Selecting a Third Party and Due Diligence

Vendor Risk:
Effective Management is Essential
Michael Masterson
Vice President
Union Bank
Vendor Risk Administration
Agenda
- Importance of Properly Managing the Risks
- Components of a well-structured vendor risk management process
- Decentralized to Centralized/Center-Led
- Tools and Resources
Importance of Properly Managing the Risks
- You can’t pass the responsibility for managing activities in a safe and sound manner and in compliance with all applicable laws and regulations on to the vendor.
- Decreased direct control requires intensified oversight
- The bar has been raised
  - Unfair, Deceptive or Abusive Acts and Practices (UDAAP)
  - CFPB
- Familiar risks…with a twist

Strategic/Operational Risk
- Ill-advised business decisions
- Products/services that do not help achieve strategic goals
- Return vs. cost and risk
- Integrating the internal processes of other organizations with the financial institution’s processes can increase the overall operational complexity.

Reputation Risk
- Poor service = dissatisfied customers
- Negative publicity involving the vendor

Compliance Risk
- Violation of laws, rules, or regulations
- Nonconformance with internal policies and procedures or ethical standards
- Increased when the vendor maintains or has access to non-public information

Transaction Risk
- Product delivery errors or failure
- Inadequate security controls
- Inadequate business resumption and contingency planning

Credit Risk
- Risk to earnings or capital if the vendor does not perform or does not have the financial capacity to fulfill its obligations

Other Risks
- The types of risk introduced by an institution's decision to use a third party cannot be fully assessed without a complete understanding of the resulting arrangement. Therefore, a comprehensive list of potential risks that could be associated with a third-party relationship is not possible.

Country Risk
- Economic, social, and political conditions and events
Components of a well-structured vendor risk management process
- Risk Assessment and Strategic Planning
  - Integration with overall strategic objectives
  - Internal expertise to oversee and manage the activity
  - Cost/benefit relationship
  - Customer expectations with respect to joint marketing and franchising activities
  - Objective assessment of inherent risks
- Selecting a Third Party and Due Diligence
  - How formal the process is and the level of due diligence depends on the complexity of the service to be performed and the associated risks

Comprehensive due diligence involves a review of all available information about a potential third party, focusing on the entity's financial condition, its specific relevant experience, its knowledge of applicable laws and regulations, its reputation, and the scope and effectiveness of its operations and controls. The evaluation of a third party may include the following items:
- Audited financial statements, annual reports, SEC filings, and other available financial indicators.
- Significance of the proposed contract on the third party's financial condition.
- Experience and ability in implementing and monitoring the proposed activity.
- Business reputation.
- Qualifications and experience of the company's principals.
- Strategies and goals, including service philosophies, quality initiatives, efficiency improvements, and employment policies.
- Existence of any significant complaints or litigation, or regulatory actions against the company.
- Ability to perform the proposed functions using current systems or the need to make additional investment.
- Use of other parties or subcontractors by the third party.
- Scope of internal controls, systems and data security, privacy protections, and audit coverage.
- Business resumption strategy and contingency plans.
- Knowledge of relevant consumer protection and civil rights laws and regulations.
- Adequacy of management information systems.
- Insurance coverage.
- Contract
  - The agreement should include clearly defined and enforceable expectations and obligations of each party
  - Include the right to audit
  - Responsibilities for providing and receiving information
  - Confidentiality and security
  - Regulatory oversight when services are performed for the financial institution
- Oversight
  - Extent of oversight activities and performance monitoring depends on the nature of the product or service provided and the associated risk
  - Management should dedicate sufficient staff with the necessary expertise to oversee the third party

Monitor Financial Condition
- Analysis should be as comprehensive as the ongoing credit analysis the financial institution would conduct of its borrowers
- Review adequacy of the insurance coverage

Monitor Controls
- Review audit reports
- Review vendor policies relating to internal controls and security
- On-site reviews
- Review business resumption contingency planning and testing
- Review compliance with applicable regulations

Assess Quality of Service and Support
- Regularly review documentation of the vendor’s performance relative to contractual terms and conditions and SLAs
- Document and follow up on performance problems
- Evaluate the vendor’s ongoing ability to support and enhance the financial institution’s strategic plan and goals
- Training provided to financial institution employees
- Review complaints and their resolution
- Discuss performance and operational issues with the internal areas the vendor touches
- Documentation
  - Business plans for new lines of business or products that identify management’s planning process, decision making, and due diligence in selecting a third party
  - List of significant vendors or other third parties
  - Valid, current and complete contracts
  - Regular risk management and performance reports
  - Regular reports to the board, or delegated committee, of the results of the ongoing oversight activities
Decentralized to Centralized/Center-Led Vendor Risk Management Program

Drivers
- Responsible personnel should have the requisite knowledge and skills to adequately perform the steps necessary to properly identify and control the risk
- The need for information
- Increased use of third parties
- Executive champions

Where to start
- Define manageable pieces
- Assessment
- Assemble information
- Develop the process and tools
- The importance of understanding at all levels
- Training
- Continuous process improvement
Tools and Resources
- Vendor Management Software
  - Agiliance
  - Aravo
  - RSA Archer
  - Ariba
  - Evantix
  - Fortrex/Vendorpoint
  - MetricStream
  - Modulo
  - SAP
- Vendor Management Groups
  - BITS Vendor Management Special Interest Group (http://www.bits.org/initiatives/)
  - Shared Assessment Group (http://sharedassessments.org/about/)
- Regulatory Guidance
  - OCC 2001-47
  - FDIC FIL-44-2008
  - FFIEC Outsourcing Technology Services, June 2004