
How to Deal with Supervision – Notes from a Former IT Supervisor at a Central Bank


“Mr. Supervisor, what do you want us to do?” This is probably the question I heard most often during my time as IT supervisor at the Dutch central bank, and I always gave the same answer: “My job is to identify what needs to be improved, and yours is to determine the best way to improve it and implement it.”

Having worked in a bank under supervision for a number of years before becoming a supervisor myself, and now working to support supervised clients, I have seen from both sides that one of the hardest things for supervised institutions to do is to anticipate what will make the supervisor happy and get him out of your hair. In this article, I will shed some light on how to deal with your regulator, based on my own experience, and at the same time improve your grip and control over your IT risk landscape. With the DORA legislation coming into force on January 17, 2025, it seems like a good time to shed some light on this mystery.

Disclaimer

Although it may not seem like it sometimes, supervisors are human beings too. Human beings with character traits, past experiences, morning moods, you name it. This article assumes that your supervisors (as most are) are rational, good-humored, friendly beings. There is always the possibility, albeit a rare one, that your particular supervisor is just not a very nice person who carries a grudge. While the tips in this article will always help, they may not lead to a satisfactory result because some people are just not nice. In that case, you may be best served with the tips and assistance of a communications expert. Also, the views shared in this article are based on Dutch culture, which is generally principle-based. Other European countries (e.g. Italy, Germany) have a more rule-based way of doing supervision. You may find less leeway in dealing with supervisors in these countries. Nevertheless, the content of this article should help you to get a better understanding of where your supervisor comes from and what he or she is looking for.

The world of the supervisor

In general, there are two types of supervisors: generalists and specialists. The generalist is ultimately responsible for supervising the entity. They have a basic knowledge of governance and risk management (although in the area of operational/IT risk this is usually quite low) and as soon as specific questions arise (e.g. related to business models, credit risk or even operational/IT risk), they consult a specialist. This specialist will first try to clarify what exactly the question is that the generalist wants answered. In the case of IT, this may be related to an incident, a hack, a major IT transformation program, or a general need to gain some comfort about the extent to which the institution under their supervision is aware of and managing its IT risk. After gaining clarity on the information need, the specialist will assess whether and how that information need can be met. This can be anything from reading a few documents, having a conversation or two with relevant staff or board members, or conducting a full-scale inspection, which can take anywhere from a few weeks to four or five months.

Like you, supervisors always have more work than they can handle. This pressure forces them to prioritize their efforts. The more comfort a supervisor already has about an institution, the fewer of those scarce resources will be devoted to supervisory activity at that institution.

The driver of the supervisor

General supervisors are always looking for comfort that the institution they supervise is sufficiently aware of its risk landscape and sufficiently managing it. And that is all. Their drivers are (or should be) the same as yours. The difference is that your supervisor is not primarily concerned with the limited resources you have to meet certain expectations. You come from a world of trade-offs, where every decision has a price tag. This is not something your supervisor will necessarily consider or feel. This is not to say that the limited resources argument cannot be used as a rationalization for accepting certain risks, as long as the risk acceptance is reasonable, conscious, and deliberate. Note also that awareness is highly valued. Inspection findings are generally tagged as either self-identified by the institution or not. In the former case, the finding is generally considered less severe and may even be interpreted as a sign of maturity.

About comfort

So what is the comfort level mentioned in the last paragraph? There are a number of signals that regulators typically look for, particularly with respect to IT/operational risk:

  • Sufficient board knowledge and involvement. Board members should have sufficient awareness, knowledge and involvement in the management of IT and IT risks. Indicators of this include:
    • Existence of an IT and cybersecurity strategy that aligns with and supports the business strategy, with at least one board member knowledgeable enough to have a conversation about the details, rationale, and translation to the organization (in terms of run and change the organization).
    • Minimal but sufficient reporting on the execution of programs and projects in support of the IT and cybersecurity strategy to enable the board to intervene, direct and reallocate resources as necessary.
    • Minimal but sufficient reporting in understandable language to board members to provide them with insight into the current level of IT and operational risk exposure to enable them to steer/intervene where necessary.
    • Board-level minutes reflecting board-level discussion of IT strategy, execution, IT and operational risk exposure/cyber incidents, etc.
  • A proper, functioning three lines of defense model that provides insight into existing and emerging risks and empowers the institution to manage those risks in line with its risk appetite, including:
    • A healthy culture where the three lines can all play their role confidently and provide countervailing power where necessary, e.g. an informal mandate from audit, and a sufficient sense of ownership of IT and operational risk in the first line.
    • A high level of awareness of the IT and operational risk landscape.
    • Recognition that IT and operational risk is a discipline on its own, with a second line that creates awareness that IT and operational risk is the responsibility of the first line and facilitates the proper adoption of that responsibility by providing tools, processes, knowledge transfer and support where necessary.
    • Sufficient reporting to the board on the level of risk exposure relative to the risk appetite to enable the board to make optimal board-level decisions.
  • Sufficient in-house knowledge of IT risk and IT security, e.g.:
    • Availability of experts to engage in in-depth discussions with oversight experts at all levels of the organization.
    • Insight into the required knowledge of IT, IT risk, IT audit, IT governance and IT security (the SOLL position, i.e. the target state).
    • Understanding of the current state of available knowledge (the IST position, i.e. the actual state).
    • Active initiatives to maintain the proper degree of knowledge (closing the gap between IST and SOLL).
    • Sufficient documentation in all IT, IT governance, IT risk and IT security related functions to support knowledge transfer.
    • An active training program for the entire organization and for specific functions, including board members.
  • A mature supervisory communication posture (see below).

