“A bank can outsource a task but cannot outsource the responsibility”
Anatomy of Vendor Risks at Banks:
In today’s world it has become inevitable for banks to outsource to and integrate external vendors for effective and efficient operations. The sourcing arena of banks has extended across the entire value chain, beyond core processing and information technology to accounting, appraisal management, internal audit, HR, sales and marketing, loan review, asset and wealth management, procurement, loan servicing and more. Most large banks deal with over 1,000 vendors; many have tens of thousands. Besides the large number of vendors, banks’ use of Global In-house Centers (GICs) and third-party service providers increased from very insignificant levels in the early 1990s to almost 10 times higher by the end of 2015. The historical approach to sourcing indicates that the degree of vendor involvement varies by LoB (Mortgage, Investment Banking, Credit Card, Corporate Banking, Retail Banking and Treasury Services) and further by function within each LoB; for example, for the Credit Card LoB: Origination, Servicing, Collections, Fraud, KP, Customer Care and IT.
Ensuring that outsourced activities are conducted in a safe and sound manner is the responsibility of the bank’s board of directors and senior management. The irony is that the enforcement actions and fines banks face as a result of breaches, cyber-attacks and data security failures run to billions of dollars, mounting the bank’s risk exposure. The following are a few common risks in sourcing engagements.
- Strategic risk arises from adverse business decisions, or from the failure to implement appropriate business decisions in a manner that is consistent with the organization’s strategic goals.
- Compliance risk arises when the services, products, or activities of a service provider fail to comply with applicable U.S. laws and regulations.
- Concentration risk arises when outsourced services or products are provided by a limited number of service providers or are concentrated in limited geographic locations.
- Reputational risk arises when the actions or poor performance of a service provider cause the public to form a negative opinion about a financial institution.
- Country risk arises when a financial institution engages a foreign-based service provider, exposing the institution to possible economic, social, and political conditions and events in the country where the provider is located.
- Operational risk arises when a service provider exposes a financial institution to losses due to inadequate or failed internal processes or systems, or from external events and human error.
- Legal risk arises when a service provider exposes a financial institution to legal expenses and possible lawsuits.
- Transaction risk arises from problems with service or product delivery, such as inadequate capacity, technological failure, human error, or fraud.
- Credit risk is the risk that a third party, or any other creditor necessary to the third-party relationship, is unable to meet the terms of the contractual arrangements with the organization or to otherwise financially perform as agreed. Credit risk also arises from the use of third parties that market or originate certain types of loans, solicit and refer customers/members, conduct underwriting analysis, or set up product programs for the organization.
Hence, a robust vendor risk management program and stringent oversight are deemed necessary for banks and financial institutions striving to satisfy the U.S. “Getting to Strong” regulatory mantra. Large banks are integrating comprehensive risk management into their sourcing governance, while mid-tier banks most often manage vendor risks at the transaction level. But according to the “2015 Vendor Risk Management (VRM) Benchmark Study” by the Shared Assessments Program and Protiviti, the overall VRM maturity rating of <3 on a scale of 5 is alarming, and banks should focus on advancing vendor checks and controls. Accordingly, the Office of the Comptroller of the Currency (OCC) expects more comprehensive and rigorous oversight and management of third-party relationships that involve critical activities: significant bank functions (e.g., payments, clearing, settlements, custody), significant shared services (e.g., information technology), or other activities that
- Could cause a bank to face significant risk if the third party fails to meet expectations.
- Could have significant customer impacts.
- Require significant investment in resources to implement the third-party relationship and manage the risk.
- Could have a major impact on bank operations if the bank has to find an alternate third party or if the outsourced activity has to be brought in-house.
US Regulatory Landscape:
With the pressing need to ensure appropriate vendor risk management at banks, the key regulatory bodies, the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board, the Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration (NCUA), are marching in step on the topic. Greater attention to the status and progress of VRM programs is demonstrated through consistent follow-ups by the Federal Financial Institutions Examination Council (FFIEC), the Financial Stability Oversight Council (FSOC) and the President’s Working Group on Capital Markets (PWG). Other standards and coordinating forums also bring emphasis to assessing and mitigating risks; these include ISO 27000 (International Organization for Standardization: Code of Practice for Information Security Management), COBIT (Control Objectives for Information Technology) and NIST (National Institute of Standards and Technology).
The following are the key steps for a bank to reach the “Getting to Strong” regulatory mantra by establishing robust Vendor Risk Management.
First Step is Assessment of Vendor Risks:
The popular approach to risk-assessing vendors is to evaluate the likelihood and impact of the identified vendor risk (Quantity of Inherent Risk) against the vendor controls in place (Quality of Mitigating Controls) to derive the Residual Risk rating, which determines the degree of risk with each provider.
The Quantity of Inherent Risk for a vendor is determined by evaluating the criticality, access to sensitive data, reliability, and scalability of the vendor. Vendors rated as High or Moderate should then have their respective vendor controls evaluated to determine the overall Residual Risk. The key dimensions to consider include Strategic Risk, Reputation Risk, Operational Risk, Transaction Risk, Compliance Risk and Credit Risk, as defined above.
Quality of Mitigating Controls refers to how well risks are identified, understood, and controlled. A rating of Weak, Adequate, or Strong is determined through interviews and assessment with the Organization’s managers. The following dimensions are considered in determining the Quality of Mitigating Controls:
- Responsibility: Level of Board and/or senior management involvement in overseeing the vendor management program. Training on vendor products and services. Alignment of the vendor with the Organization’s strategic goals.
- Policies and Procedures: Written policies governing the use of the vendor. Operational procedures that provide instructions for activities using the vendor’s products and services.
- Vendor Selection: Descriptions of the Organization’s expectations and due diligence efforts involved in the selection of the vendor.
- Contracts: Contract durations, termination, and assignment with vendor including use of escrow agreements, legal counsel involvement, rights and responsibilities, and service level agreements.
- Ongoing Monitoring: Monitoring policies and procedures that review the financial strength of the vendor, service level metrics, key vendor personnel, and alignment of the vendor with the Organization’s business strategy. The review of the vendor’s internal control environment.
- Information Security: The protection of confidential information through the review of the vendor’s information security environment.
Finally, the Residual Risk Rating of the vendor is determined by comparing the Quantity of Inherent Risk with the vendor controls in place (Quality of Mitigating Controls).
Second Step is Understanding the Bank’s Risk Appetite and Segmenting the Risks:
After determining the residual risk rating of vendors, the bank has to evaluate its own risk appetite, which is one of the essential concepts that must be understood and consistently applied in order to reap the strategic benefits of this emerging perspective on governance and risk management. Risk appetite is the amount and type of risk that a bank is willing to pursue or retain (ISO/IEC Guide 73:2009). Similarly, COSO’s Enterprise Risk Management Framework defines risk appetite as the “amount of risk an entity is willing to accept in pursuit of value”, clearly recognizing the opportunity dimension. The COSO framework also recognizes that risk appetite is reflective of the entity’s risk management philosophy, which in turn influences the entity’s culture and operating style.
Risk appetite is about establishing a strategic boundary between the amount of risk that a bank is willing and able to take as an integral part of its business model and profitability on one hand, and the level at which it wants to expose itself to “bad things happening” on the other, together with a set of strategic, financial and operational risk parameters and tolerances.
Regulators’ perspectives on risk include both institution-specific risk and systemic risk arising from risk concentration. Risk segmentation is therefore an important phenomenon for a bank, going in tandem with measuring risk appetite, to define VRM measures aligned with the criticality of the sourced services. By overlaying risk appetite and the vendor residual risk rating, the risk segmentation of a bank’s services typically falls into one of the following three major clusters:
- Tier I services (or vendors) are critical activities that warrant individual focus and dedicated resources to assess and manage risks, including specific actionable plans for key risk exposures.
- Tier II services are typically those activities with lesser-value exposure and operational sensitivity. These services require moderate time, attention and resources.
- Tier III services are low-risk activities, which may be managed as a group or on an exception basis only.
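The two steps above (deriving a Residual Risk rating from Quantity of Inherent Risk and Quality of Mitigating Controls, then overlaying the bank’s risk appetite to segment vendors into Tier I, II and III) are illustrated in the following worked example. It is added here and is not code from the article or from any regulator; the scoring rules, the residual-risk matrix, the tiering thresholds and the sample vendors are constructed assumptions chosen to show the mechanics.

```python
"""Worked example (added here; not the article's or any regulator's code) of the
residual-risk rating and risk-segmentation steps described above.  The scoring
rules, the residual-risk matrix and the sample vendors are constructed
assumptions for illustration."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):          # used for both inherent and residual risk
    LOW = 1
    MODERATE = 2
    HIGH = 3


class Quality(IntEnum):        # Quality of Mitigating Controls
    WEAK = 1
    ADEQUATE = 2
    STRONG = 3


# The six control dimensions listed in the article.
CONTROL_DIMENSIONS = ("responsibility", "policies_and_procedures", "vendor_selection",
                      "contracts", "ongoing_monitoring", "information_security")


@dataclass
class Vendor:
    name: str
    critical_activity: bool        # supports a significant bank function
    sensitive_data_access: bool    # handles confidential or customer data
    reliability_concerns: bool     # outages, weak financials, key-person risk
    scalability_concerns: bool     # cannot absorb the bank's growth
    controls: dict = field(default_factory=dict)   # dimension -> Quality


def inherent_risk(v: Vendor) -> Level:
    """Quantity of Inherent Risk.  Assumed rule: two or more risk flags make the
    vendor HIGH; criticality or sensitive-data access alone makes it MODERATE;
    otherwise LOW."""
    flags = sum([v.critical_activity, v.sensitive_data_access,
                 v.reliability_concerns, v.scalability_concerns])
    if flags >= 2:
        return Level.HIGH
    if v.critical_activity or v.sensitive_data_access:
        return Level.MODERATE
    return Level.LOW


def control_quality(v: Vendor) -> Quality:
    """Quality of Mitigating Controls.  Assumed rule: the overall rating is the
    weakest of the six dimensions (one Weak area, e.g. information security,
    undermines the rest); an unassessed dimension counts as Weak."""
    return min(v.controls.get(d, Quality.WEAK) for d in CONTROL_DIMENSIONS)


# Assumed residual-risk matrix: (inherent, controls) -> residual.
RESIDUAL_MATRIX = {
    (Level.HIGH, Quality.WEAK): Level.HIGH,
    (Level.HIGH, Quality.ADEQUATE): Level.HIGH,
    (Level.HIGH, Quality.STRONG): Level.MODERATE,
    (Level.MODERATE, Quality.WEAK): Level.HIGH,
    (Level.MODERATE, Quality.ADEQUATE): Level.MODERATE,
    (Level.MODERATE, Quality.STRONG): Level.LOW,
}


def residual_risk(v: Vendor) -> Level:
    """Compare inherent risk with controls.  As the article states, only High and
    Moderate inherent-risk vendors have their controls evaluated; a Low
    inherent-risk vendor keeps a Low residual rating."""
    inherent = inherent_risk(v)
    if inherent == Level.LOW:
        return Level.LOW
    return RESIDUAL_MATRIX[(inherent, control_quality(v))]


def assign_tier(v: Vendor, risk_appetite: Level) -> int:
    """Overlay the bank's risk appetite (the highest residual level it is willing
    to retain without dedicated focus).  Assumed rule: residual above appetite
    -> Tier I, equal to appetite -> Tier II, below appetite -> Tier III."""
    residual = residual_risk(v)
    if residual > risk_appetite:
        return 1
    if residual == risk_appetite:
        return 2
    return 3


def assess_portfolio(vendors, risk_appetite: Level) -> dict:
    """Return {vendor name: (inherent, residual, tier)} for a list of vendors."""
    return {v.name: (inherent_risk(v).name, residual_risk(v).name,
                     assign_tier(v, risk_appetite)) for v in vendors}


# Constructed sample vendors (not real companies).
ALL_STRONG = {d: Quality.STRONG for d in CONTROL_DIMENSIONS}
ALL_ADEQUATE = {d: Quality.ADEQUATE for d in CONTROL_DIMENSIONS}
SAMPLE_VENDORS = [
    Vendor("CoreProcessor", True, True, False, False,
           {**ALL_STRONG, "ongoing_monitoring": Quality.ADEQUATE}),
    # Moderate inherent risk, but a Weak information-security control
    # drags the residual rating up to High.
    Vendor("MarketingListBroker", False, True, False, False,
           {**ALL_ADEQUATE, "information_security": Quality.WEAK}),
    Vendor("AppraisalFirm", True, False, False, False, ALL_STRONG),
    Vendor("OfficeSupplier", False, False, False, False),   # controls never reviewed
]

if __name__ == "__main__":
    for name, (inh, res, tier) in assess_portfolio(SAMPLE_VENDORS, Level.MODERATE).items():
        print(f"{name:20s} inherent={inh:8s} residual={res:8s} tier={tier}")
```

Running the block with a Moderate risk appetite places the core processor and the list broker in Tier I, and the appraisal firm and office supplier in Tier III; lowering the appetite to Low moves the appraisal firm up to Tier II, which is the effect the overlay of risk appetite on residual risk is meant to produce.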
On an Ongoing Basis, Taking a Life Cycle Based Approach to Vendor Risk Management:
The OCC expects a bank to have risk management processes that are commensurate with the level of risk and complexity of its third-party relationships and the bank’s organizational structures. An effective third-party risk management process follows a continuous life cycle for all relationships and incorporates the following phases:
- Planning: Developing a plan to manage the relationship is often the first step in the third-party risk management process. This step is helpful in many situations but is necessary when a bank is considering contracts with third parties that involve critical activities.
- Due diligence and third-party selection: Conducting a review of a potential third party before signing a contract helps ensure that the bank selects an appropriate third party and understands and controls the risks posed by the relationship, consistent with the bank’s risk appetite.
- Contract negotiation: Developing a contract that clearly defines expectations and responsibilities of the third party helps to ensure the contract’s enforceability, limit the bank’s liability, and mitigate disputes about performance.
- Ongoing monitoring: Performing ongoing monitoring of the third-party relationship once the contract is in place is essential to the bank’s ability to manage risk of the third-party relationship.
- Termination: Developing a contingency plan to ensure that the bank can transition the activities to another third party, bring the activities in-house, or discontinue the activities when a contract expires, the terms of the contract have been satisfied, in response to contract default, or in response to changes to the bank’s or third party’s business strategy.
In addition, a bank should perform the following throughout the life cycle of the relationship as part of its risk management process:
- Oversight and accountability: Assigning clear roles and responsibilities for managing third-party relationships and integrating the bank’s third-party risk management process with its enterprise risk management framework enables continuous oversight and accountability.
- Documentation and reporting: Proper documentation and reporting facilitate oversight, accountability, monitoring, and risk management associated with third-party relationships.
- Independent reviews: Conducting periodic independent reviews of the risk management process enables management to assess whether the process aligns with the bank’s strategy and effectively manages risk posed by third-party relationships.