Vendor Risk Management - Love From the Other...


Page 1: Vendor Risk Management - Love From the Other Side
Source: aiba-us.org/.../uploads/2012/05/Vendor-Risk-Management.pdf

Vendor Risk Management (Banks and Financial Institutions)

Speaker: Jay Ranade/Ram Engira
CIA, CRMA, CRISC, CBCP, CISA, CISSP, CISM, ISSAP, CGEIT
Director of Education, Risk Management Professionals Intl.
New York City, USA
[email protected] [email protected] [email protected] [email protected]
Phone +1-917-971-9786

Page 2

Instructor Jay Ranade

CIA, CRMA, CRISC, CISA, CISSP, CISM, CBCP, CGEIT, ISSAP
Risk Management Professionals Intl.
[email protected] [email protected] [email protected] [email protected]
New York City
Cell +1-917-971-9786

Vendor Risk Management

Page 3

3/4/2014 Copyright by Risk Management Professionals International (Version 19)

Instructor Introduction

Jay, a certified CISA, CISM, CISSP, and CBCP, is an internationally renowned expert on computers, communications, disaster recovery, IT security, and IT controls. He has written and published more than 35 IT-related books on subjects ranging from networks, security, and operating systems to languages and systems. He also has an imprint with McGraw-Hill of more than 300 books called the “Jay Ranade Series”. He has written and published articles for computer magazines such as Byte, LAN Magazine, and Enterprise Systems Journal. The New York Times critically acclaimed his book “Best of Byte”. He is currently working on a number of books on subjects such as IT Audit, IT Security, Business Continuity, and IT Risk Management. Jay has consulted for and worked with Global and Fortune 500 companies in the US and abroad, including American International Group, Time Life, Merrill Lynch, Dreyfus/Mellon Bank, Johnson and Johnson, Unisys, McGraw-Hill, Mobiltel Bulgaria, and Credit Suisse. He was a member of ISACA International's Publications Committee (2005-07).

He also teaches graduate-level classes on Information Security Management and Ethical Risk Management at New York University. Jay is also an adjunct professor at St John’s University, where he teaches Accounting Information Systems, IT Auditing, Internal Auditing, and Operational Risk Management.

Page 4

Instructor Introduction

Ram Engira has more than 22 years of experience gained at some of Wall Street’s largest firms. He has fundamental business operations and technology skills, especially around key initiatives in the banking, trading, and investment banking arenas. Ram is currently a Senior Vice President/Senior IT Infrastructure Manager for the Retail Bank O&T division at a major financial firm. He works for the business office, focused on strategic planning, business and technology alignment, client service delivery management, business realignment, engagement planning, and risk management. He is a subject matter expert in BCP/DR, enterprise and IT risk management, information security, and infrastructure optimization, and is involved with BCP/DR, information security, and system auditing from both strategic and tactical points of view. Ram is among the industry leaders in planning and executing data center consolidation programs and infrastructure virtualization leading to IT optimization. Ram is also an adjunct professor at St. John’s University and New York Institute of Technology (NYIT), teaching Master’s-level courses in business continuity planning, enterprise risk management, IT security and auditing, and database management systems.

Page 5

Instructor’s Information

• Contact information

– [email protected] [email protected] [email protected] [email protected]

– USA +1-917-971-9786

• Risk Management Professionals International

Page 6

What is RISK

Page 7

Types of Risks

• 97 types of risks

• Credit risk, market risk, liquidity risk, IT risk, sovereign risk, political risk, operational risk…

• And by the way, vendor risk, which is a subset of operational risk

Page 8

Organizational Focus

• Mitigate risk to the organization

– Focus is on controls

• Comply with laws and regulations

– Focus is on compliance

– Usually in regulated industry

Page 9

Facts about risk

• It is part of life

• It is part of doing business

• You can avoid it, mitigate it, accept it, transfer it

• Controls are not free

– Controls slow down business

– Controls cost money

– Balance controls and benefit

Page 10

Categories of Vendor Risk Controls

• Directive controls – policy

• Preventive controls

• Detective controls

• Corrective controls – IRM

• Compensating controls

• Deterrent controls – SLA penalties

Page 11

Types of Vendor Risk Controls

• Controls can be any of the following six

– Policy

– Standard

– Procedure

– Process

– Organizational structure

– Physical entity

Page 12

Why use Vendors?

Page 13

Reasons for using vendors

• Reduce cost

• Increase performance

• Access specific expertise lacking in organization

• Increase product offerings

Page 14

Common 3rd Party Relationships

Page 15

Common Vendor Relationships

• 3rd party product providers e.g. credit card providers, auto dealers, mortgage brokers

• Loan servicing providers e.g. flood insurance monitoring, debt collection, foreclosure activities

• Disclosure preparers e.g. related SW, 3rd party documentation preparation

Page 16

Common Vendor Relationships

• Technology providers e.g. web development, software vendors

• Outsourced compliance functions e.g. fair lending reviews, compliance audits, compliance monitoring

Page 17

Common 3rd Party Risks

Page 18

Common Vendor Risks

• Compliance risk – Laws, regulations, rules

• Reputation risk – Law violations, dissatisfied customers

• Operational risk – People, processes, systems, external events

• Transaction risk – Service delivery issues

• Credit risk – 3rd party not able to meet contract terms

Page 19

Vendor Risk Types Examples

• Deceptive vendor marketing

• Credit discrimination

• Privacy issues (data loss or leakage) – GLBA issue

• UDAP – unfair, deceptive acts or practices – UDAP is not always apparent; it may be commonly accepted bank practice

• Solution: Oversee vendors as you would a department in your bank

Page 20

What practices Increase Vendor Risk?

Page 21

Bad Practices

• Overreliance on 3rd party vendors

– Expertise in staffing vendors, products, and services does not mean expertise in compliance and regulations.

• Failure to monitor vendor

– Monitoring tracks variation in risk. You cannot outsource accountability

Page 22

Bad Practices

• Failure to retain knowledgeable staff – Vendor staff has expertise, but the organization’s staff does not know the vendor’s activities. The risk is to the organization.

• No clear expectations set – Contracts must include consumer protection requirements

– Other expectations

Page 23

Bad Practices

• GIGO effect

– Not providing enough information to vendor to do job

• Vendor activities in violation

– No verification process for whether the vendor is complying with the law/regulation

Page 24

Some Examples of Vendor Risks

Page 25

Examples of Vendor Risk

• Flood insurance monitoring

– Vendor is used to monitor flood insurance

– Vendor’s error in calculating required coverage

– Civil money penalty (CMP) lawsuits

• HAMP Program

– Home Affordable Modification Program

– Vendor delay in processing

– Vendor sending duplicate applications

Page 26

Examples of Vendor Risk

• Credit Card Administration

– Vendors to market credit card programs

– Balance transfer

– Non-disclosure of fees, UDAP violation

– CFPB has enforcement actions against 3 major credit card issuers in 2013

• Disclosure generation software

– Vendor SW generates consumer disclosures

– Regulatory changes need SW changes/alignment

– Management depends on vendor to make changes

Page 27

Examples of Vendor Risk

• Revenue enhancement

– 3rd party offer for revenue enhancement

– For many products and services

– Compliance issues not considered

• 3rd party payment processors (TPPP)

– Customers use accounts to process payments for merchant clients

– TPPP issued payments for merchants in high-risk illegal activity

– Can also result in UDAP risk

Page 28

What is a Vendor RISK

Page 29

Bank’s Vendor Risk

• Banks use third party vendors to

– Outsource internal operations

– Provide products and services to customers that they do not provide

– Lend their name for services or activities to others for a fee

• Why use 3rd party?

– Resource constraint within the bank

– Provide additional products and services

– Provide expertise not available within the bank

Page 30

Regulator’s concern

• Does outsourcing create more risk?

• Can financial institution

– Identify such risk

– Manage/Control this risk

– Monitor this risk

• Two aspects of regulator’s concern

– Financial institution’s business and solvency

– Consumer’s protection from harm

Page 31

Regulator’s concern

• 3rd party vendors are not subject to banking and financial reporting requirements

• 3rd party vendor’s lack of accountability to regulators

• So, banks and non-banks subject to civil and criminal penalties

– Because they have the accountability

Page 32

Regulator’s new tools

• Bank Service Company Act, 12 USC 1861-1867(c), Sec. 1861

– When a 3rd party performs a function for bank operations, regulators treat the 3rd party as subject to the act

– Regulator can examine operations of the 3rd party as if they were performed by the bank

• Dodd-Frank Act – Consumer Financial Protection Bureau (CFPB) has jurisdiction over any “person” that provides a material service to a bank (or non-bank) for a consumer financial product or service

Page 33

VRM Facts

• You outsource responsibility, not accountability

– Board and senior management own that

• CFPB – financial institutions are responsible for the actions of companies they CONTRACT with

– Financial institutions expected to manage such risk

Page 34

So what 7 things do you do?

• Proper vendor governance

• 3rd party due diligence

• Contracting

• RCA

• LCA

• Continuous monitoring (KRIs, KCIs) and oversight

– Proper training for those who monitor

• Tracking consumer complaints

Page 35

Cause vs. Effect in VR

• Cause → Event

• Event → Effect (aka consequence)

• VR is managed through preventive controls (PCs) by managing the “causes”

• VR is managed through detective and corrective controls (DCs and CCs) by mitigating “effects”

Page 36

Cross Border Outsourcing

Page 37

Cross Border Outsourcing – Life Cycle

• Strategic assessment

• Business case development

• Vendor selection – due diligence

• Contracting

• Service transition

• Post transition management

– monitoring

Page 38

Cross Border Outsourcing – Inherent Risks

• Financial risk – fraudulent transactions

• Privacy risk for PII

• Brand and reputation risk

• Regulatory risk

• Competitive risk from loss of IP

Page 39

Cross Border Outsourcing – 9 risks

• Vendor selection risk – lack of due diligence

• Strategic risk – inconsistent with organization's goals

• Regulatory compliance risk

– Laws, regulations, policies, oversight, EU data protection, SOX, FFIEC, export restrictions

• Technology risks

– Processes not aligned with organizational objectives

– Business interruptions due to technology failure

Page 40

Cross Border Outsourcing – 9 risks

• Security risk

– Lack of protection of customer information, IP, and loss of CIA

• Legal risk

– Inability to enforce contractual terms due to legal jurisdiction

• Country risk

– Geopolitical, economic, social issues

Page 41

Cross Border Outsourcing – 9 risks

• BC risk

– Lack of recovery plans for critical business processes

• Exit strategy risk

– Lack of contract terms for orderly exit from termination of services

Page 42

Cross Border Outsourcing – Typical Security Requirements

• Logical access – Need to have, need to know, least privilege, proper IAA

• Application development and maintenance – Secure code, application change, source code management

• Operations – Change control, IRM, network management, media handling and disposal

• Business continuity – Critical business processes recovery after interruption within RTO, BC exercises

Page 43

Cross Border Outsourcing – Typical Security Requirements

• Physical and environmental controls – Perimeter, building, equipment, environmental

• Organizational security – SoD, R&R, DOPESS

• Asset classification – Policy-based CIA classes

• Information security policy

• Compliance – regulatory, contractual

Page 44

Cross Border Outsourcing – 13 missing provisions

• Lack of R&R

• Who owns IP?

• Ownership of by-product assets

• Service definition

– Local holidays, time zone

• SLA – with penalty clauses

• Use of sub-contractors

• Personnel

– Background check, minimum qualifications, drug testing, right to remove from project

Page 45

Cross Border Outsourcing – 13 missing provisions

• Documentation

– Logs, documents

• Fees and payment terms

• Legal and regulatory compliance

• Audit rights

• BC and DR requirements

• Security requirements- CIA

Page 46

The VRM Framework

Page 47

Vendor Risk Management Framework (diagram; structure recovered from the slide text)

Governance

VR due diligence and Contracting

Vendor Risk and Control Assessment

– Identify risk and owner

– Assess likelihood and impact

– Identify control and owner

– Assess design and performance

– Action plans

VR Indicators

– Identify key risk and control indicators

– Monitoring KRI, KCI

– Action plans

VR events and LCA

– Identify and capture internal and external events

– Analyze causes

– Action plans

VR Oversight

Page 48

1. VRM - Governance

• Board-approved vendor policy will be in alignment with business objectives

• There will be risk ownership

• There will be control ownership

• Accountability

• Clear direction for management

• VRM is about threats as well as opportunities

Page 49

2. VRM – Due Diligence

• Vendor assessment prior to on-boarding

– Onsite visit, references, vendor experience, complaints history, internal controls, financial status

• Consumer finance perspective

– Does outsourcing of products and services increase consumer harm?

– Does the 3rd party vendor have a proper IC environment?

Page 50

2. VRM – Due Diligence

• Does the vendor understand, and can it comply with, federal consumer financial law?

• Review of vendor policies, procedures, and IC

• Review of vendor employee training program for employees/agents having consumer contact

• Review of vendor employee training program for employees/agents having compliance responsibility

Page 51

2. VRM – Due Diligence

• Vendor contract stipulating expectations regarding violations e.g. unfair practices, abusive acts, deceptive acts

• Does the vendor comply with federal consumer finance laws, and does it have ICs to do so?

• Provision to terminate relationship when problems exceed threshold

Page 52

2. VRM – Due Diligence

• 11 things to look for in due diligence

– Vendor’s experience

– Reputation, complaints, litigation

– IC environment and internal audit

– BC and contingency plan

– Insurance coverage

– Security status – ISO 27001?

– Audited financial statements

– Qualifications and background

– Sufficiency of MIS (computer-based)

– Technology recovery plans (DR plans)

– Reliance on sub-contractors

Page 53

3. VRM - Contracting

• Contract should minimize the risk of non-performance by the vendor

• Scope of contract must be precisely defined

• Outsourcer should have contractual right to assess IC environment for vendor

– Internal audit of outsourcer

– SOC 1 and SOC 2 (SSAE 16 and ISAE 3402)

Page 54

3. VRM - Contracting

• Requirements must be defined, understood, and enforceable

• Performance measures and benchmarks defined

• Responsibility to communicate information

• Ownership and licensing of bank’s data, HW, SW, IP, and documentation

• Security- confidentiality, integrity, availability

Page 55

3. VRM - Contracting

• BC/DR plans

• Indemnifications holding 3rd party harmless for negligence

• Insurance coverage requirement

• Process for dispute resolution

• Limits on liability of bank for non-performance of vendor

• Termination considerations

• Customer complaints resolution process

• Contract enforcement jurisdiction for foreign-based vendor

Page 56

4. VRM - RCA

• 3rd party focus for RM, and CFPB focus for consumer-impacting vendors

• Embedding VRM in the BPs

• Establishing risk owner and control owner

– Not always the same

– Risk ownership is business

– Control ownership is operations mostly

Page 57

4. VRM - RCA

• Develop RM FW for 3rd party vendors

– Stratify based on risk to the organization

• Identify consumer facing vendors (CFPB)

• Identify laws and regulations for each product and stages of product lifecycle

• Map vendors and laws (many to many relationship)

– Which laws apply to which vendor

Page 58

Typical VR RCA Risk Register

(For each risk S = I x L; for each control E = D x P, as the figures below show. Control names missing from the transcript are left blank.)

| ID | Risk | Owner(s) of the risk | I | L | S | Control | Owner(s) of the control | D | P | E |
|----|------|----------------------|---|---|---|---------|-------------------------|---|---|---|
| 1 | Weakness in outsourced information security system | CK | 4 | 3 | 12 | | ZK | 4 | 4 | 16 |
| | | | | | | | KW | 4 | 3 | 12 |
| | | | | | | | CK | 3 | 3 | 9 |
| 2 | Over-selling credit cards by vendor | CK | 4 | 3 | 12 | Staff Training | TB | 3 | 3 | 9 |
| | | | | | | Credit scoring | EL | 4 | 4 | 16 |
| | | | | | | Forward business planning | ZK | 3 | 3 | 9 |
| 3 | Over-deployment of management resources on regulatory issues | RU, CK | 3 | 4 | 12 | Monthly review of budget against actual | TJ | 3 | 4 | 12 |
| | | | | | | Corporate governance | CK | 4 | 4 | 16 |
| | | | | | | Monthly meetings between CEO and head of compliance | CK | 2 | 2 | 4 |
| 4 | Failure to understand the outsourcing-related regulations | AB | 3 | 3 | 9 | | TB | 3 | 4 | 12 |
| | | | | | | | TB | 2 | 2 | 4 |
| 5 | Over dependency on outsourcing | CK | 3 | 3 | 9 | SLA | CK & EL | 4 | 4 | 16 |
| | | | | | | Outsourcing monitoring | CK & EL | 4 | 4 | 16 |
| | | | | | | Due diligence | CK | 4 | 3 | 12 |
| | | | | | | Policy | CK | 3 | 4 | 12 |
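Added example, not from the presentation: the register above as a small Python structure with three checks a reviewer would run over it. The scoring rule (S = I x L, E = D x P) is inferred from the slide's figures; the control-versus-risk score comparison and the owner-overlap check (the "risk owner and control owner are not always the same" point from slide 56) are review heuristics assumed here, not the presenter's method.

```python
from dataclasses import dataclass

@dataclass
class Control:
    name: str   # "" where the control name is missing from the transcript
    owner: str
    d: int      # design rating (slide column D)
    p: int      # performance rating (slide column P)
    e: int      # effectiveness score as printed (slide column E)

@dataclass
class Risk:
    rid: int
    title: str
    owners: tuple
    i: int      # impact rating (slide column I)
    l: int      # likelihood rating (slide column L)
    s: int      # risk score as printed (slide column S)
    controls: list

# The slide's register rows, transcribed into a constructed structure (figures are the slide's).
REGISTER = [
    Risk(1, "Weakness in outsourced information security system", ("CK",), 4, 3, 12,
         [Control("", "ZK", 4, 4, 16), Control("", "KW", 4, 3, 12), Control("", "CK", 3, 3, 9)]),
    Risk(2, "Over-selling credit cards by vendor", ("CK",), 4, 3, 12,
         [Control("Staff Training", "TB", 3, 3, 9), Control("Credit scoring", "EL", 4, 4, 16),
          Control("Forward business planning", "ZK", 3, 3, 9)]),
    Risk(3, "Over-deployment of management resources on regulatory issues", ("RU", "CK"), 3, 4, 12,
         [Control("Monthly review of budget against actual", "TJ", 3, 4, 12),
          Control("Corporate governance", "CK", 4, 4, 16),
          Control("Monthly meetings between CEO and head of compliance", "CK", 2, 2, 4)]),
    Risk(4, "Failure to understand the outsourcing-related regulations", ("AB",), 3, 3, 9,
         [Control("", "TB", 3, 4, 12), Control("", "TB", 2, 2, 4)]),
    Risk(5, "Over dependency on outsourcing", ("CK",), 3, 3, 9,
         [Control("SLA", "CK&EL", 4, 4, 16), Control("Outsourcing monitoring", "CK&EL", 4, 4, 16),
          Control("Due diligence", "CK", 4, 3, 12), Control("Policy", "CK", 3, 4, 12)]),
]

def score_errors(register):
    """Rows whose printed score is not the product of its two ratings (S = I*L, E = D*P)."""
    return ([(r.rid, "risk") for r in register if r.i * r.l != r.s]
            + [(r.rid, c.owner) for r in register for c in r.controls if c.d * c.p != c.e])

def controls_below_risk(register):
    """Risk id -> owners of controls whose effectiveness score is below the risk's score."""
    return {r.rid: [c.owner for c in r.controls if c.e < r.s] for r in register}

def owner_overlap(register):
    """Risk ids where a risk owner also owns one of that risk's controls (slide 56 point)."""
    return sorted(r.rid for r in register if any(o in c.owner.split("&") for o in r.owners for c in r.controls))
```

On the slide's own figures the arithmetic is consistent, four of the five risks carry at least one control scored below the risk, and risks 1, 3 and 5 have the same person owning both the risk and a control.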

Page 59:

5. VRM - LCA

• LCA is for

– Solidifying PCs

• Shows due diligence

– Always document LCA for regulators (and yourself)

• Maintain event database

– Helps in statistical analysis

– Need 30-35 data items

Page 60:

6. VRM Monitoring- Indicators

• KRIs and KCIs

– Monitor variation in risk and controls

• Can be leading, co-, or lagging

– Leading predict impending issues

– Lagging are detective

• Keep RCA and indicators together in RR

Page 61:

7. VRM - Oversight

• Review vendors periodically

– Vendor’s risk and RM

– Vendor’s performance and KPIs

• Changes in the regulatory environment and their alignment with vendor services

– Provision in vendor contract

• Assessment of vendor IC environment by the organization

Page 62:

7. VRM - Oversight

• Evaluation – SLAs, risk-based vendor reviews, vendor performance reviews, process for issues escalation

• Gap analysis for 3rd party oversight and reporting processes – Update procedures to close the gap

• Complaint processing – Complaint tracking, follow-up, resolution, reporting, CMMI maturity

Page 63:

7. VRM - Oversight

• Regulator’s guidance for oversight

– Risk management practices of vendor

– Vendor ICs for compliance, QA, personnel changes, contingency planning

– Documentation

– QoS and assessment support

Page 64:

VRM Timeline

• Refer to figure on next foil

• Timeline is to implement FW

• Includes implementing 6 VRM FW processes – And staff to do that

• An important aspect is to have a software tool to capture or create OR data

• Proper governance, management, and controls – Tone at the top, tune in the middle, and policies

Page 65:

Example timeline for implementing a Vendor Risk Management programme

[Gantt-style chart. Time axis: 0-3 months | 3-6 months | 6-9 months | 9-12 months | 12-15 months. The placement of the bars did not survive the transcript; the rows and the activities shown on the chart are listed below.]

Rows (work streams):

• Policy

• RCA

• Events and losses

• Technology tool

• Staffing

• Due Diligence and Contracting

• Indicators

• Reporting

Activities shown on the chart:

• VRM Policy

• Risk matrix

• Initiative capture

• Selection, Implement'n

• Requirements review

• Due Diligence Process

• KCIs captured / reviewed

• Summarised reporting of RCAs and KCIs

• Risk Committee meetings

• RCA

• Bus line and Dept

• Risk Status Report

• KRIs identified, captured and combined with KCIs

• Contracting, SLA process

• Recruitment/staffing

• Rollout (initially pilot)

• Loss causal analysis linked to RCAs

• Embedded Vendor risk and control assessments, including risk champions

Page 66:

Questions