Plan for Your Institution’s Strategic Growth
May 19, 2016
Our Discussion Topics
1. Why Strategic Planning
2. A Process That Works
3. Walking Through That Process
4. Minimizing Execution Risk
Converting Opportunities to Performance
Strategic Options
External Factors
Changes emerging in the external environment
Internal Factors
Capabilities to execute the strategy
Strategic Options: What is the best path to long-term value?
Growth
Long Term Value
Organic
Acquired
Customer Base
Share of wallet
Profits
Geographic footprint
New customers
New or better products
Product Mix
Efficiency
Invest to Innovate
Invest to reduce costs
Strategic Planning Components
Components and descriptions:
• Customers and Markets Understood: Has done a critical, data-driven evaluation of marketplace opportunities and needs
• Internal Capabilities Understood: Has done a critical, data-driven evaluation of internal capabilities
• Effective Linkages: Effectively links operating and capital budgets to strategy; strategic objectives with performance evaluation and rewards
• Progress is Known, Tangible: Has strong mechanism for monitoring results on strategic initiatives; actual performance versus expectations
• Agreed Upon, Shared Vision: Has done an effective job of involving key stakeholders (owners, directors, leadership, senior management)
• Clearly Communicated Future Direction: Strategy statement/document clearly delineates the future path and performance objectives; strategic initiatives to get there
A Process That Works
Structured, logical path to build a well-thought out and agreed upon strategy
Focus the organization on a course of action to achieve its objectives
1. Establish a Common Fact Base: Compile comprehensive information for planning sessions
2. Conduct Planning Sessions: Discuss performance, strategic options; drive to common understanding
3. Develop the Strategy: Agree and communicate the strategy, objectives, and road map
4. Execute the Strategy: Link to operating and capital budgets; management objectives, compensation
Simple Question Set
1. Where are we now?
2. Where do we want to be?
3. How do we get there?
4. How do we measure our progress?
1 Changes Emerging in External Environment
External Factors Analysis
• Economy: Prosperity trends, lackluster GDP growth trends, monetary policy, interest rates, capital market directional trends
• Political, Regulatory: National elections and business orientation, regulatory compliance and rising cost
• Technology: Internet of things, delivery channel evolution or revolution, cybersecurity − threats to information assets
• Customers: Emerging segments; changing preferences, habits, and attributes; brand loyalty
• Industry: Margin compression, increased capital requirements, lower returns to owners, acquire or be acquired
• Competition: Saturated markets, scale and cost advantages, new entrants
The ability of an organization to sense the changes emerging in its external environment and to develop decisions and actions to mitigate risks and take advantage of opportunities – and doing this better than the competition
1 Business Segment Assessment
Fact base established at business segment level
Operating Model
• What are our major opportunities to improve operational performance?
Internal Capabilities
• What are the internal strengths and weaknesses of the business – people, process, and technology?
• How do they help or constrain the business?
Opportunities & Strategy
• What customer segments, products, and markets offer the greatest potential?
• What is the strategy to most profitably serve those customer segments and markets?
Competitive Position
• Who are the competitors?
• What is the basis of competition?
• How do we perform versus those companies?
2 Evaluating Opportunities and Options
Matching marketplace opportunities and core competencies by business segment, overall
Integration
Strategy
Delivery Network
Operating Model
Core Competencies
Competitive Analysis
Products
Customer Segments
Marketplace
Market Opportunities
• Ask tough, but necessary questions
• Agree on business opportunities and core capabilities
• Ask tough, but necessary questions
• Agree on what not to do, as well as do
3 Strategy − Focus on Course of Action to Achieve Goals
Plan should capture and summarize
• Strategy statement
• Characterizes the products-to-target markets and segments, channels to reach those targets; specifies explicit profit and performance objectives; states distinguishing operational philosophies
• Assumptions under which the plan was prepared
• Financial projections
• Desired future state
• Primary Strategic Initiatives to reach that desired future state
• Accountability, action steps and timelines, specific milestones, success clearly defined
Citizens Business Bank (CBB)
The segment: small to middle size businesses, de novo in 1975
3 Top Performers Convert Opportunities Better Than Others
Source: Winning Strategies in Community Banking, Project Excellence, 1998 KPMG Peat Marwick LLP
Winning Strategies in Community Banking (KPMG 1998)
• Top Performing Community Bank − $1.3 billion in assets
• Clear vision of strategy and market from beginning. Business and professional market is where CBB can make the difference and have the greatest competitive advantage.
• CBB put in place a customer-focused sales driven strategy with unparalleled customer service as a cornerstone. Sales is a top priority. “If you are good at sales, then good business will come to you,” per CEO D. Linn Wiley.
“Wiley believes strongly that today’s banking market demands a commitment to rigorous ‘professional management.’ He asserts, ‘We are a planning oriented company.’ The bank goes through an annual planning process in November formulating specific goals and plans for the coming year. Wiley then puts in place the structure and people to support the plan.”
