Illinois Banker Magazine | July - August Issue 2021

Page 24

SPECIAL EDITION • THE NEXT NORMAL

Does Your Change Management Process Need a Conversion?

By Stephanie Goetz, Bedel Security

We have been seeing findings related to change management cropping up in several audit reports this year. Appropriately scoping change management can be tricky in smaller financial institutions that do not code their own applications. In such cases, pointing to a third party or managed IT provider may cover many of the controls needed, such as coding, testing, back-out plans, etc. However, the trick here, as always, is understanding the roles of the bank vs. the third party. We all know very well that while we outsource the responsibility of performing the task, the bank is still ultimately responsible for the risk.

For each step below, ensure it is covered in a policy, and understand who is responsible for which step, as well as the communication points between your bank and the third party, to ensure your bank has the oversight needed to understand and manage the risk.

Risk rate your changes

This is where efficiency can really kick in. Low risk and standard changes can fast track through the process with appropriate documentation and approval. Significant rated changes, though, require the full gamut of the process because they are high risk prior to implementation. Emergency changes are also considered high risk, but due to the emergency at hand we ask forgiveness, so to speak, by creating the documentation and testing on the back end. Here’s a breakdown of the change types:

• Low – (low risk) Defined as having limited potential impact to Bank and Customers.
  Example: A minor software configuration change.

• Standard – (moderate risk) A simple and common change with a process and procedures in place to mitigate impact, such as implementation and testing procedures.
  Example: Firewall changes or patching.

• Significant – (high risk) We define those as having significant impacts on customers or bank operations to a considerable degree, or where considerable resource requirements and difficulty of the change make it a significant risk to the bank.

