Vendor Management: An
Enterprise-wide Focus
Susan Orr, CISA CISM CRISC CRP
Susan Orr Consulting, Ltd.
Why Focus on Vendor Management
• Increased financial regulatory scrutiny
– GLBA and Identity Theft Red Flags Program
– Regulatory guidance
• FFIEC Statement on Cloud Computing July 2012
• FRB SR 11-7 Model Risk Management
• OCC 2011-12 Sound Practices for Model Risk Management
• FFIEC 2011 Authentication In An Internet Banking Environment Supplement
• FFIEC 2009 Risk Management of Remote Deposit Capture
• FDIC FIL 44-2008 Guidance for Managing Third-Party Risk
• OCC 2008-16 Information Security – Application Security
• OCC 2001-47 Risk Management Principles
CFPB
• Bulletin 2012-03 - FI ensure third parties do not present unwarranted risks to consumers
– Conduct due diligence to verify provider’s ability to comply with consumer law
– Request and review provider’s policies and procedures to ensure appropriate oversight
– Set clear expectations about enforceable
CFPB
• Bulletin 2012-06
– Marketing materials for credit card add-on products are not deceptive
– Compensation does not create incentives to provide inaccurate information
– Scripts follow specific requirements and have compliance management programs
FRB SR 11-7 and OCC 2011-12
• Validation of Vendor/Third-Party Products
– Appropriate processes for selecting vendor models
• Provide developmental evidence on components, design, intended use
• Determine appropriateness for bank
– Risk assessing to determine exposures and risks
– Bank validation of use of the vendor products
– Vendor performance monitoring and analysis
– Business Continuity
Why Focus on Vendor Management
• Essential part of enterprise-wide risk management
• Emerging technology
• More reliance on outsourcing and cloud computing
Vendor Management Focus
• Bank-wide, all vendors/providers
– Develop definition for vendor/provider
– Analyze accounts payable
Key Factors of Vendor Management Program
• BOD and senior management awareness
• Prudence of outsourcing relationship
• Needs assessment
• Implementation of effective controls
• Ongoing monitoring
• Documentation of procedures, responsibilities, reporting
Program Oversight Responsibility
• Board ultimately responsible for ensuring program in place
• Who has daily oversight:
– Seems to fall in IT
– Should it be the ISO (which is usually IT)
– Should it be the risk manager
Vendor Risk Management Program Elements
• Strategic planning
• Risk Assessment
• Written Program
• Repeatable Process/Procedures
– Needs requirements
– Service provider selection and due diligence
– Contract
– Ongoing monitoring
– Continuity
Program Elements:
Strategic Planning
Strategic Planning
• Integration with overall strategic objectives
– Identify role of the relationship in conjunction with business strategy and objectives
– Identify:
• Need/purpose
• Benefits
• Costs
Program Elements:
Risk Assessment
Third Party Risk Assessment
• Identify all service providers and vendors = third party
• Identify risk
• Identify risk mitigation strategies
• Risk rating and ranking
Classification Factors
• Mission critical
• Access to sensitive or confidential information
• Information controlled by service provider
• Volume of transactions
• Concentration of $
• New activity for institution
• New provider
Types of Risks
• Reputation Risk – risk arising from negative publicity or public opinion
• Strategic Risk – risk arising from adverse business decisions or failure to implement appropriate business decisions or to make invalid assumptions
Types of Risks
• Operational Risk – loss from inadequate or failed internal processes, people, systems or an external event.
• Transactional Risk – risk arising from problems with service or product delivery
Types of Risks
• Credit Risk – risk that those necessary to the relationship are unable to meet the terms of the contractual arrangements or otherwise financially perform as agreed
• Compliance/legal Risk – risk arising from violations of laws, rules or regulations, or noncompliance with internal policies and procedures
Other Potential Risks
• Interest rate
• Liquidity
• Market
• Foreign currency translation
• Country risk
Foreign Based Providers
• Background
• Country Risk/Ability to prosecute
• Compliance Risk
– US Laws
– Embargo
– Sanctions
– OFAC
Failure To Manage/Mitigate
• Regulatory action
• Financial loss
• Reputation issues
• Legal actions
• Impact ability to establish new or continue current customer relationships
Program Element:
Written Program
Written Program
• Policy Statement
– Reason for development and implementation of the vendor management program
– Elements of the program
– Responsibilities
• Risk Management
– Description of the risk assessment process
• Selection process
– Description of the process
• Due diligence/Approval
– Description/responsibility
• Contracting
– Description of minimum contract requirements
• Oversight and monitoring
Needs Requirement
• Function or activity to be outsourced
• Purpose/need served
• Alignment with institution business objectives
• Budgeted amount
• Minimum standards and service expectations
• Minimum acceptable characteristics
• Security and control requirements
• Oversight reports
• Business continuity - strategy
• Conversion requirements/timing/support
• Training
• Contract requirement
Selection
• Due Diligence
– Financial status, audited financial statements if available
– Check references
– Legal or regulatory compliance issues
• Complaints
• Litigation
– Technology and systems architecture (specifications)
Contract Elements
• Scope of service
• Performance standards
• Security and confidentiality
• Understanding of GLBA and other applicable laws
• Controls
• Notification requirements and approval rights for any material changes to services, systems, controls (change management)
• Incident Response Plan and notification of breach
Contract Elements
• Audit
• Reports
• DRP/BCP
• Subcontracting
• Cost
• Ownership and license
• Duration
• Dispute resolution
• Limits of Liability
• Indemnification
• Regulatory compliance
• Assignment of contract
• Foreign based providers
Contract Elements
• Termination
– Types of terminations
• Normal contract expiration
• For cause
• For convenience
• For regulatory or supervisory requirements
– Ongoing Service Requirements
– Data Security and Privacy
Service Level Agreement
• Identify significant elements of service
– Processing error rates
– System up time
– System down time
– Speed of transactions
– For websites, page loading speeds
• Performance standards
– Availability and timeliness of services
– Confidentiality and integrity of data
– Change control
– Security standards compliance
– BCP
Monitoring and Oversight
• Financial statements
• Security
• Incident response
• Business continuity
• Pandemic preparedness
Types of Reports
• Patch management
• Change management
• Vulnerability assessment
• Testing
Monitoring and Oversight
• Types of Audits
– SSAE 16
– Security/Controls Audit
– Internal Audit
– AUP (Agreed Upon Procedures – Shared Assessments)
Bank Service Company Act
• FDIC supervised institutions
– Section 7(c)(2)
– Notification of Performance of Bank Services
– New servicing relationships by third parties
Supervision of Technology Service Providers
• FFIEC October 2012
– Examination program
• Examination process
• Examiner responsibilities
• Frequency
Summary
• Outsourcing does not reduce risks
• Increases the need for controls and monitoring
• Increases the oversight over third party
• Ultimately the responsibility of the Board
• Regulatory requirement to have a written program
Questions????
Thank You!!!
Susan Orr CISA, CISM, CRISC, CRP
susan@susanorrconsulting.com