Citizens Business Bank
155 Consecutive Quarters of Profitability, 105 of Paying Cash Dividends (2015)
3 Top Performers Convert Opportunities Better Than Others continued
Source: CVB Financial Corp. Annual Report 2015; 4th Quarter Analyst Briefing
“Our team has worked hard to execute the long-term strategy of our bank which is to build and maintain relationships with the best small to middle size businesses and their owners in our geographic marketplace.”
- Chris Myers, CEO
4th Quarter 2015, Analyst Briefing
The Best Bank in America (Forbes 2015)
• Top 5 Bank (Bank Director Magazine), SNL Top 100 $1 to $10B − $7.7 billion in assets
• Vision…Become premier financial services company...serving the comprehensive financial needs of successful small to medium-sized businesses and their owners.
• Mission…Achieve superior financial performance and rank in the top 10 percent of financial institutions in the nation in ROE and ROA…Will be achieved by delivering the finest in financial products and services through relationship banking commitments with businesses and professionals…
4 Minimizing Execution Risk
Five Acts of Unconventional Leadership
1. Commit to an identity: Differentiate and grow by being clear-minded about what you can do best
2. Translate the strategic into every day: Build and connect the cross-functional capabilities that deliver your strategic intent
3. Put your culture to work: Celebrate and leverage your cultural strengths
4. Cut costs to grow stronger: Prune what doesn’t matter to invest more in what does
5. Shape your future: Reimagine your capabilities, create demand, and realign your industry on your own terms
Source: How Winning Companies Close the Strategy-to-Execution Gap, Paul Leinwand and Cesare Mainardi, 2016 Harvard Business School Publishing
• Have the right people on board
• Have a clear strategy and path to execution
• Be agile in adapting to changing external factors, market circumstances
• Be very disciplined in plan development and execution
4 Minimizing Execution Risk continued
• Planning Process: “There needs to be a great deal of intentional discipline – a standard process that is predictable and executed every year.
– February – Executive management team looks out a couple of years; invite experts of various types to participate in dialog
– May – Have extended meeting with board to look forward; discuss performance
– July – Update the strategy; offsite with board and executive management team
– September – Updated strategy reflected in the budgets
– Monthly and quarterly – Assess how well we are doing.”
• Strategy Execution: “Key to execution is accountability.
– Overall linkage is essential – strategic goals budget goals individual goals/incentive plans
– Tie compensation to strategy. Some goals/aspects are easy since it’s meeting the numbers; some are more difficult to establish because they are more intangible – but they all need to be linked together.”
Source: Interview with CEO, Diversified Financial Services Company (Banking and Specialty Finance), 2016
Closing Comments
• It is essential that:
– Leadership has confidence in the strategy
– The strategy is understood across the bank
– The strategy can be or is being executed.
• Anything less makes dealing with headwinds extremely difficult.
• Q&A
With today’s external regulatory and competitive pressures and uncertain economic environment, building franchise value requires a well-thought out and agreed upon strategy.
Bill Walton, Partner
DHG Financial
D 404.575.8902
Suzanne Donner, Director
DHG Financial
D 404.681.8224
Cybersecurity Update
Rodney Murray, Principal
IT Advisory
Why are we talking Cyber? The Numbers
• 4 trillion
• 5%
• 4 minutes
• 100%
Agenda
• Brief Look at Data Breach Stats
• Data Breach Causes and Results
• Security Incidents – Common Scenarios
• How can we prepare?
Data Breach Stats
Recent Statistics
[Bar chart by year: 2009: 728; 2010: 829; 2011: 1099; 2012: 1662; 2013: 1531; 2014: 1264]
Source: http://datalossdb.org/statistics
Recent Statistics
Top 5 Sectors Breached by Number of Incidents
• Financial: 6%
• Govt. & Public Sector: 8%
• Education: 10%
• Retail: 11%
• Healthcare: 37%
Source: 2015 Symantec Internet Threat Report
Recent Statistics
Breach Cost Per Capita 2014
• Industrial: $155
• Retail: $165
• Communications: $179
• Financial: $215
• Pharmaceuticals: $220
• Education: $300
• Health: $363
Source: Ponemon Institute 2015 Cost of Data Breach Study
Recent Statistics
Average Time to Identify a Breach
206 days
Source: 2015 Verizon Data Breach Report
Ransomware
113%
Recent Statistics
Breach Root Causes 2015
[Pie chart. Categories: Malicious or Criminal Attack; System Glitch; Human Error. Values shown: 47%, 24%, 29%]
Source: Ponemon Institute 2015 Cost of Data Breach Study
Recent Statistics
• Cyber Espionage: 11%
• Hacktivism: 22%
• Cyber Crime: 67%
Source: Hackmageddon.com
Recent Statistics
Source: http://datalossdb.org/statistics
Recent Known Breaches
Kardashian website
- Web application code deficiency
- 663,270 names and email addresses
Excellus Blue Cross Blue Shield - NY
- May have started 2 years ago
- 10 million records (names, DOB, SSN, credit cards)
University of Virginia
- Hack originating from China
www.privacyrights.org
Recent Known Breaches
Ashley Madison
- Hack originating from China but possible inside job
- 37 million records (including names posted online)
UCLA Health System
- Did not take “basic” steps to encrypt data
- 4.5 million records (names, DOB, SS#, credit cards)
Office of Personnel Management – D.C.