With the above in place, a supervisor will be more likely to trust the institution’s reporting, rather than feel the need to expend valuable resources to gain comfort, e.g., in the form of on-site inspections. If you are willing to invest resources to keep the regulator off your back, your best bet is to invest in the above. Note that in doing so, you will most likely also increase the maturity of your internal governance and control over your risk landscape as a nice byproduct.

Mature attitude in dealing with your supervisor

Internal governance frameworks and standards such as COBIT, ISO 2700x, and NIST contain control objectives and provide tools to measure the maturity of the controls aimed at achieving those objectives, e.g., the COBIT Capability Maturity Model. Another form of maturity I have seen in my time as a regulator relates to how organizations deal with their regulators. Roughly speaking, there are three levels of maturity:

  1. Resistance: The most immature organizations are those that are resistant to supervisory interference. They tend to look down on supervisors as subject matter experts and show a high level of resistance to the boring, dusty, old-fashioned requirements that supervisors bring to the table. They focus on all the flashy and modern technology they are implementing. They feel this is clearly outside the knowledge space of central bank supervisors, and adopt a posture: “Who are they to tell us how to do things?” This behavior is most prevalent in modern tech banks and institutions that have only recently come under supervision.
  2. “Cooperative”: After some experience with supervision, most organizations learn that in the end, supervision costs them less effort if they just give up and go along with whatever the supervisor says. Most of the observations you make as a supervisor are then met with, “Yes, Mr./Ms. Supervisor, we see your point. You are right, and we will make every effort to correct this.” Note that “cooperative” is in quotes because there is little productive discussion at this stage.
  3. Mature: Organizations at this level of maturity have had sufficient experience with supervision. They have learned that their supervisors are human beings who know less about their environment than they do. They have learned that their supervisors are open to discussion. This is the level of maturity that supervisors want. Constructive dialog can take place. Institutions are not afraid to object to certain requirements, can argue why certain threats don’t apply to them, and can discuss how they have identified their own risks that the supervisor may have overlooked. In doing so, they demonstrate that they are sufficiently aware of and managing their own IT/operational risk landscape, even if they have missed some of the risks identified by the supervisor.

Recommended attitude towards your supervisor

When you go to a bakery where you have never been before to buy a loaf of bread you have never bought before, you know exactly how to act. This is because of a psychological concept called patterns.

Patterns allow you to shape your behavior based on similar experiences in the past. One of the interesting things I’ve seen in supervision and auditing is that when someone with some degree of authority comes in and starts asking you how you do your job, people don’t have patterns for that. There is an added pressure to these conversations because people in these meetings do not know what will happen with the information the supervisor gathers from the meeting.

It is not uncommon for people to feel tension because the supervisor may be on the hunt for what you are doing wrong and may take that information to management so that the manager can take action toward you. This leads to a wide range of attitudes from people when they are questioned.

Some get really quiet, some become your best friend, some get a little aggressive. I can tell you that in my 15 years as an auditor and supervisor, I have had a lot of interviews with a lot of people. There were exactly three of them (in fact, I remember them by face and name) who did not do their job the way they thought was best for the benefit of the organization.

Supervisors very rarely want to burn someone, and never someone who doesn’t deserve it. In general, supervisors recognize that they are generalists and risk experts, and that the people they supervise are much more knowledgeable about the specific processes and systems they work with every day. The general approach for any auditor or supervisor is to first learn from the people they interview what their day-to-day work looks like, how the processes work, how the technology works, and so on.

