1 Vendor Risk: Effective Management is Essential
Michael Masterson
Vice President
Union Bank
Vendor Risk Administration
2 Agenda
- Importance of Properly Managing the Risks
- Components of a well-structured vendor risk management process
- Decentralized to Centralized/Center-Led
- Tools and Resources
3 Importance of Properly Managing the Risks
- You can’t pass the responsibility for managing activities in a safe and sound manner and in compliance with all applicable laws and regulations on to the vendor.
- Decreased direct control requires intensified oversight
- The bar has been raised
  - Unfair, Deceptive or Abusive Acts and Practices (UDAAP)
  - CFPB
- Familiar risks… with a twist
- Strategic/Operational Risk
  - Ill-advised business decisions
  - Products/services that do not help achieve strategic goals
  - Return vs. cost and risk
  - Integrating the internal processes of other organizations with the financial institution’s processes can increase the overall operational complexity.
4 Importance of Properly Managing the Risks
- Reputation Risk
  - Poor service = dissatisfied customers
  - Negative publicity involving the vendor
- Compliance Risk
  - Violation of laws, rules, or regulations
  - Nonconformance with internal policies and procedures or ethical standards
  - Increased when the vendor maintains or has access to non-public information
- Transaction Risk
  - Product delivery errors or failure
  - Inadequate security controls
  - Inadequate business resumption and contingency planning
5 Importance of Properly Managing the Risks
- Credit Risk
  - Risk to earnings or capital if the vendor does not perform or does not have the financial capacity to fulfill its obligations
- Other Risks
  - The types of risk introduced by an institution's decision to use a third party cannot be fully assessed without a complete understanding of the resulting arrangement. Therefore, a comprehensive list of potential risks that could be associated with a third-party relationship is not possible.
  - Country Risk
    - Economic, social, and political conditions and events
6 Components of a well-structured vendor risk management process
- Risk Assessment and Strategic Planning
  - Integration with overall strategic objectives
  - Internal expertise to oversee and manage the activity
  - Cost/benefit relationship
  - Customer expectations with respect to joint marketing and franchising activities
  - Objective assessment of inherent risks
- Selecting a Third Party and Due Diligence
  - The formality of the process and the level of due diligence depend on the complexity of the service to be performed and the associated risks
7 Components of a well-structured vendor risk management process
Comprehensive due diligence involves a review of all available information about a potential third party, focusing on the entity's financial condition, its specific relevant experience, its knowledge of applicable laws and regulations, its reputation, and the scope and effectiveness of its operations and controls. The evaluation of a third party may include the following items:
- Audited financial statements, annual reports, SEC filings, and other available financial indicators.
- Significance of the proposed contract on the third party's financial condition.
- Experience and ability in implementing and monitoring the proposed activity.
- Business reputation.
- Qualifications and experience of the company's principals.
- Strategies and goals, including service philosophies, quality initiatives, efficiency improvements, and employment policies.
- Existence of any significant complaints or litigation, or regulatory actions against the company.
- Ability to perform the proposed functions using current systems or the need to make additional investment.
- Use of other parties or subcontractors by the third party.
- Scope of internal controls, systems and data security, privacy protections, and audit coverage.
- Business resumption strategy and contingency plans.
- Knowledge of relevant consumer protection and civil rights laws and regulations.
- Adequacy of management information systems.
- Insurance coverage.
8 Components of a well-structured vendor risk management process
- Contract
  - The agreement should include clearly defined and enforceable expectations and obligations of each party
  - Include the right to audit
  - Responsibilities for providing and receiving information
  - Confidentiality and security
  - Regulatory oversight when services are performed for the financial institution
- Oversight
  - Extent of oversight activities and performance monitoring depends on the nature of the product or service provided and the associated risk
  - Management should dedicate sufficient staff with the necessary expertise to oversee the third party
9 Components of a well-structured vendor risk management process
- Monitor Financial Condition
  - Analysis should be as comprehensive as the ongoing credit analysis the financial institution would conduct of its borrowers
  - Review adequacy of the insurance coverage
- Monitor Controls
  - Review audit reports
  - Review vendor policies relating to internal controls and security
  - On-site reviews
  - Review business resumption contingency planning and testing
  - Review compliance with applicable regulations
10 Components of a well-structured vendor risk management process
- Assess Quality of Service and Support
  - Regularly review documentation of the vendor’s performance relative to contractual terms and conditions and SLAs
  - Document and follow up on performance problems
  - Evaluate the vendor’s ongoing ability to support and enhance the financial institution’s strategic plan and goals
  - Training provided to financial institution employees
  - Review complaints and their resolution
  - Discuss performance and operational issues with the internal areas the vendor touches
11 Components of a well-structured vendor risk management process
- Documentation
  - Business plans for new lines of business or products that identify management’s planning process, decision making, and due diligence in selecting a third party
  - List of significant vendors or other third parties
  - Valid, current, and complete contracts
  - Regular risk management and performance reports
  - Regular reports to the board, or delegated committee, of the results of the ongoing oversight activities
12 Decentralized to Centralized/Center-Led Vendor Risk Management Program
- Drivers
  - Responsible personnel should have the requisite knowledge and skills to adequately perform the steps necessary to properly identify and control the risk
  - The need for information
  - Increased use of third parties
- Where to start
  - Executive champions
  - Define manageable pieces
  - Assessment
  - Assemble information
  - Develop the process and tools
  - The importance of understanding at all levels
  - Training
  - Continuous process improvement
13 Tools and Resources
- Vendor Management Software
  - Agiliance
  - Aravo
  - RSA Archer
  - Ariba
  - Evantix
  - Fortrex/Vendorpoint
  - MetricStream
  - Modulo
  - SAP
- Vendor Management Groups
  - BITS Vendor Management Special Interest Group
  - Shared Assessment Group
14 Tools and Resources
- Regulatory Guidance
  - OCC 2001-47
  - FDIC FIL-44-2008
  - FFIEC Outsourcing Technology Services, June 2004