- 21.5 million social security numbers
Social Engineering
Attention User:
Your email quota is almost exceeded. Starting from December 8th, we are migrating to new email interface. So we are currently doing maintenance on our server. Please visit page below to update your account and avoid losing your inbox. http://xxxxxxxxxxxx.com/data/allow.html
Thank you.
Technical Team
Top 5 Assessment Findings - Technical
Internet Service Provider connections
Outdated security patches
Voice over IP (telephone) lack of encryption
Weak and default passwords
Weak secondary device configurations
Top 5 Assessment Findings - Social
Weak physical site controls
Response to phishing email
- Provide logon credentials
- Click on a bad link or attachment
Response to vishing (accounting departments)
Response to fake website
Social Engineering - Physical Site Scenario
- Printer vendor who is taking over toner cartridge supplies needs an inventory – behind teller line
- General contracting company who won the bid to fix anything visible to the public – got access to bank vault
- From AT&T looking at access issues
- Fake letter if challenged
Social Engineering – Vishing Scenarios
- Known third party lender inquiring of the Accounting department for missing wire
- Fictitious company starting a grant program, has “had discussions with the CFO” and needing a last minute wire transfer
- Utility company on behalf of their customer regarding an “overdrafted account”
- Third party IT support vendor
Security Incident vs Data Breach
Perception is Important
– People use “breach” too frequently
– You don’t want your customers or regulators to think you are subject to numerous breaches
– “Breach” suggests something bad happened or is going to happen
– “Breach” has legal significance
• Incident Response Team should use “Security Incident” not “Breach” on internal communications
Security Incidents – Common Scenarios
Typical Security Incident Scenario
“Houston we have a problem …”
• Ransomware message
• Malware incident that escalates
• Network performance
• Increase in suspicious emails
• Notification from employees’ banks of suspicious account login activity
Typical Security Incident Scenario
“Time for action …”
• Performs initial analysis and triage
• Notifies IT service providers
• Determines assistance is needed, scrambles to find an outside security specialist
“Tick, tock, tick, tock …” or “$, $, $, $...”
Unanticipated Costs
• Investigation Costs
• Regulatory / Industry Fines or Penalties
• Remediation / Infrastructure Change Costs
• Mandatory Notification to Customers
• Brand Damage
How Can We Prepare?
Question – If someone was trying to breach your systems today …
WHO WOULD BE THE FIRST TO NOTICE IT?
Reducing risk will require investment …
• Skillsets / resources
• Software / hardware solutions
• Third party relationships for monitoring
• User Awareness
How Can We Prepare?
Assign Responsibility for Data Protection
• CISO, CPO, CRO
• Responsible for overseeing ongoing data protection program
• Must Maintain Awareness of New Technologies and Their Risks
How Can We Prepare?
IT Risk Management
• Management should understand what data they process and store
• IT threats should be considered as part of the organizational risk management process
• Consider mitigation, transfer, or elimination of risks
How Can We Prepare?
Strong Vendor Management Program
• Include Security as Part of Vendor Evaluation Procedures
• Conduct Ongoing Evaluation of Vendor Relationship
• Disgruntled Employees
• Remember Target’s Scenario
How Can We Prepare?
Strong Incident Response Program
“Not if, but when …”
• Roles and Responsibilities
• Who owns the program?
• Include PR and Legal Counsel as Part of Response Team
• Ensure forensic skillset is available
• Continued regulatory focus
FFIEC Cybersecurity Assessment Tool (CAT)
• New guidance finalized earlier this year
– www.ffiec.gov/cyberassessmenttool.htm
• “Repeatable and Measurable”
• Incorporates principles from the FFIEC IT Examination Handbook
• Two Parts:
1. Inherent Risk Profile
2. Cybersecurity Maturity
FFIEC CAT – Role of Management & Board
• Develop the plan to conduct the Assessment
• Define the target state of cybersecurity preparedness
• Oversee performance of monitoring and risk mitigation
• Oversee changes to maintain or enhance targeted state of preparedness
FFIEC CAT – 2. Cybersecurity Maturity
Innovative
Advanced
Intermediate
Evolving
Baseline
• 5 maturity levels are based upon sophistication, design, and effectiveness of controls
• Critical controls include detective, preventative, and responsive