Once they understand the big picture, they will challenge the interviewee to see if this leads to a lack of comfort that all relevant risks have been identified and properly managed. This does not mean that all risks must be mitigated. Just that:

  • The risks are identified;
  • The risks have been assigned to an owner;
  • The likelihood of the risk occurring and the impact if it materializes have been properly weighed against the cost of mitigating the risk through some form of control; and,
  • Monitoring of the manifestation of the risk takes place.

Supervisors are open to a discussion of whether or not a particular risk should have been mitigated. They are also receptive to probability and budget arguments, as long as the respondent can demonstrate that they have considered the matter and made a measured, considered decision. And where they have not, the supervisor also recognizes that most subject matter experts are not risk experts and will be happy to share their views on the need for additional attention to certain risks.

Why supervisors will never provide you with the solutions to the problems they find

So why is it that supervisors are so good at complaining about what’s wrong with you, but they rarely give you any insight into what they want you to do? There are three reasons.

First, supervisors expect people in the organization to have sufficient knowledge about their own environment and the specific issues they have to deal with. If not, that is the problem that needs to be addressed, not so much the potential shortcomings that have been identified or how they might be addressed.

Second, supervision is a lot like auditing, and the first rule of auditing is that auditors remain independent. Part of this independence is achieved by not being involved in 1st or 2nd line activities. Providing advice may lead to a situation where auditors/supervisors may have to evaluate their own work in the future.

Third, if the supervisor gives advice and things go wrong, institutions may point to their supervisors and say: “They told us to do it this way.” This can lead to a lack of responsibility and/or ownership for certain aspects of governance, risk and control, on the one hand, and the start of discussions that the supervisor would like to stay away from, on the other.

However, reality is not black and white and regulators see many different organizations that deal with certain requirements in different ways. To some extent, you can ask questions and share ideas with your supervisor. If an idea is a really bad idea, a supervisor can always share his or her thoughts.

Supervisors only speak up when things are bad, and hardly ever give credit when something is good. Why is that?

Unfortunately, supervision will never acknowledge when something is good. The reason for this is that this would invite institutions to use supervisory feedback as a credential. Supervision does not have the mandate to do this and must always maintain the diplomatic space to criticize certain aspects of the institution’s organization. Having previously marked something as sufficient can undermine this space.

How to deal with supervisors who never seem to be content with the information you provide

You may find yourself in a situation where a supervisor just won’t get off your back and keeps asking you for new information on a particular topic, no matter what you provide. This is not an atypical situation, and it is rooted in a sense of concern for which the supervisor is seeking reassurance. If you find yourself in this situation, the best thing to do is not to keep providing new information that you think the supervisor needs, but to address the aspect of concern that is driving the series of requests. Ask your supervisor about the nature of their concern. What is the risk for which they are seeking reassurance? In the ensuing dialog, ask yourself if you share this concern. If you do, steer the conversation toward alleviating the concern. If you don’t, you should be able to reason and argue why, and aim to communicate that reasoning to your supervisor.

About proportionality

Almost all legislation contains a paragraph on proportionality. In my experience as a supervisor, proportionality is the most abused argument in daily practice. When institutions, especially less mature ones, are confronted with certain unmet expectations, proportionality is often the first argument they reach for. However, this usually does not help to ease the supervisor’s discomfort, especially if the argument is used in a reactive way. Some degree of proportionality can be applied to legal and regulatory requirements, but only if the decision is well thought out, subject to feasibility analysis, accepted by the highest level of authority in the organization, well documented and reasonable. This would be demonstrated by being able, when challenged, to provide insight into the potential cost of compliance, awareness of the residual risk exposure, and the measures in place to monitor whether the underlying risks are materializing. Simply responding to a challenge with “That’s not proportional,” without demonstrating that you are aware of the risk and have consciously accepted it, conveys the following message:

  • This organization is not fully aware of its risk landscape and may be exposed to a higher level of risk than its risk appetite dictates without realizing it.
  • This organization places insufficient emphasis on managing and controlling its risk landscape.

How to prepare for an on-site investigation

So what can you do to get the most out of an on-site investigation? Here are some tips.

Inform your employees: Inform affected employees of the upcoming inspection and its details (subject of investigation, timelines). Also, try to convey the message that no one is a suspect and, in the absence of criminal findings, invite people to be open, factual and critical towards the supervisor (it’s okay to discuss if they feel certain opinions are invalid or not useful, as long as there is a proper rationale).

Present the review as a healthy challenge and a potential opportunity to improve their daily work. It’s not about blaming anyone for wrongdoing, but about identifying risks, exploring their nature, and exploring ways to reduce risk exposure at a reasonable cost. Encourage employees to adopt an open and constructive attitude, giving due consideration to the reasonableness of the potential cost of mitigating certain risks.

