The FDIC Office of Inspector General’s (OIG) deep dive into the state of vendor management has revealed widespread deficiencies including business continuity planning, vendor management, contract management, internal controls and cybersecurity. This is part two of a five-part blog series that looks at the report’s findings.
Part 2: Vendor Management
Third-party vendor management is all about managing risk. It’s an issue that regulators have been pressing for years, yet it seems that not every financial institution (FI) is getting the message.
At least that’s my interpretation of the FDIC’s Office of Inspector General’s (OIG) recent review of 48 third-party service provider contracts between 19 FIs and their vendors. The reviews focused on contract provisions related to business continuity planning (BCP) and cybersecurity incidents.
By now every FI should know that the board and management are responsible for identifying, assessing, measuring, monitoring and controlling risk. This includes third-party relationships. FI’s are just as responsible for the actions and regulatory compliance of vendors performing activities on behalf of the institution as they are for those conducted in-house. This includes having policies and procedures in place for proper vendor management.
FDIC guidance offers a framework for an effective third-party risk management process with four elements:
- Risk assessment. This phase reviews the potentials risks and benefits of outsourcing to a specific vendor and how that risk fits in with the bank’s overall risk tolerance and strategic plan. The FI should “identify performance criteria, internal controls, reporting needs, and contractual requirements that are critical to the FI's ongoing assessment and control of specific identified risks,” with particular attention to information security and customer privacy, notes the OIG summary of the FDIC’s June 2008 FIL, Guidance for Managing Third-Party Risk.
Guidance recommends a third-party vendor risk assessment matrix. This is a list of all current relationships, spelling out which are involved in critical activities and what risks those activities pose.
- Due diligence in selecting a third-party service provider. Assess the scope and effectiveness of a vendor’s operations and controls by reviewing:
- Internal controls, systems and data security, privacy protections, and audit coverage;
- Business resumption strategy and contingency plans; and
- Use of other third-party subcontractors.
It should also review all available information for insights into a vendor’s financial condition, reputation and experience.
- Contract structuring and review. Make sure the expectations and responsibilities of the institution and vendor are clearly defined in writing in the contract.
- Ongoing monitoring. Proper oversight involves monitoring the vendor’s “quality of service, risk management practices, financial condition, and applicable controls and reports.”
Are banks following the recommended guidance? Most aren’t. In the words of the OIG:
“Although results varied widely, we did not see evidence, in the form of risk assessments or contract due diligence, that most of the FDIC-supervised FIs we reviewed fully considered and assessed the potential impact and risk that TSPs and their subcontractors could have on the FI’s ability to manage its own business continuity planning and incident response and reporting operations.”
Of the 48 contracts sampled across 19 institutions:
- Less than half (42 percent) completed a vendor risk assessment that considered a vendor’s access to sensitive data and a due diligence review addressing risk management systems and performance
- Half had no documentation to demonstrate due diligence
- 7 percent only completed a risk assessment
- 11 percent only completed the due diligence portion
- 11 did nothing
The risk assessments also ranged in quality. Many used simple checklists while a few performed comprehensive reviews that analyzed all the appropriate categories of risk. For example, just 4 of the 19 FIs could document that they considered the risks of allowing subcontracting even though all but one of them permitted subcontracting in their contracts. The same is true of due diligence, with just a handful doing a deep dive into financials, compliance, business continuity planning, cybersecurity and other critical areas.
This is a serious problem. While the framework isn’t mandatory, each of these steps is a necessary building block for measuring, monitoring and mitigating risk. Remove a step and vendor management fails.
If an FI doesn’t assess the potential risks of working with a specific vendor, then the FI won’t know which areas of the relationship will require the most attention, or if the relationship is even worth pursuing. It won’t know what controls are needed to monitor the vendor or structure the contract to ensure controls are in place. Without due diligence, it won’t know what a vendor is doing to address potentials risks. Without a well-structured contract, the FI won’t have the tools to monitor and review its vendor. And without ongoing monitoring, the FI won’t know if risk is increasing, decreasing or remaining steady.
As the OIG notes in its report, while “FIs typically identified critical service providers and documented those that had access to sensitive or personally identifiable information… the contracts did not always include provisions to effectively address these risks.” (See a discussion of contracts findings here.)
It even found that some FIs “appeared to have risk management procedures that they did not follow or fully implement.”
Vendor management isn’t just an exercise. It’s a vital, ongoing process that begins with risk assessment and never lets up. Yet clearly many FIs are skipping steps, leaving gaping holes in their overall enterprise risk management (ERM).
Nvendor is a complete vendor management solution that helps manage third-party risk impacts on your organization. Our systematic approach uncovers opportunities to reduce internal costs, decrease external costs, and most importantly, to discern and alleviate your risk.
If your institution needs help with vendor management, give us a call.