By John Graetz
Banks already have mature controls and approaches to help mitigate many IT and security risks. Now they should consider applying the same rigor to managing the risks that come with their vendor relationships.
As banks increase their reliance on third-party vendors, including for many IT capabilities, they may also be taking on something far less desirable: mounting risk. If a data breach occurs, a disruption to online banking services strikes, or a product or service misfires, customers are likely to blame the bank, not the vendor, which could potentially affect the bank’s reputation and financial viability.
As the complexity and volume of vendor arrangements grow, concern is mounting among bank leaders that they are losing control of many business processes and activities, and that the resulting blind spots are increasing their risk exposure. Moreover, regulators such as the Consumer Financial Protection Board (CFPB) have intensified their scrutiny of banks’ risk management practices, both in general and with respect to vendor risk in particular.
Effectively managing third-party vendors—and the risk that comes with their use—is one capability banks can’t afford to outsource.
Categorizing Vendor Risks
Some banks have thousands of relationships with third-party vendors. While a single vendor may provide several different services, the risks associated with each arrangement can be quite different. Plus, vendors differ greatly—some offer services that may be more critical to banks than others and some may have more robust risk management.
Given this complexity, it can help to divide vendor risks into categories such as strategic, reputational, compliance, operational (including information security), and business continuity. For example, a vendor with most of its resources and operations in one location may pose a concentration risk. If a natural disaster strikes, the vendor may be unable to provide services. If neither the vendor nor the bank has contingency plans in place, the bank could be exposed to all manner of other risks.
A deliberate approach to mapping risk exposures is a prerequisite for effectively allocating risk management resources. With such a map in place, banks may then prioritize each risk and apply an appropriate mix of policies, procedures, and controls to keep them in check.
Three Lines of Defense
Banks can consider three lines of defense to enhance their risk management capabilities. The approach applies to risk management in general and to managing vendor risk in particular.
The first line of defense entails establishing shared responsibility for risk management and controls for each business relationship between the vendor and the bank. That said, ultimate responsibility lies with the bank. For example, banks should determine which activities are too strategic or too risky to outsource; conduct vendor due diligence prior to signing third-party agreements; and provide sufficient oversight of vendor controls.
The second line of defense involves defining and implementing an enterprise strategy, policies and standards, and monitoring risk, compliance, and controls across vendor relationships.
The third line of defense is the creation of an internal audit or equivalent function to continually monitor and assess the effectiveness of the first two lines of defense. This may include regular and targeted reviews to see that vendor risk management practices are adequately designed and operating according to bank policies and regulatory requirements.
Other Emerging Capabilities
In addition to new governance models, banks today have access to a host of evolving tools and capabilities to support their efforts. These include:
Risk analysis and management tools. Banks may choose from a growing selection of tools that offer specific capabilities for gauging and managing vendor risk. These tools are able to link supplier inventories, statements of work, contracting authorities, and more, giving leaders a detailed look at the risks (and risk characteristics) of third-party relationships and contracts. They may also report on the effectiveness of controls and risk management practices used to mitigate relationship risks.
Additionally, risk modeling technologies offer a framework for managing both the inherent and residual risks of the supplier base. While tools of this nature aren’t new, powerful new versions may help bank leaders identify and prioritize vendor risks. From there, banks may apply a mix of controls, resources, and investments commensurate with the threat level presented by each.
Enterprisewide performance monitoring. While many banks can monitor the performance of service-level agreements (SLAs) at an individual supplier or relationship level, they may be unable to monitor their collective performance. New enterprise scorecards may provide greater transparency into these high-risk relationships. Using these tools, for example, banks may assess how hundreds of important, high-risk relationships are performing across the board—without having to delve deeply into each one.
Contract review. In negotiations with third-party suppliers and contractors, individual business units may be excluding certain terms and conditions that could help lower risk. In some cases, banks may have to conduct audits of hundreds or even thousands of contracts to verify that certain clauses have been included. Evolving tools can help banks scour their contracts and confirm that certain terms and conditions are embedded.
Customer management. While customer complaints and satisfaction are not new concerns in the financial services industry, many banks today have expanded their efforts in this area to include vendor offerings. This is also an emerging concern for regulators like the CFPB, which has already taken enforcement action in some cases. As a result, banks are motivated to strengthen current processes or implement new ones to adequately monitor, report, escalate, and resolve third-party customer issues.
While regulatory scrutiny and compliance pressures may offer plenty of reasons to take a closer look at vendor risk, bank leaders also understand that forging stronger and safer vendor relationships may become a business imperative. As an example, banks may be franchising their names to vendors, which in turn are offering more banking and non-banking products and services on the bank’s behalf. If not handled properly, fallout from these joint marketing arrangements could potentially damage a bank’s reputation and significantly impact its customer base and bottom line.
This article was written by John Graetz and originally published on deloitte