Discourage the use of the proportionality argument, or at least provide guidance on when and how this argument can be put on the table. It may also be helpful to convey that if the parties agree to disagree, the supervisor is likely to get his or her way in the end. Designate one party (e.g., from audit) to guide any internal colleagues to prepare them before and debrief them after each meeting.

Establish and agree on lines of communication: Designate a single point of contact to interact with the inspection team. One person or department to handle all data, interview, and facilitation requests from the inspection team. Have this person act as a liaison between the inspection team and the organization, manage the interview calendar, and forward documentation requests.

Schedule progress meetings with the inspection team: The inspection team will likely control this, but if not, suggest at least bi-weekly meetings with a central internal facilitator and monthly meetings with the board.

Prepare board members: Prepare and inform your board members before and during the inspection so that they are fully aware of the nature of the site visit and are kept informed of progress.

Communicate openly with your board throughout the year: Be transparent about IT strategic progress, key developments and incidents. The worst thing that can happen is for your board to read about developments and/or incidents in the newspaper. Proactively involve your board in key strategic decisions and major changes (e.g., cloud strategy, major application replacement/migration, reorganizations, etc.).

Use supervision wisely: Oversight can benefit your organization in three ways: 1) to gain insight into the nature of your own IT landscape and its potential vulnerabilities and areas for improvement; 2) to gain insight into how certain things could potentially be done better; and 3) to create leverage to get things done.

What to never say to your supervisor

Finally, I would like to close this article with some things you should never say to your supervisor (from my own practical experience).

This is not proportional.
Never say this without demonstrating that the issue at hand has been sufficiently considered and subjected to a feasibility study, that the residual risk has been identified, that the risk acceptance decision has been approved, documented and reported, and that monitoring of the residual risk is taking place. Without this support, the statement that something is not proportionate conveys a lack of awareness of the IT risk landscape and a lack of priority in managing it.

Our IT security organization leaves nothing to be desired, we are sufficiently protected against cyber threats.
Overconfidence in security risk management immediately raises several red flags. In security, it is often said that it is not a question of whether you will be breached, but when. While the truth of this can be debated, the statement represents the mindset expected of any mature organization. To say that you have everything under control is to say that you may, and probably do, underestimate the threats posed by cyber criminals.

We outsourced this, so it is the responsibility of our vendor.
Rule #1 in outsourcing is that you can outsource your operations, but never your responsibility. To say that your supplier is responsible is to say that you are not aware of the need to manage your risks wherever you are exposed. This means that you are most likely exposed to all kinds of IT risks without even realizing it.

We are ahead of our peers in terms of the maturity of our internal controls.
I’ve heard this statement many times. Remember that your supervisor probably has a better view of your peers’ performance than any benchmark that may or may not have been performed. In any case, this statement will get you nowhere, as supervisors tend to focus on facts and evidence rather than loose statements. It conveys that you are grasping at straws. It is better to either come up with valid arguments or accept that your supervisor has a good point that you will have to evaluate further.

Yes, Mr./Ms. Supervisor, you are right, we will look into it.
This may be a strange one, given the content of the article, but it is meant to trigger you. The message I’m trying to get across here is that just as you have the responsibility to demonstrate that you’re in control, your supervisor has the responsibility to demonstrate that a particular risk is real and a concern is valid. If you are faced with a request to mitigate something that you don’t see as a risk, you can challenge your supervisor as to why you should be making investments to mitigate it. This will keep you from diverting funds from somewhere else where they may be needed more, and will keep you and your supervisor on your toes. Unfortunately, the supervisor ultimately has the power to force you to take certain actions. So if you agree to disagree, you will most likely draw the shortest straw. However, this is no reason not to be vigilant and try to avoid wasting valuable investments on non-existent or non-significant risks.

If the risk hasn’t manifested itself, it’s not really a risk, is it?
This seems very obvious, but I just wanted to give it an honorable mention because I once heard an IT risk manager of a large bank say this to me. After closing my mouth, which had been open for 30 seconds, I told the lady, of whom I had had a pretty good impression up to that point, that I would pretend not to have heard her say that. If you don’t understand why you can’t say that to your supervisor, you need a course in risk management more than you need this article.

Closing notes

In this article, I have tried to provide a view of the supervisor’s world. Contrary to popular belief, you and your supervisor are on the same side. You both want to facilitate a reasonable level of control over your IT risk landscape. I hope the insights in this article will help you reach that level of common understanding, and shift the supervisor’s attention from an authoritarian relationship to one that is more constructive. If you would like more information about my experiences and/or assistance in dealing with oversight, please feel free to contact me.

By Camiel Castillo
Senior Manager – Cyber Security

06 Aug 2024