September 30, 2014

Major Management Challenges for the Board of Governors of the Federal Reserve System

OFFICE OF INSPECTOR GENERAL
BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM
CONSUMER FINANCIAL PROTECTION BUREAU

September 30, 2014

Memorandum

TO:

Board of Governors

FROM:

Mark Bialek  /signed/
Inspector General

SUBJECT:

The OIG's List of Major Management Challenges for the Board

We are pleased to provide you with the Office of Inspector General’s (OIG) first listing of major management challenges facing the Board of Governors of the Federal Reserve System (Board). These challenges represent what we believe to be the areas that, if not addressed, are most likely to hamper the Board’s accomplishment of its strategic objectives.

We used audit and evaluation work performed by the OIG, audits performed by the U.S. Government Accountability Office, and the Board's strategic planning documentation to identify the Board's major management challenges, which are listed in the table below.

No.  Management challenge
---  ------------------------------------------------------------------------------
1    Continuing to implement a financial stability regulatory and supervisory framework
2    Human capital
3    Board governance
4    Capital improvement projects
5    Information security

Details on each challenge are in attachment 1 of this memorandum. Attachment 2 maps our ongoing and planned work related to the major management challenges we have identified for the Board.

We appreciate the cooperation that we received from the Board as we developed this listing of challenges. Feel free to contact me if you would like to discuss any of the challenges.

Attachments
cc:

Scott Alvarez, General Counsel, Legal Division
Eric Belsky, Director, Division of Consumer and Community Affairs
Michell Clark, Director, Management Division
Robert deV. Frierson, Secretary of the Board, Office of the Secretary
William English, Director, Division of Monetary Affairs
Michael Gibson, Director, Division of Banking Supervision and Regulation
Donald Hammond, Chief Operating Officer, Office of the Chief Operating Officer
Steven Kamin, Director, Division of International Finance
J. Nellie Liang, Director, Office of Financial Stability Policy and Research
William Mitchell, Chief Financial Officer and Director, Division of Financial Management
Sharon Mowry, Chief Information Officer and Director, Division of Information Technology
Louise Roseman, Director, Division of Reserve Bank Operations and Payment Systems
Michelle Smith, Assistant to the Board, Chief of Staff, and Director, Office of Board Members
David Wilcox, Director, Division of Research and Statistics

Management Challenge 1: Continuing to Implement a Financial Stability Regulatory and Supervisory Framework

As outlined in the Board of Governors of the Federal Reserve System's (Board) Strategic Framework 2012–15, continuing to build a robust infrastructure for regulating, supervising, and monitoring risks to financial stability remains a strategic priority for the agency. The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) provided the Board with the authority to oversee nonbank financial companies designated by the Financial Stability Oversight Council (FSOC) as systemically important. In Supervision and Regulation Letter 12-17, the Board outlined its updated framework for consolidated supervision of large financial institutions as a result of lessons learned during the financial crisis. While Supervision and Regulation Letter 12-17 provides a high-level description of the framework and priorities for consolidated supervision for large institutions, including nonbank systemically important financial companies, we understand that the supporting guidance necessary to fully implement the framework is forthcoming. Finalizing the supporting guidance and effectively implementing it through examiner training programs will be a challenge for management in the coming years. The following sections describe specific challenges associated with implementing the financial stability regulatory and supervisory framework. 

Cultivating Effective Relationships With Other Regulators 

Effective consolidated supervision is predicated on the Board, as the consolidated supervisor for bank, financial, and savings and loan holding companies, cultivating strong cooperative relationships with the primary supervisors of holding company subsidiaries. Our evaluation work has revealed instances in which this cooperation could be improved. 

Agency Actions 

Since 2013, senior Board officials have made significant efforts to coordinate with their counterparts at the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation to align strategic objectives and minimize duplication of efforts with respect to the supervisory planning process. We also understand that similar efforts routinely occur at the examination-team level. 

Finalizing and Ensuring Compliance With New Regulations

While the Board has finalized many of the regulations mandated by the Dodd-Frank Act and other significant rulemakings supporting the financial stability framework, such as the Basel III capital rules, some rulemakings remain in the comment phase or have yet to be finalized. For example, the comment period for the Board's proposal to amend its emergency lending regulations to conform to the requirements of the Dodd-Frank Act has closed, but the rules have yet to be finalized.[1]

Further, the Board will face challenges as its focus shifts from rulemaking to interpreting the rules and ensuring compliance with recently issued regulations. As an example of challenges related to interpreting rules, we understand that following the issuance of the Basel III capital rules, responding to industry questions for interpretive guidance became a priority for the Board. With regard to ensuring compliance, the Volcker Rule took effect in April 2014, and the Board has indicated its intent to hold banks accountable for complying with the requirements of the final rule starting in July 2015. Under delegated authority from the Board, Federal Reserve Bank examiners will be expected to monitor and enforce compliance with prohibitions and restrictions related to proprietary trading and certain relationships with hedge funds or private equity funds. Supervisory guidance on this topic needs to be issued, and examiners will need to be trained on how to assess compliance with the rule's provisions. Similar training and implementation challenges also exist for other significant rulemakings. 

Agency Actions 

The Board has made considerable progress in fulfilling the regulatory mandates outlined in the Dodd-Frank Act and in finalizing other significant rulemakings supporting the financial stability framework. Our office will assess the Board's progress toward implementing its supervisory approach for these new, complex regulations. 

Developing Technology Infrastructure and Addressing Human Capital Challenges Associated With Monitoring Risks to Financial Stability

The Board faces operational and human capital challenges associated with its efforts to supervise and monitor risks to financial stability. Within the large bank portfolio, our evaluation work has revealed that supervisory teams have encountered challenges searching through the significant amounts of supervisory information that result from the Board's continuous monitoring activities. Within the regional and community bank portfolios, we understand that the Board is in the process of transitioning to a technology platform that will standardize the processes for conducting examinations across the Federal Reserve Banks. This project requires a multiyear implementation effort. The Board also faces challenges in attracting and retaining employees with the specialized subject-matter expertise necessary to execute its supervisory activities, as further discussed in the human capital management challenge. 

Agency Actions 

The Board recently improved supervisory teams' search capabilities for informal supervisory information related to specific institutions. Information previously stored in specific Lotus Notes databases has been transitioned to internal websites to facilitate these enhanced search capabilities. We also understand that the INSite platform will be implemented for the regional and community bank portfolios using a phased approach over multiple years. 

Management Challenge 2: Human Capital

The Board's success in achieving its mission depends on having the right number of people with the necessary technical, managerial, and leadership skills. Accordingly, human capital is one of the key themes in the Board's Strategic Framework 2012–15. As the Board's framework notes, maximizing the value of the Board's human capital will depend on enhancing processes for effective recruitment, development, and retention of qualified staff. A key first step in ensuring that the Board has a workforce that can effectively carry out the Board's mission both now and in the future is identifying the critical technical, managerial, and leadership skills through workforce and succession planning. The Board faces challenges in maintaining the necessary skill sets due to competition for highly qualified staff and the difficulties associated with replacing employees who have the specialized knowledge and skill needed to fulfill the Board's mission. In addition, the Board will face challenges as it implements a new performance management process and continues its efforts to recruit and retain a more diverse workforce. 

Identifying Mission-Critical Technical, Managerial, and Leadership Skills Through Workforce and Succession Planning

The Board will need to determine the skill sets and number of staff members needed to enable each division to efficiently and effectively accomplish its goals. In congressional testimony, the U.S. Government Accountability Office (GAO) has highlighted the need for federal agencies to identify and address current and emerging critical skills gaps to reduce the risk of staffing shortfalls that could jeopardize agencies' efforts to accomplish their missions. In its 2003 report Human Capital: Key Principles for Effective Strategic Workforce Planning, GAO describes effective principles for workforce planning, including determining the critical skills and competencies needed to achieve an agency's mission and developing strategies to address skill and competency gaps.

An important consideration in workforce planning is the need to develop a succession plan to ensure continuity of knowledge and leadership in key positions. The Board has noted the operational risks associated with staff retirement and turnover and the difficulties associated with replacing employees with specialized knowledge and skill sets. Failure to plan for and anticipate turnover and departures could have a negative effect on the Board's ability to achieve its goals and fulfill its mission. In addition, the Board has experienced turnover in the leadership of various divisions, highlighting the need for clear succession plans. In a 2005 report on succession planning, GAO encourages federal agencies to "go beyond a succession planning approach that focuses on replacing individuals and engage in broad, integrated succession planning and management efforts that focus on strengthening current and future organizational capacity." To ensure that the Board successfully achieves its mission, each division will need to identify its current and emerging skill needs, develop and implement a plan to address any identified skill gaps, and ensure that leadership development is a component of its succession planning. 

Agency Actions

In its strategic framework, the Board acknowledged the need to establish a Boardwide succession planning process, which will require considerable support across all divisions. The 2012–2015 Human Resources Strategic Plan also identifies leadership development as a key focus area. In support of these objectives, the Board formed a Leading and Managing People workgroup, composed of senior managers and officers across divisions. The purpose of this workgroup is to develop leadership capacity, including but not limited to introducing leadership coaching, creating case studies to define successful and unsuccessful leadership skills, and developing a list of core competencies expected of leaders. The Board has also successfully implemented a new manager development program, which it is expanding to include senior Board officials, and has begun using a succession planning tool. 

Implementing a New Performance Management Process

In early 2013, the Board elected to change how employees approach and use individual performance feedback. The Board is currently developing and implementing a new performance management program intended to align staff members to the work of the Board, provide greater accountability, and support employee development. The new program seeks to be a more forward-looking, development-centric process in which staff members and managers work together for the greater effectiveness of the Board. The new performance management program is a significant change for the Board. The Board will need to ensure that the new process is effective, fair, and not overly burdensome, while simultaneously maintaining distinctions between high and low performers. Ensuring a successful paradigm shift from a rating-centric process to a development-centric process for assessing employee performance, as well as ensuring that a consistent approach is followed across the Board, will be a challenge for the Board. 

Agency Actions

The Board introduced the new performance management process as a pilot in six divisions for performance year 2013–2014. Full implementation in all divisions is planned for performance year 2014–2015. The Board contracted for the necessary expertise to assist with the program's implementation, which includes information sessions, tools and guides, training, and other support.

Recruiting and Retaining a Diverse Workforce

The Board's policy is to provide equal opportunity in employment for all persons. In support of this commitment, the Board has established strategic objectives to attract, hire, develop, promote, and retain a highly diverse workforce. A diverse workforce is one that not only includes employees with a wide variety of attributes but also is rich in diversity of thought and perspective. According to the Office of Personnel Management's Government-Wide Diversity and Inclusion Strategic Plan, harnessing the innovation that can come from a diverse workforce will help agencies to realize full performance potential and to cultivate a high-performing organization. Although the Board has undertaken a number of activities to increase diversity, it noted continuing challenges in hiring minorities in its April 2014 Report to the Congress on the Office of Minority and Women Inclusion. In April 2013, GAO reported that federal agency officials said the main challenge to improving diversity was identifying candidates, noting that minorities and women are often underrepresented in both internal and external candidate pools. 

Agency Actions

To successfully achieve its diversity goals and objectives, the Office of Human Resources plans to partner with divisions to design, develop, and implement an integrated Boardwide talent management strategy. This strategy will facilitate the management of a diverse workforce throughout all phases of the employee life cycle, which includes recruiting, engaging, retaining, and developing employees. Building on each phase of the life cycle will enable the Board to create an integrated approach to managing talent. An enterprise-wide talent management strategy that identifies the basic competencies every employee should possess will allow the Board to assess performance and to develop and retain talent. In addition, the Board continues to address challenges to improving diversity by participating in educational forums and offering mentoring programs and summer internships. 

Management Challenge 3: Board Governance

Historically, the Board's divisions have operated largely autonomously in performing their specified mission functions, developing organizational structures, formulating budgets, and establishing management processes. As the Board's mandate expanded in the wake of the financial crisis and the enactment of the Dodd-Frank Act, so has the Board's need for strategic planning, management processes, and coordination across divisions. In its Strategic Framework 2012-15, the Board lists three strategic themes that address various aspects of its governance challenges:

  • strengthening management processes to enable effective implementation of strategic themes, increasing operating efficiencies, and reducing administrative burden
  • establishing a cost-reduction approach and a budgetary growth target that maintains an effective and efficient use of financial resources 
  • redesigning data governance and management processes to enhance the Board's data environment 

The Board's strategic framework states that achieving its strategic objectives will require more active collaboration across divisions. Collaboration will be required to fulfill the Board's supervisory expectations under the Dodd-Frank Act as well as its traditional monetary policy functions. Collaboration will also be required to carry out the Board's agenda of management process changes to keep major investments on track, identify additional opportunities for cost savings, and improve overall operations. Enhancements to the Board's management processes will allow for increased ownership of and accountability for leadership decisions, an enhanced ability to prioritize strategic needs, and a potentially reduced administrative burden. We believe that aspects of Board governance, including internal control, information technology (IT), and data, will continue to pose management challenges to the Board's efficient accomplishment of its mission. 

Internal Control Governance

Internal control is an integral part of managing an organization and is critical to improving organizational effectiveness and accountability. Internal control comprises the plans, methods, and procedures used to meet the organization's mission, goals, and objectives. The Federal Managers' Financial Integrity Act of 1982 (FMFIA) requires that each executive agency establish internal accounting and administrative controls in compliance with standards established by GAO and prepare an annual statement on internal control based on an evaluation performed using Office of Management and Budget guidelines. The Board is not subject to FMFIA. 

Although the Board has stated that it voluntarily complies with the spirit and intent of FMFIA, it does not currently have a Boardwide process for maintaining and monitoring its administrative internal controls. Office of Inspector General (OIG) work has identified internal control weaknesses at the Board. While these control weaknesses have not prevented the Board from carrying out its mission or achieving its strategic objectives, some of them have introduced operational and reputational risks. Establishing a process for maintaining and monitoring internal controls will help ensure that the Board's controls, as designed and implemented, are effective and continue to work over time. Establishing a Boardwide process to monitor internal controls will also provide a means for the Board to identify and timely mitigate any control weaknesses that exist.

Agency Actions

Board management identified actions that it plans to take in 2014 to implement a process for maintaining and monitoring administrative internal controls. Management plans to (1) develop a Board policy describing the requirements for appropriate administrative internal controls based on the guidance provided by the Committee of Sponsoring Organizations of the Treadway Commission[2] and GAO, (2) implement the new policy using a phased approach, (3) require each Division Director to provide a reliance letter acknowledging that the division is responsible for implementing and maintaining internal controls, and (4) develop training on administrative internal controls and the Board's policy. Management noted that given the priorities and budget constraints underlying the Board's new strategic framework, creating additional infrastructure to develop and implement policies and processes must be carefully balanced with other competing resource priorities.

IT Governance

The Board also faces governance challenges in both the centralized and decentralized management of IT services. A primary mission of the Division of Information Technology (Division of IT) is to provide services to meet the automation and data analysis needs of its customers; however, divisions also provide IT services to their employees. Our recent audit work found that over half of Board divisions perform their own application development and help desk activities, often using differing processes, procedures, and tools. We also found that Board divisions do not track costs for IT services in a consistent manner. 

Agency Actions

The Board recently approved new delegations of authority that grant the Director of the Division of IT the authority for automation, telecommunications, and other IT matters; information security; and the formulation, approval, and implementation of the management policies for IT and information security.

The Director of the Division of IT chairs the Board's Business Technology Strategic Committee, which comprises senior IT representatives from each division. The purpose of the committee is to promote an enterprise view of the implementation and administration of IT services in a consistent, cost-sensitive, and secure manner that is informed by business needs. The Director of the Division of IT recently updated and finalized the committee's charter to increase coordination among the divisions; she also continues to hold discussions on strategic collaboration. 

In 2013, the Director of the Division of IT administered a survey of IT costs across the divisions to help the Board better understand the scope and diversity of the technology services provisioned across the enterprise. Also, the Business Technology Strategic Committee designed a survey to collect information from each Board division and office to identify opportunities to improve operational efficiency. 

Data Governance

As a result of expanded responsibilities under the Dodd-Frank Act, the Board is engaging in new data collection and analysis. New data collection and data management processes are required to perform these new responsibilities. The need for data across the divisions to support the Board's analytical challenges has also increased in terms of the quantity, sharing, awareness, access, controls, and quality. Traditionally, data were used within divisions to accomplish specific mission functions; however, to fulfill the Board's expanded responsibilities, divisions now need to increase coordination with each other and with the Board's new Office of Financial Stability Policy and Research, and they need to support the Board's participation in FSOC. A Boardwide data management view is needed to enhance the ability of staff members to obtain, interpret, and analyze these data. The Board will be challenged to expand its technology infrastructure and processes to support the increased requests for and analysis of data, as well as to enable comprehensive, enterprise-level data governance and information management practices.

Agency Actions

In the Strategic Framework 2012–15, the Board outlined the role of a new Chief Data Officer (CDO) position. The first CDO was hired in April 2013. The CDO is working with the Board Data Council and Board divisions to establish data governance policies and to facilitate coordination across data communities at the Board and among the Board; the Federal Reserve Banks; and other regulatory agencies, such as FSOC and the U.S. Department of the Treasury's Office of Financial Research.

A new Boardwide data governance and management structure is planned to support the growing need to share large amounts of data across divisions. The CDO is reviewing the current data collections, engaging divisions, and developing a cohesive enterprise data governance framework.

Management Challenge 4: Capital Improvement Projects

The Board is currently managing two major capital improvement projects that are included as key themes in the Board's Strategic Framework 2012-15: the Martin Building renovation and construction and the relocation of the Board's data center. Both are multiyear projects that involve significant resources and pose challenges due to their size, complexity, and effect on the Board's staff members and mission. In addition, managing large-scale construction projects is not a core function of the Board. 

The Martin Building facility has not been significantly renovated since its construction in 1974. In addition to ensuring a safe and adequate environment in which individuals and groups can work and meet, efforts associated with the renovation will focus on security, energy efficiency, meeting and conference space, and physical plant capacity. Relocating the data center is critical because the Board needs increased storage capacity for the data essential to its mission. As currently planned, the relocation of the Board's data center will overlap with the Martin Building project, creating an additional challenge as the Board attempts to oversee and manage both projects. In addition to managing these projects, the Board will have to adapt its space-planning and leasing activities due to the Martin Building project. The Board will need to manage the swing space acquired to accommodate its significant workforce growth as well as staff members displaced from the Martin Building during the construction period.

Martin Building Renovation and Construction

The Martin Building renovation and construction project is one of the Board's largest contracting efforts, and it will require an estimated $280 million expenditure. The concept for the project began shortly after the events of September 11, 2001. Since the original concept was developed, the Martin Building project has gone through a lengthy design phase, primarily due to significant scope changes. In addition, project management has been complicated by changes in the Board's organizational structure and leadership.

The Martin Building renovation and construction project is a complex undertaking with significant implementation risks and challenges that the Board must manage. These risks include scope changes, cost management, and disruption to staff members during the renovation. Delays during construction could lead to contractor claims and increased costs for the Board due to the size of the construction contract and the nature of construction work. Many parties are involved in the construction life cycle process, and interdependencies exist. As a result, delays could cascade and affect the timing and sequencing of others' work.

In September 2012, the Martin Building project team presented an overall conceptual construction cost estimate of $179.9 million to the Committee on Board Affairs. The project was approved as a strategic plan project, and the capital portions of the project are currently included as a multiyear capital project in the Board's 2013 Budget as Approved by the Board of Governors. Our audit of this conceptual construction cost estimate identified opportunities for the Board to improve its recordkeeping, cost estimation, and cost management processes for the Martin Building project. 

Agency Actions

Since 2011, the Board has hired personnel with construction experience. In addition to the project team, an executive team and the Executive Oversight Group were established to be strategic advisors to the Martin Building renovation and construction project. The project team purchased software that provides collaboration, project management, and information management applications specifically for the architectural, engineering, design, and construction business sector. In addition, the project team is currently maintaining files initiated by the former project manager to fulfill contracting officer technical representative and project record keeping responsibilities. After receiving independent cost reviews, a stated cost limitation was established with the architectural and engineering firm, and the firm submitted cost-saving items to aid in cost management. 

Relocation of the Board's Data Center

A key consideration of the Martin Building renovation and construction project is the future of the data center. The Board has undertaken a multiyear project to move its data center from the Martin Building to the Baltimore Branch of the Federal Reserve Bank of Richmond. The Board is relocating the data center because the growing number of file servers, network racks, and network switches has dramatically increased the footprint of data center operations. Critical subsystems for cooling and power have exceeded their capacity. The data center relocation is a major element of the third theme in the Board's Strategic Framework 2012–15, and the multiyear data center project is composed of four overlapping phases, with completion scheduled for December 2015. 

Relocating the Board's data center within the approved budget and schedule will pose challenges to the Board. The start of the Martin Building renovation and construction project is contingent on completion of the data center relocation. The construction phase of the data center relocation project has an aggressive schedule with several identified risk areas. The initial planning schedules for the Martin Building project and the completion of the data center project have a six-month overlap; therefore, delays in the data center schedule could affect the Martin Building project. The Board's data center operates 24 hours a day, 365 days a year, to monitor the operation of the Board's mainframe and the status of the file servers and other critical components of the Board's distributed network. The data center provides the infrastructure that makes data and IT available to the Board and to the Federal Reserve System for monetary policy, financial supervision, consumer protection, and economic research purposes. 

The Board has approved $201.5 million as the overall budget for the project. The budget was based on a 10-year total cost of ownership estimate based on a rough order of magnitude. As the actual build-out work begins, additional changes and cost increases are possible, which could potentially affect the budget. 

Agency Actions

The Federal Reserve Bank of Richmond is responsible for the build-out of the data center, and it designated a project manager to oversee the project. The Board designated a program manager and a project manager, both within the Division of IT, to oversee the project in coordination with a team composed of members with experience in IT, procurement, and financial management, among other areas. There is also an Executive Oversight Group that oversees and provides guidance on the project and ensures that the Board's strategic objectives are being met. 

Space Planning and Leasing

The Board currently occupies space in several buildings in Washington, DC. The Board's overall staffing level has grown significantly over the last several years, and continued growth is expected in some of its divisions. The Board is challenged with accommodating both the expected growth of its workforce and the placement of staff members in swing space due to the Martin Building renovation and construction project, while also effectively managing its existing real property assets.

The Board acknowledges the need to focus on its long-term space requirements while also considering, in the context of its strategic framework, factors such as the current space environment, building location limitations, the projected growth of the organization, technological requirements, the implications of telework, and the operational effects and life cycle costs of all options. Considering these factors will help the Board to develop a meaningful approach for the most efficient and effective use of space. 

Agency Actions

The Board signed a 10-year lease for swing space to relocate staff members displaced by the Martin Building renovation. To accommodate anticipated growth in some divisions, the Board plans to retain that space after the renovation is complete. Recognizing that it needs to take a more consistent approach to space planning, the Board is developing a standard process for allocating and managing its space. The Board is also developing a strategic master plan for space planning, and it contracted for real estate advisory services to assist with this effort. This plan is intended to inform the decisions of the Board's senior leadership regarding the Board's space needs. 

Management Challenge 5: Information Security

GAO continues to include the protection of federal information systems and the nation's cyber-critical infrastructure as a priority for federal agencies. The OIG has also identified information security as a major management challenge for the Board. Management should place a high priority on implementing new federal requirements for developing a Boardwide continuous monitoring program and a Boardwide risk management program. In addition, the Board is challenged to ensure that information systems and services provided by third-party providers, including the Federal Reserve Banks, meet the requirements of the Federal Information Security Management Act of 2002 (FISMA) and the Board's information security program. 

Continuous Monitoring of Information Security

Implementing Boardwide continuous monitoring of information security that complies with National Institute of Standards and Technology (NIST) requirements will pose challenges for the Board. NIST requires that agencies establish a continuous monitoring strategy and implement a continuous monitoring program that includes a configuration management process for the information system and its constituent components, a determination of the security impact of changes to the information system and its environment of operation, ongoing security control assessments in accordance with the organizational continuous monitoring strategy, and reporting of the security state of the information system to appropriate organizational officials. 

NIST Special Publication 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (SP 800-137), states that at the mission/business processes tier, the organization needs to establish the minimum frequency with which each security control or metric is to be assessed or monitored. Frequencies need to be established across all organizational systems and common controls. SP 800-137 states that the organization-wide information security continuous monitoring strategy and associated policy should be developed at the organizational tier, with general procedures for implementation at the mission or business tier. OIG reports have identified that the Board's Chief Information Officer has continued to make progress in implementing a continuous monitoring program; however, the Chief Information Officer should finalize policies and procedures, establish metrics, and define the frequency of monitoring. 

Agency Actions

The Board's Information Security Officer (ISO) outlined a strategic plan for the Board and has made progress in implementing NIST guidance. The initial plan for continuous monitoring was developed in 2011 and was updated in August 2012 to include additional continuous monitoring automation tools and to provide more detailed implementation status information. In August 2013, the ISO evolved the continuous monitoring strategy into an Information Security Continuous Monitoring Program document, which discusses three primary activities: continuous monitoring automation, manual processes, and key metrics. Lastly, the ISO developed a draft version of the continuous monitoring standard.

Risk Management

Implementing Boardwide risk management will pose challenges to the Board. Although the majority of the Board's computing environment is managed by the Division of IT, NIST requires that the risk management program be expanded to address and cover all aspects of the Board's computing environments within all divisions' missions and business processes. 

FISMA requires organizations to develop and implement an organization-wide information security program for the information and the information systems that support the operations and assets of the organization, including those provided or managed by another organization, a contractor, or another source. NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, expands the concept of risk management and covers a strategic-to-tactical organizational approach to risk management. NIST Special Publication 800-39, Managing Information Security Risk, states that it is imperative that leaders and managers at all levels understand their responsibilities and are held accountable for managing information security risk—that is, the risk associated with the operation and use of information systems that support the mission and business functions of their organizations. OIG reports have identified that the Board's Chief Information Officer has continued to make progress in implementing a risk management program; however, the program still needs to be implemented Boardwide. 

Agency Actions

The ISO developed the Risk Management Program and Risk Assessment Guide to enhance the original risk assessment framework initiative. 

Reliance on the Federal Reserve Banks and Third-Party Providers

The Board will be challenged to ensure that information systems and services provided by third-party providers, including systems supported by the Federal Reserve Banks while they transition to a NIST-based information security program, meet FISMA requirements. FISMA requires agencies to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, a contractor, or another source. The Board's information security program requires third parties, including Federal Reserve Banks, other agencies, and commercial providers, to use appropriate security controls to protect Board-provided information and services. The level of controls provided by third parties must be comparable to the controls provided for in NIST requirements. 

The Board is part of the Federal Reserve System and relies on some services provided through the Federal Reserve Banks; however, the Federal Reserve Banks are not bound by the requirements of FISMA. We have issued information security control review reports to the Board that identified services provided by third-party providers, including Federal Reserve Banks, that did not meet the Board's information security requirements.

Agency Actions

The Federal Reserve System is currently implementing NIST guidance as the strategic direction for the Federal Reserve Bank information security program. The information security program defines the rules, such as the security objectives and control requirements, and the risk management process that help the Federal Reserve System manage information security risk. 

The ISO performs onsite security reviews of Federal Reserve Bank systems that store or process Board data to ensure that the systems are meeting the requirements of the Board's information security program. The ISO has developed a security policy that applies to all third parties that collect or maintain Board information or those that operate or use information systems on behalf of the Board. The ISO also published an inventory guide that outlines how the Board accounts for all information assets and tracks the security compliance of all systems, including systems used or operated by third parties on behalf of the Board.  
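The two practical mechanics this challenge turns on are the ones SP 800-137 names in the Continuous Monitoring discussion above (a minimum assessment frequency set per control at the organization tier, applied across all systems and common controls, and a roll-up of security state for reporting) and the inventory-driven tracking of third-party and Reserve Bank systems described in the preceding paragraph. The following is an added illustration, not code from the report or from the Board's program: a small tracker that holds a constructed system inventory, per-control minimum frequencies, and assessment records, credits a common control assessed once to every system that inherits it, flags controls that are overdue or never assessed, and lists the third-party-operated systems that fall short. The system names, owners, control identifiers chosen, frequencies, dates, and the green/amber/red thresholds are all hypothetical; only the approach (frequency per control, inheritance of common controls, per-system reporting) follows the NIST guidance the report cites.

```python
"""Added example (hypothetical data): an ISCM assessment-frequency tracker.

Models three ideas from NIST SP 800-137 / SP 800-37 as the report describes them:
- a minimum assessment frequency per control, set once for the organization;
- common controls assessed once and inherited by many systems;
- a per-system security-state roll-up, with third-party-operated systems
  (e.g. a Reserve Bank hosting Board data) tracked in the same inventory.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class System:
    name: str                               # hypothetical system name
    owner: str                              # hypothetical owning unit
    third_party_operated: bool              # operated on the Board's behalf by another party
    inherited_common_controls: frozenset    # controls credited from a COMMON assessment


@dataclass(frozen=True)
class Assessment:
    control: str
    system: str                             # system name, or "COMMON" for a common control
    assessed_on: date


# Organization-tier minimum frequency per control, in days (constructed values).
MIN_FREQUENCY_DAYS = {
    "CM-8": 30,    # component inventory
    "RA-5": 30,    # vulnerability scanning
    "CA-2": 365,   # control assessment
    "PE-3": 365,   # physical access (typically a common control)
    "SA-9": 180,   # external information system services
}
RED_OVERDUE_DAYS = 90                       # threshold for "red" state (assumption)


def control_status(system: System, control: str,
                   assessments: list, today: date) -> tuple:
    """Return ("current", 0), ("overdue", days) or ("never assessed", None)."""
    relevant = [
        a for a in assessments
        if a.control == control and (
            a.system == system.name
            or (a.system == "COMMON" and control in system.inherited_common_controls))
    ]
    if not relevant:
        return ("never assessed", None)
    last = max(a.assessed_on for a in relevant)
    due = last + timedelta(days=MIN_FREQUENCY_DAYS[control])
    if today > due:
        return ("overdue", (today - due).days)
    return ("current", 0)


def security_state_report(systems: list, assessments: list, today: date) -> dict:
    """Per-system roll-up: state (green/amber/red) plus the non-current controls."""
    report = {}
    for s in systems:
        findings = []
        for control in MIN_FREQUENCY_DAYS:
            status, overdue = control_status(s, control, assessments, today)
            if status != "current":
                findings.append((control, status, overdue))
        red = any(st == "never assessed" or od > RED_OVERDUE_DAYS for _, st, od in findings)
        state = "red" if red else ("amber" if findings else "green")
        report[s.name] = {"state": state, "third_party": s.third_party_operated,
                          "findings": findings}
    return report


def third_party_exceptions(report: dict) -> list:
    """Names of third-party-operated systems whose state is not green."""
    return sorted(n for n, r in report.items() if r["third_party"] and r["state"] != "green")


# Constructed inventory and assessment records (not real Board systems or dates).
REPORT_DATE = date(2014, 9, 30)
SYSTEMS = [
    System("BoardPayrollApp", "Division of IT", False, frozenset({"PE-3"})),
    System("RBHostedSupervisoryData", "Reserve Bank (hypothetical)", True, frozenset()),
    System("EconResearchCluster", "Research (hypothetical)", False, frozenset({"PE-3"})),
]
ASSESSMENTS = [
    Assessment("PE-3", "COMMON", date(2014, 3, 1)),
    Assessment("CM-8", "BoardPayrollApp", date(2014, 9, 15)),
    Assessment("RA-5", "BoardPayrollApp", date(2014, 9, 20)),
    Assessment("CA-2", "BoardPayrollApp", date(2014, 1, 10)),
    Assessment("SA-9", "BoardPayrollApp", date(2014, 5, 1)),
    Assessment("CM-8", "RBHostedSupervisoryData", date(2014, 6, 1)),
    Assessment("RA-5", "RBHostedSupervisoryData", date(2014, 8, 15)),
    Assessment("CA-2", "RBHostedSupervisoryData", date(2013, 12, 1)),
    Assessment("PE-3", "RBHostedSupervisoryData", date(2014, 2, 1)),
    Assessment("SA-9", "RBHostedSupervisoryData", date(2014, 4, 1)),
    Assessment("CM-8", "EconResearchCluster", date(2014, 9, 1)),
    Assessment("RA-5", "EconResearchCluster", date(2014, 8, 20)),
    Assessment("CA-2", "EconResearchCluster", date(2014, 6, 1)),
    Assessment("SA-9", "EconResearchCluster", date(2014, 7, 1)),
]

if __name__ == "__main__":
    rep = security_state_report(SYSTEMS, ASSESSMENTS, REPORT_DATE)
    for name, r in rep.items():
        print(name, r["state"], r["findings"])
    print("third-party exceptions:", third_party_exceptions(rep))
```

With the constructed data, the Board-operated payroll system is green, the research cluster is amber (one vulnerability scan eleven days past its 30-day minimum), and the Reserve-Bank-hosted system is red because its component inventory is 91 days overdue; that last system is the one a third-party exception list would surface for the ISO's onsite review. The point of keeping frequencies in one organization-level table, as SP 800-137 directs, is that the frequency cannot silently differ between a division-managed system and a third-party one.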

Board Management Challenges: Crosswalk to Ongoing and Planned OIG Work

Management Challenge 1: Continuing to Implement a Financial Stability Regulatory and Supervisory Framework

Ongoing work

  • Evaluation of the Federal Reserve's Supervisory Activities Related to the Loss at JPMorgan Chase & Co.'s Chief Investment Office
  • Evaluation of the Division of Banking Supervision and Regulation's Model Risk Management Practices for Models Used in Support of the Annual Comprehensive Capital Analysis and Review
Planned work for 2014
  • Audit of the Board's Process for Supervisory Assessments of Large Bank Holding Companies and Savings and Loan Holding Companies
  • Evaluation of the Board's Continuous Monitoring Supervisory Tool
  • Evaluation of Systemically Important Financial Institutions Supervision Teams: Preserving and Transferring Institutional Knowledge Within and Between Supervisory Teams
  • Audit of the Board's C-SCAPE Project
Management Challenge 2: Human Capital
Ongoing work
  • Audit of the Board's Diversity and Inclusion Processes
Planned work for 2014
  • Evaluation of Systemically Important Financial Institutions Supervision Teams: Preserving and Transferring Institutional Knowledge Within and Between Supervisory Teams
Management Challenge 3: Board Governance
Ongoing work
  • None
Planned work for 2014
  • Audit of the Board's Data Governance
  • Audit of the Board's Strategic Plan Implementation and Governance
Management Challenge 4: Capital Improvement Projects
Ongoing work
  • Audit of the Board's Data Center Relocation--Phase 2
Planned work for 2014
  • Follow-Up on Martin Building Audit
Management Challenge 5: Information Security
Ongoing work
  • 2014 Audit of the Board's Information Security Program
  • Audit of the Board's STAR Modernization Project
  • Audit of the Board's Information Technology Contingency Planning and Continuity of Operations Program
  • Security Control Review of the C-SCAPE System
  • Audit of the Information System Security Life Cycle Process
Planned work for 2014
  • Board Security Control Reviews
  • Vulnerability Scanning

Source: Office of Inspector General, Work Plan, updated September 5, 2014. The OIG's current Work Plan is available at http://oig.federalreserve.gov/reports/work-plan.htm.
