Vendor Risk: Effective Management is Essential
Michael Masterson, Vice President, Union Bank Vendor Risk Administration
Agenda
• Importance of Properly Managing the Risks
• Components of a well-structured vendor risk management process
• Decentralized to Centralized/Center-Led
• Tools and Resources
Importance of Properly Managing the Risks
• You can’t pass the responsibility for managing activities in a safe and sound manner and in compliance with all applicable laws and regulations on to the vendor.
• Decreased direct control requires intensified oversight
• The bar has been raised
  • Unfair, Deceptive or Abusive Acts and Practices (UDAAP)
  • CFPB
• Familiar risks…with a twist
• Strategic/Operational Risk
  • Ill-advised business decisions
  • Products/services that do not help achieve strategic goals
  • Return vs. cost and risk
  • Integrating the internal processes of other organizations with the financial institution’s processes can increase the overall operational complexity.
Importance of Properly Managing the Risks
• Reputation Risk
  • Poor service = dissatisfied customers
  • Negative publicity involving the vendor
• Compliance Risk
  • Violation of laws, rules, or regulations
  • Nonconformance with internal policies and procedures or ethical standards
  • Increased when the vendor maintains or has access to non-public information
• Transaction Risk
  • Product delivery errors or failure
  • Inadequate security controls
  • Inadequate business resumption and contingency planning
Importance of Properly Managing the Risks
• Credit Risk
  • Risk to earnings or capital if the vendor does not perform or lacks the financial capacity to fulfill its obligations
• Other Risks
  • The types of risk introduced by an institution's decision to use a third party cannot be fully assessed without a complete understanding of the resulting arrangement. Therefore, a comprehensive list of potential risks that could be associated with a third-party relationship is not possible.
• Country Risk
  • Economic, social, and political conditions and events
Components of a well-structured vendor risk management process
• Risk Assessment and Strategic Planning
  • Integration with overall strategic objectives
  • Internal expertise to oversee and manage the activity
  • Cost/benefit relationship
  • Customer expectations with respect to joint marketing and franchising activities
  • Objective assessment of inherent risks
• Selecting a Third Party and Due Diligence
  • How formal the process is and the level of due diligence depend on the complexity of the service to be performed and the associated risks
Components of a well-structured vendor risk management process
• Comprehensive due diligence involves a review of all available information about a potential third party, focusing on the entity's financial condition, its specific relevant experience, its knowledge of applicable laws and regulations, its reputation, and the scope and effectiveness of its operations and controls. The evaluation of a third party may include the following items:
  • Audited financial statements, annual reports, SEC filings, and other available financial indicators.
  • Significance of the proposed contract on the third party's financial condition.
  • Experience and ability in implementing and monitoring the proposed activity.
  • Business reputation.
  • Qualifications and experience of the company's principals.
  • Strategies and goals, including service philosophies, quality initiatives, efficiency improvements, and employment policies.
  • Existence of any significant complaints or litigation, or regulatory actions against the company.
  • Ability to perform the proposed functions using current systems or the need to make additional investment.
  • Use of other parties or subcontractors by the third party.
  • Scope of internal controls, systems and data security, privacy protections, and audit coverage.
  • Business resumption strategy and contingency plans.
  • Knowledge of relevant consumer protection and civil rights laws and regulations.
  • Adequacy of management information systems.
  • Insurance coverage.
Components of a well-structured vendor risk management process
• Contract
  • The agreement should include clearly defined and enforceable expectations and obligations of each party
  • Include the right to audit
  • Responsibilities for providing and receiving information
  • Confidentiality and security
  • Regulatory oversight when services are performed for the financial institution
• Oversight
  • Extent of oversight activities and performance monitoring depends on the nature of the product or service provided and the associated risk
  • Management should dedicate sufficient staff with the necessary expertise to oversee the third party
Components of a well-structured vendor risk management process
• Monitor Financial Condition
  • Analysis should be as comprehensive as the ongoing credit analysis the financial institution would conduct of its borrowers
  • Review adequacy of the insurance coverage
• Monitor Controls
  • Review audit reports
  • Review vendor policies relating to internal controls and security
  • On-site reviews
  • Review business resumption contingency planning and testing
  • Review compliance with applicable regulations
Components of a well-structured vendor risk management process
• Assess Quality of Service and Support
  • Regularly review documentation of the vendor’s performance relative to contractual terms and conditions and SLAs
  • Document and follow up on performance problems
  • Evaluate the vendor’s ongoing ability to support and enhance the financial institution’s strategic plan and goals
  • Training provided to financial institution employees
  • Review complaints and their resolution
  • Discuss performance and operational issues with the internal areas the vendor touches
Components of a well-structured vendor risk management process
• Documentation
  • Business plans for new lines of business or products that identify management’s planning process, decision making, and due diligence in selecting a third party
  • List of significant vendors or other third parties
  • Valid, current and complete contracts
  • Regular risk management and performance reports
  • Regular reports to the board, or delegated committee, of the results of the ongoing oversight activities
Decentralized to Centralized/Center-Led Vendor Risk Management Program
• Drivers
  • Responsible personnel should have the requisite knowledge and skills to adequately perform the steps necessary to properly identify and control the risk
  • The need for information
  • Increased use of third parties
• Where to start
  • Executive champions
  • Define manageable pieces
  • Assessment
  • Assemble information
  • Develop the process and tools
  • The importance of understanding at all levels
  • Training
  • Continuous process improvement
Tools and Resources
• Vendor Management Software
  • Agiliance
  • Aravo
  • RSA Archer
  • Ariba
  • Evantix
  • Fortrex/Vendorpoint
  • MetricStream
  • Modulo
  • SAP
• Vendor Management Groups
  • BITS Vendor Management Special Interest Group (http://www.bits.org/initiatives/)
  • Shared Assessment Group (http://sharedassessments.org/about/)
Tools and Resources
• Regulatory Guidance
  • OCC 2001-47
  • FDIC FIL-44-2008
  • FFIEC Outsourcing Technology Services, June 2004