Vendor Risk: Effective Management is Essential
Transcript of Vendor Risk: Effective Management is Essential
Michael Masterson, Vice President, Union Bank, Vendor Risk Administration
Agenda
Importance of Properly Managing the Risks
Components of a well-structured vendor risk management process
Decentralized to Centralized/Center-Led
Tools and Resources
Importance of Properly Managing the Risks
You can’t pass the responsibility for managing activities in a safe and sound manner and in compliance with all applicable laws and regulations on to the vendor.
Decreased direct control requires intensified oversight.
The bar has been raised: Unfair, Deceptive or Abusive Acts and Practices (UDAAP), CFPB.
Familiar risks… with a twist
Strategic/Operational Risk
Ill-advised business decisions
Products/services that do not help achieve strategic goals
Return vs. cost and risk
Integrating the internal processes of other organizations with the financial institution’s processes can increase the overall operational complexity.
Reputation Risk
Poor service = dissatisfied customers
Negative publicity involving the vendor
Compliance Risk
Violation of laws, rules, or regulations
Nonconformance with internal policies and procedures or ethical standards
Increased when the vendor maintains or has access to non-public information
Transaction Risk
Product delivery errors or failure
Inadequate security controls
Inadequate business resumption and contingency planning
Credit Risk
Risk to earnings or capital if vendor does not perform or have the financial capacity to fulfill its obligations
Other Risks
The types of risk introduced by an institution's decision to use a third party cannot be fully assessed without a complete understanding of the resulting arrangement. Therefore, a comprehensive list of potential risks that could be associated with a third-party relationship is not possible.
Country Risk
Economic, social, and political conditions and events
Components of a well-structured vendor risk management process
Risk Assessment and Strategic Planning
Integration with overall strategic objectives
Internal expertise to oversee and manage the activity
Cost/benefit relationship
Customer expectations with respect to joint marketing and franchising activities
Objective assessment of inherent risks
Selecting a Third Party and Due Diligence
How formal the process is and the level of due diligence depends on the complexity of the service to be performed and the associated risks
Comprehensive due diligence involves a review of all available information about a potential third party, focusing on the entity's financial condition, its specific relevant experience, its knowledge of applicable laws and regulations, its reputation, and the scope and effectiveness of its operations and controls. The evaluation of a third party may include the following items:
Audited financial statements, annual reports, SEC filings, and other available financial indicators.
Significance of the proposed contract on the third party's financial condition.
Experience and ability in implementing and monitoring the proposed activity.
Business reputation.
Qualifications and experience of the company's principals.
Strategies and goals, including service philosophies, quality initiatives, efficiency improvements, and employment policies.
Existence of any significant complaints or litigation, or regulatory actions against the company.
Ability to perform the proposed functions using current systems or the need to make additional investment.
Use of other parties or subcontractors by the third party.
Scope of internal controls, systems and data security, privacy protections, and audit coverage.
Business resumption strategy and contingency plans.
Knowledge of relevant consumer protection and civil rights laws and regulations.
Adequacy of management information systems.
Insurance coverage.
Contract
The agreement should include clearly defined and enforceable expectations and obligations of each party
Include the right to audit
Responsibilities for providing and receiving information
Confidentiality and security
Regulatory oversight when services are performed for the financial institution
Oversight
Extent of oversight activities and performance monitoring depends on the nature of the product or service provided and the associated risk
Management should dedicate sufficient staff with the necessary expertise to oversee the third party
Monitor Financial Condition
Analysis should be as comprehensive as the ongoing credit analysis the financial institution would conduct of its borrowers
Review adequacy of the insurance coverage
Monitor Controls
Review audit reports
Review vendor policies relating to internal controls and security
On-site reviews
Review business resumption contingency planning and testing
Review compliance with applicable regulations
Assess Quality of Service and Support
Regularly review documentation of vendor’s performance relative to contractual terms and conditions and SLAs
Document and follow up on performance problems
Evaluate the vendor’s ongoing ability to support and enhance the financial institution’s strategic plan and goals
Training provided to financial institution employees
Review complaints and resolution
Discuss performance and operational issues with internal areas the vendor touches
Documentation
Business plans for new lines of business or products that identify management’s planning process, decision making, and due diligence in selecting a third party
List of significant vendors or other third parties
Valid current and complete contracts
Regular risk management and performance reports
Regular reports to the board, or delegated committee, of the results of the ongoing oversight activities
Decentralized to Centralized/Center-Led Vendor Risk Management Program
Drivers
Responsible personnel should have the requisite knowledge and skills to adequately perform the steps necessary to properly identify and control the risk
The need for information
Increased use of third parties
Where to start
Executive champions
Define manageable pieces
Assessment
Assemble information
Develop the process and tools
The importance of understanding at all levels
Training
Continuous process improvement
Tools and Resources
Vendor Management Software
Agiliance
Aravo
RSA Archer
Ariba
Evantix
Fortrex/Vendorpoint
MetricStream
Modulo
SAP
Vendor Management Groups
BITS Vendor Management Special Interest Group (http://www.bits.org/initiatives/)
Shared Assessment Group (http://sharedassessments.org/about/)
Regulatory Guidance
OCC 2001-47
FDIC FIL-44-2008
FFIEC Outsourcing Technology Services, June 2004