The Technology Risk Manager's OCC Heightened Standards Playbook

$199.00

A focused course, tailored for you

Turn the technology risk taxonomy, control testing evidence and third-party concentration view into a single OCC-ready package.

The heightened standards self-assessment asks one question your evidence layer cannot answer in a single query: which IT general controls cover which third-party tier-one services, and which of those controls were retested this quarter with a passing result.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Technology risk at a large US bank lives at the join of four registers. The control inventory in the GRC tool. The third-party register in vendor risk. The model inventory under SR 11-7. The quarterly RCSA testing log in the first line. The OCC examiner does not care that each register is healthy on its own. The examiner asks for the joined view: this third-party tier-one service is covered by these IT general controls, those controls were tested this quarter, here are the exceptions, here is the remediation owner, here is the residual concentration risk. Most banks stitch that view by hand the week the request lands. The technology risk manager spends Sunday in the binder. The second line signs reluctantly. The examiner accepts it and the next cycle starts from the same blank page. The fix is not another GRC tool. The fix is a control evidence layer that joins the registers once, refreshes on the RCSA cadence, and lets the technology risk manager hand the examiner a queryable view instead of a stitched binder.

What you walk away with

  • Author a single joined evidence view that maps IT general controls to third-party tier-one services and to SR 11-7 model dependencies.
  • Close the quarterly RCSA in three working days instead of three weeks by replacing manual stitching with a queryable layer.
  • Hand the OCC examiner a heightened standards self-assessment that the first line signs without rework and the second line signs without footnotes.
  • Brief the Audit Committee on cloud concentration with a single chart that names the workloads, the controls, and the residual risk in plain terms.
  • Sit the next examination with the binder built once and refreshed on cadence, not stitched the Sunday before.

The 12 modules

Module 1. The four-register problem and the join you actually need
Walk the four registers a technology risk manager at a heightened standards bank owns or oversees: the control inventory, the third-party tier-one register, the SR 11-7 model inventory, and the quarterly RCSA testing log. Name where each register is authoritative, where each is duplicate, and where the join lives today. The module ends with the one-page join schema the rest of the course builds against.
Module 2. Reading the heightened standards self-assessment as an evidence request
Re-read the OCC heightened standards guidelines as a structured evidence request rather than a policy statement. Each subsection maps to a query your evidence layer either answers or does not. Build the question list the examiner is actually asking, the evidence artefact that answers each, and the owner of each artefact across first and second line. Output is a self-assessment evidence map that drives the rest of your remediation plan.
Module 3. Technology risk taxonomy that survives examination scrutiny
Audit your existing technology risk taxonomy against the FFIEC IT examination booklets and the categories the OCC actually uses in heightened standards conversations. Identify the categories where your taxonomy is thinner than the examiner expects, the categories that are redundant with operational risk, and the categories that need a controlled vocabulary rather than free text. Output is a taxonomy version note and a migration plan for the GRC tool.
Module 4. IT general controls inventory that maps to evidence, not policy
Walk the IT general controls inventory line by line and tag each control with the evidence artefact a tester actually pulls. Logical access controls map to entitlement reviews and SoD reports. Change management controls map to deployment logs and approver evidence. Backup controls map to restore test results. The output is a control-to-evidence map that the first line owns and the second line trusts.
Module 5. Third-party tier-one register joined to control coverage
Take the third-party tier-one register and join it to the IT general controls that cover each service. Name the controls that are bank-owned, the controls that are vendor-owned, and the controls that are shared with a contractual evidence cadence. Build the concentration view that names which services run on which hyperscaler and which controls are common across them. Output is the third-party control coverage view the examiner asks for in heightened standards conversations.
Module 6. Cloud concentration view for the Audit Committee
Translate the technical cloud concentration register into a one-chart Audit Committee briefing. Name the workloads by business line, the share of customer-facing volume on each hyperscaler, the controls that mitigate concentration, and the residual risk in plain language. The module includes the briefing template the second line uses to walk the chart and the question list directors typically ask.
Module 7. SR 11-7 model inventory through a technology risk lens
Most technology risk managers treat SR 11-7 as a model risk concern owned by quant. The OCC increasingly reads it through a technology risk lens: which models run on which platforms, which platforms have which IT general controls, which control exceptions have model risk implications. Build the SR 11-7 to IT general control crosswalk that lets the second line answer the technology risk question in a model risk conversation.
Module 8. RCSA quarterly close that does not eat the second line
Re-design the quarterly RCSA close from a manual stitching exercise into a queryable cadence. Name the data the first line produces, the join the second line owns, the exception triage rules, the residual risk scoring inputs, and the signoff path. The module includes the close calendar, the role-by-role checklist, and the three-day target close that replaces a three-week close.
Module 9. Control testing evidence layer that an examiner can query
Build the control testing evidence layer end to end. Where the test results live, how the join to the control inventory works, how the exception register feeds remediation tracking, how testing cadence is enforced, and how the evidence is exposed to internal audit and to the examiner. The output is the queryable layer that replaces the stitched binder, including the queries the examiner most often runs.
Module 10. Examination prep without the Sunday binder
Walk the examination cycle from the entry letter through the exit meeting. Name the artefacts the examiner asks for first, the artefacts the examiner asks for once the first batch lands, and the artefacts the examiner asks for only if something looks thin. Build the standing request response pack that runs from the evidence layer rather than from a Sunday stitch, including the response template and the version control discipline.
Module 11. Issue and remediation tracking the second line actually trusts
Re-design the issue tracker so the second line trusts it without re-walking the evidence. Name the issue intake schema, the severity scoring inputs, the remediation owner assignment rules, the milestone evidence the second line accepts, and the closure signoff path. The output is a tracker the second line signs and the examiner reads as evidence of a managed control environment, not a queue of open findings.
Module 12. Operating the layer through one full cycle
Walk the technology risk manager through one full operating cycle: quarterly RCSA close, mid-cycle examination request, Audit Committee briefing, and annual heightened standards self-assessment. Name the artefacts produced at each step, the role of the first line, the role of the second line, and the role of internal audit. The output is the operating runbook the technology risk function uses to retire the Sunday binder for good.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

