Vendor Risk: Effective Management is Essential
Michael Masterson, Vice President, Union Bank, Vendor Risk Administration

Agenda
- Importance of properly managing the risks
- Components of a well-structured vendor risk management process
- Decentralized to centralized/center-led
- Tools and resources

Importance of Properly Managing the Risks
- You can't pass the responsibility for managing activities in a safe and sound manner, and in compliance with all applicable laws and regulations, on to the vendor.
- Decreased direct control requires intensified oversight.
- The bar has been raised:
  - Unfair, Deceptive or Abusive Acts and Practices (UDAAP)
  - CFPB
- Familiar risks… with a twist

Strategic/Operational Risk
- Ill-advised business decisions
- Products/services that do not help achieve strategic goals
- Return vs. cost and risk
- Integrating the internal processes of other organizations with the financial institution's processes can increase the overall operational complexity.

Reputation Risk
- Poor service = dissatisfied customers
- Negative publicity involving the vendor

Compliance Risk
- Violation of laws, rules, or regulations
- Nonconformance with internal policies and procedures or ethical standards
- Increased when the vendor maintains or has access to non-public information

Transaction Risk
- Product delivery errors or failure
- Inadequate security controls
- Inadequate business resumption and contingency planning

Credit Risk
- Risk to earnings or capital if the vendor does not perform or does not have the financial capacity to fulfill its obligations

Other Risks
- The types of risk introduced by an institution's decision to use a third party cannot be fully assessed without a complete understanding of the resulting arrangement. Therefore, a comprehensive list of potential risks that could be associated with a third-party relationship is not possible.

Country Risk
- Economic, social, and political conditions and events

Components of a Well-Structured Vendor Risk Management Process

Risk Assessment and Strategic Planning
- Integration with overall strategic objectives
- Internal expertise to oversee and manage the activity
- Cost/benefit relationship
- Customer expectations with respect to joint marketing and franchising activities
- Objective assessment of inherent risks

Selecting a Third Party and Due Diligence
- How formal the process is, and the level of due diligence, depends on the complexity of the service to be performed and the associated risks.
- Comprehensive due diligence involves a review of all available information about a potential third party, focusing on the entity's financial condition, its specific relevant experience, its knowledge of applicable laws and regulations, its reputation, and the scope and effectiveness of its operations and controls.
- The evaluation of a third party may include the following items:
  - Audited financial statements, annual reports, SEC filings, and other available financial indicators
  - Significance of the proposed contract on the third party's financial condition
  - Experience and ability in implementing and monitoring the proposed activity
  - Business reputation
  - Qualifications and experience of the company's principals
  - Strategies and goals, including service philosophies, quality initiatives, efficiency improvements, and employment policies
  - Existence of any significant complaints, litigation, or regulatory actions against the company
  - Ability to perform the proposed functions using current systems, or the need to make additional investment
  - Use of other parties or subcontractors by the third party
  - Scope of internal controls, systems and data security, privacy protections, and audit coverage
  - Business resumption strategy and contingency plans
  - Knowledge of relevant consumer protection and civil rights laws and regulations
  - Adequacy of management information systems
  - Insurance coverage

Contract
- The agreement should include clearly defined and enforceable expectations and obligations of each party:
  - Include the right to audit
  - Responsibilities for providing and receiving information
  - Confidentiality and security
  - Regulatory oversight when services are performed for the financial institution

Oversight
- The extent of oversight activities and performance monitoring depends on the nature of the product or service provided and the associated risk.
- Management should dedicate sufficient staff with the necessary expertise to oversee the third party.

Monitor Financial Condition
- Analysis should be as comprehensive as the ongoing credit analysis the financial institution would conduct of its borrowers
- Review the adequacy of the insurance coverage

Monitor Controls
- Review audit reports
- Review vendor policies relating to internal controls and security
- On-site reviews
- Review business resumption contingency planning and testing
- Review compliance with applicable regulations

Assess Quality of Service and Support
- Regularly review documentation of the vendor's performance relative to contractual terms and conditions and SLAs
- Document and follow up on performance problems
- Evaluate the vendor's ongoing ability to support and enhance the financial institution's strategic plan and goals
- Training provided to financial institution employees
- Review complaints and their resolution
- Discuss performance and operational issues with the internal areas the vendor touches

Documentation
- Business plans for new lines of business or products that identify management's planning process, decision making, and due diligence in selecting a third party
- List of significant vendors or other third parties
- Valid, current, and complete contracts
- Regular risk management and performance reports
- Regular reports to the board, or a delegated committee, of the results of the ongoing oversight activities

Decentralized to Centralized/Center-Led Vendor Risk Management Program

Drivers
- Responsible personnel should have the requisite knowledge and skills to adequately perform the steps necessary to properly identify and control the risk
- The need for information
- Increased use of third parties
- Executive champions

Where to start
- Define manageable pieces
- Assessment
- Assemble information
- Develop the process and tools
- The importance of understanding at all levels
- Training
- Continuous process improvement

Tools and Resources

Vendor Management Software
- Agiliance
- Aravo
- RSA Archer
- Ariba
- Evantix
- Fortrex/Vendorpoint
- MetricStream
- Modulo
- SAP

Vendor Management Groups
- BITS Vendor Management Special Interest Group (http://www.bits.org/initiatives/)
- Shared Assessment Group (http://sharedassessments.org/about/)

Regulatory Guidance
- OCC 2001-47
- FDIC FIL-44-2008
- FFIEC Outsourcing Technology Services, June 2004