Exam Prep Should Start With the Controls You Still Call Temporary
A practical weekly article for community bank and credit union boards and senior leaders on using exam prep and risk committee review to surface temporary controls, compensating...
Tuesday at 3:40 p.m., two weeks before the exam, is a bad time to discover nobody owns the list.
The list I mean is not the polished one in the board packet. Not the policy inventory. Not the audit tracker with all the nice status colors.
The manually approved access exceptions that were supposed to last 30 days. The spreadsheet reconciliation that started during a vendor issue and never really left. The branch workaround that lets account opening keep moving when identity verification gets temperamental.
Every community bank and credit union has a few of these. Sometimes they are reasonable. Sometimes they are the only practical way to keep serving customers and members while a system gets fixed or stabilized.
The problem is not that temporary controls exist. The problem is that institutions stop treating them like temporary.
Then exam prep starts, management asks for evidence, and the room realizes a workaround has quietly become part of the operating model without clear ownership, expiration, or board visibility.
That should not be an exam-season surprise. It should be a standing governance conversation before the packet goes to the risk committee.
Temporary controls are not harmless just because they feel familiar
Most institutions do not wake up and decide to build a shadow operating model. They back into one.
A vendor release introduces noise into an alerting workflow. A team adds a manual review step "for now."
A merger integration leaves two systems misaligned longer than planned. Someone creates a daily reconciliation to bridge the gap.
A new digital feature goes live, but exception handling is still clunky. Frontline staff learn the unofficial save-the-day sequence and keep the process moving.
That is how temporary becomes cultural. Not through negligence. Through repetition.
And once repetition sets in, the institution starts lying to itself a little.
People say the control is understood, the workaround is stable, and the process is documented. Maybe. But that is not the same as governing it.
In a community institution, anything that depends on a few experienced employees, a side spreadsheet, a manual approval trail, or a vague memory of why the workaround started is not really under control. It is being carried.
That matters in an exam because regulators are not just evaluating whether the institution had good intentions. They are evaluating whether management knows where operational risk actually lives.
The exam packet usually overstates policy discipline and understates exception drift
I have seen plenty of pre-exam routines. Management wants the policy set clean. Internal audit wants evidence organized. Technology wants open issues framed carefully. Compliance wants consistency between what the institution says and what it can prove.
All reasonable.
But the most important pre-exam question is often much simpler:
Which "temporary" controls are still doing real work in the business?
That question gets to the part of governance that is hardest to fake.
If the institution cannot quickly produce a current register of compensating controls, manual overrides, temporary access arrangements, exception-based monitoring steps, and unresolved process bridges, then leadership is preparing for an exam with a partial map.
Directors should care because exam pain rarely starts with one dramatic failure. It starts when the examiner asks a plain question and gets three different answers from operations, compliance, and IT.
What is this control covering for? Who approved it? When does it expire? What would break if you removed it next Monday? How is the residual risk reported upward?
If those answers are fuzzy, the issue is not documentation. It is governance drift.
Example one: Patelco showed how temporary operating modes can linger after the incident bridge ends
Patelco Credit Union's 2024 ransomware disruption is a useful reminder for this conversation. Public reporting described prolonged member-facing service disruption, limited online access, and extended recovery work after the initial attack response. That is what community institutions should notice. Not just the breach. The operating residue.
When systems are impaired for days or weeks, institutions introduce temporary servicing patterns, manual decision steps, deferred reconciliations, and communication workarounds to keep people moving. Some of those steps are necessary. But once the immediate crisis passes, somebody has to decide which controls get retired, which need to be formalized, and which exposed a deeper weakness in the operating model.
If that review does not happen, the institution carries post-incident debt into the next exam cycle.
Example two: the Synapse and Evolve mess showed what happens when control evidence gets murky
The fallout tied to Synapse's 2024 bankruptcy and the downstream dispute over ledger and reconciliation records is a different kind of lesson, but an important one. When account records, settlement responsibility, and exception handling become hard to trace across multiple parties, "we thought that process was covered" stops sounding reassuring very quickly.
Community institutions do not need to run a banking-as-a-service model to learn from that mess. The broader lesson is that temporary bridges between systems, parties, and evidence trails become dangerous when nobody can show which record is authoritative, who reviews the exceptions, and how long the institution intended to live in that in-between state.
That is exactly the sort of ambiguity a risk committee should force into plain English before the next exam-prep packet is approved.
What I would want in the packet before the exam-prep review
If I were sitting with a CEO, CIO, CISO, COO, or board risk committee ahead of an exam, I would want one uncomfortable page that many institutions still do not produce consistently.
1. A current temporary-controls register
Not a vague mention in a meeting. A real register.
List the compensating controls, manual review steps, temporary access exceptions, spreadsheet-based reconciliations, and operational bridges still active today. Name the business process each one supports.
2. An owner and expiration date for each item
"Operations" is not an owner. "IT" is not an owner. Name the person accountable for either retiring the control, redesigning the process, or bringing the residual risk forward for acceptance.
And if an item has no realistic expiration date, stop calling it temporary. Promote it into formal governance and treat it like the operating dependency it already is.
3. The trigger that would make the board care
Not every workaround belongs in a board packet. But if a temporary control affects member service, fraud exposure, payment timing, privileged access, financial reporting, vendor dependency, or exam-facing evidence, the board or risk committee should know what threshold turns it from a management detail into a governance issue.
4. The labor and concentration risk behind the workaround
How many people know how the workaround really functions? How often does it run? What happens if the one person who understands the weird step is on vacation, leaves, or gets pulled into an incident?
Community institutions do not have deep benches for hidden operational craftwork. If the workaround depends on heroics, that belongs in the discussion.
5. The cleanup plan after the exam
One of the oldest mistakes in financial services is treating the exam like the finish line. It is not.
If leadership cannot say what gets retired, redesigned, automated, or escalated after the exam window closes, then exam prep has turned into cosmetics. That is expensive. It teaches the organization to preserve the appearance of control instead of improving the control environment itself.
This is really a board and executive honesty test
The best exam prep I have seen is blunt. Here are the controls we added because reality got messy. Here is why they still exist. Here is the risk they carry. Here is who owns the cleanup. Here is what the board should watch.
That kind of honesty gives examiners less room to discover a surprise that management should have already named. It also gives the board a much better line of sight into whether the institution is operating on designed controls or accumulated improvisation.
That distinction matters.
A community bank or credit union can survive plenty of imperfections. What it cannot afford is confusion about which imperfections are temporary, which are strategic, and which have already become part of daily operations without anybody admitting it.
Before the next exam-prep packet goes out, do not start with the policy binders.
Start with the controls you still call temporary.
Discussion questions
1. Which temporary control in your institution has been around long enough that it should either be retired or formally governed? 2. Where would an examiner find the biggest gap between the process described in the packet and the process employees actually use? 3. What workaround would become a board issue immediately if the one person carrying it were unavailable next week?
Sources
- FFIEC IT Examination Handbook, Architecture, Infrastructure, and Operations booklet
- Reuters coverage of Patelco Credit Union's 2024 ransomware disruption and recovery
- Reuters and court reporting on the 2024 Synapse bankruptcy fallout and reconciliation disputes