The OCC examination entry letter has landed and the heightened standards evidence pack is due in three weeks: modules 2, 9, 10.
The Audit Committee has asked for a cloud concentration briefing this quarter: modules 5, 6, 11.
The quarterly RCSA close is consistently taking three weeks and the second line is signing reluctantly: modules 4, 8, 9, 11.
A new Chief Technology Risk Officer is reviewing the technology risk taxonomy and asking why it does not align to FFIEC categories: modules 1, 3, 7.

What you get with this course

  • Twelve written modules sized for a technology risk manager at a heightened standards bank.
  • Downloadable templates: the four-register join schema, the heightened standards self-assessment evidence map, the third-party control coverage view, the cloud concentration briefing chart, the RCSA quarterly close calendar, the control testing evidence layer query catalogue.
  • Worked examples that walk through a representative bank's control inventory, third-party register, model inventory and RCSA log.
  • The hand-built implementation playbook tailored to the buyer's control count, third-party tier-one count, and next examination window.
  • Thirty-day money-back guarantee.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours: account in the Art of Service learning environment plus the hand-built implementation playbook sized to the buyer's bank.

Module 1 onwards: self-paced through the twelve written modules, with downloadable templates at each step.

End of module 9: the joined evidence layer schema is drafted and ready to walk past the first line.

End of module 12: the operating runbook is in place and the next examination cycle runs from the layer, not the binder.

Before and after

Before

Four registers, four owners, a Sunday stitch the week the examiner asks, an Audit Committee chart re-drawn from scratch each quarter, an RCSA close that eats three weeks and a self-assessment the second line signs with footnotes.

After

One joined evidence layer that the technology risk manager queries on the cadence the second line trusts, an RCSA close inside three working days, a heightened standards self-assessment the first line signs without rework, and an examination request response pack that runs from the layer rather than from a binder.

What happens if you do not address this

The next OCC examination cycle starts from the same blank page. The technology risk manager spends a third of the year on stitching that should take a cadence. The Audit Committee gets a concentration chart that has to be re-explained each quarter. And the heightened standards self-assessment carries footnotes the second line knows the examiner will eventually circle back on. None of that is a control failure on its own. All of it together is the shape of a technology risk function the examiner is starting to read as immature.

Who it is for

Technology Risk Manager (or Senior Manager, VP, or Director of Technology Risk) at a large US bank or bank holding company subject to OCC heightened standards. Sits in the second line of defence. Owns the technology risk taxonomy, IT general control testing oversight, third-party technology concentration view, and the technology risk view of SR 11-7 model risk. Reports into a Chief Technology Risk Officer or CRO. Spends a meaningful share of the year on examination prep, RCSA quarterly close, and Audit Committee technology risk briefings.

Who this is NOT for. Not for first-line IT control owners who execute the controls. Not for internal audit. Not for technology risk at a community bank below the heightened standards threshold. Not for cyber risk specialists whose work is upstream of the technology risk taxonomy. The course assumes you already own a taxonomy and a register and the problem is the join, not the build.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. About thirty to forty hours across the twelve modules. Most technology risk managers take it over six to eight weeks, fitting it around the quarterly RCSA cycle.

Why $199 is the right number

A GRC tool migration costs six figures and eighteen months and does not solve the join problem. A Big Four advisory engagement on heightened standards readiness costs more and leaves you with a binder rather than an operating layer. Free OCC and FFIEC guidance tells you what the examiner wants and does not tell you how to build the evidence layer that delivers it. This course delivers the operating playbook and the templates at a price the technology risk manager can authorise without a steering committee.

FAQ

Is this a course on the heightened standards rule itself?
No. The OCC heightened standards guidelines are public. This is the operating layer that lets a technology risk manager answer the heightened standards self-assessment from a queryable evidence view rather than a stitched binder.
Do we need a specific GRC tool to use the templates?
No. The templates are tool-agnostic and have been mapped against the common GRC platforms a US bank typically runs. The implementation playbook names the joins that have to happen regardless of tool.
How tailored is the implementation playbook?
Sized to the buyer's IT general control count, third-party tier-one count, RCSA cadence and next examination window. Hand-built per buyer, delivered alongside the learning environment account.
Can the first line use this too?
Yes. Modules 4, 5 and 9 are written so the first line can walk them with the second line. The RCSA close in module 8 is explicitly a joint operating cadence.
What if our bank is not under heightened standards?
The course is built for the heightened standards bracket. Banks below that threshold get value from modules 1, 3, 4 and 8, but the SR 11-7 and concentration modules are tuned for the larger bank context.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.