessor to version 2. It now includes automated feeds of peer data from the FDIC, consolidated risk and trend scoring, and an inline scoring history so you can see at the indicator level your scores on prior assessments. Policy Manager now includes more fine-grained reader logging and alerts.

We were also able to demo our new Vendor Manager tool for managing vendor risk. Vendor Manager provides an easy-to-follow standardized process to assess risk, gather due diligence materials, evaluate contracts and store all vendor documentation in one convenient place. Vendor Manager keeps everything organized, is simple to use and of course follows the latest FFIEC guidelines.