First of a two-part series on third-party risk.
Activities can be outsourced, liabilities can’t.
Financial firms may understand the legal distinction, but when it comes to managing the risk involved with using external technology providers, they are too often falling asleep at the wheel, warn operations and IT experts. The reason: there are simply too many vendors involved and a chaotic mess of disparate internal guidelines and technology.
There is plenty of pressure on banks and fund managers to get their houses in order in terms of vendor oversight. If the prospect of massive unforeseen clean-up expenses isn’t enough to drive change, the potential for reputational risk and regulatory actions might be the clinchers. In 2013 the Office of the Comptroller of the Currency and Federal Reserve set requirements for how banks should monitor their external technology vendors. Last year, the Securities and Exchange Commission warned it would be expecting fund management firms to prove they have mitigated their cybersecurity risk. Since critical firm and customer data is typically held by external parties outside the four walls of buy-side firms, it stands to reason that those third-party providers will have to be the target of greater scrutiny.
“Operational, reputational and financial risk are just a few of the risks involved,” explains Shahryar Shaghaghi, a partner in the CIO advisory practice of global consultancy Kurt Salmon in New York. Bottom line: savvy financial firms doing business with external IT providers should brace themselves to handle a wide range of glitches ranging from the commonplace data hacking to an unforeseen natural disaster and even a change in corporate structure or potential bankruptcy.
How are financial firms faring in monitoring their partners? While the financial industry is considered the frontrunner in vendor risk management compared to other business sectors, it doesn’t mean that banks and fund managers are tooled up to meet the regulatory requirements. A study of 36 financial firms just released by global consultancy Ernst & Young found that only 11 percent of external vendors are subject to risk monitoring, while only 36 percent of respondents increased the number of suppliers subject to monitoring. Despite claiming vendor risk management is a top priority, less than 15 percent of chief information officers will leverage data analytics and business intelligence to manage it, predicts Christopher Ambrose, vice president of research and specialist in vendor management at Stamford, Conn.-based Gartner Group.
Those numbers may reflect one of the thorniest problems in bringing vendor risk management up to full speed — constraints on funding and resources — according to three procurement managers at US fund management shops and broker-dealers contacted by FinOps Report. “Given our limited budgets and technology constraints, we are refining our procedures to accomplish what is manageable,” says one at a US asset management firm.
Internal Chaos
Just what is “manageable” under these circumstances? In firms without centralized vendor risk management departments, the most urgent task may be shaking out the variety of opinions and established processes that don’t necessarily add up to a coherent corporate policy and procedure that will serve as a firmwide template, suggests Sean Cronin, vice president at Concord, Mass.-based ProcessUnity, which offers vendor risk management software. In monitoring multiple vendors or disparate lines of business, the differences may include how potential glitches are defined, who is contacted in the event of concerns, and the criteria for pulling the plug on a vendor relationship gone sour.
What is needed at the most basic level, consultants and practitioners alike tell FinOps, is a three-pronged approach in the form of an air-tight service level agreement (SLA), a solid workflow process to verify that the vendor’s work meets requirements, and an escalation plan in the event something goes wrong. Of course, it can’t hurt to have a contingency plan in mind for a worst-case scenario.
SLAs are written by legal, compliance and external counsel as a means of setting expectations for the external provider. Input is also provided by the business line using the vendor — typically either a trading desk, a middle-office reconciliations or other department, or a back-office clearance and settlement unit — as to what they want the IT vendor to accomplish.
Obviously the vendor must actually be capable of meeting the terms of their SLAs, and Cronin recommends that financial firms perform extensive due-diligence. Asking for five-year financial statements, vendor policies surrounding information security and business continuity, and procedures to manage fourth-party risk are just the tip of the iceberg in the panoply of questions posed. Of course, financial firms need to do their own checking from news sources and other information providers to understand the vendor’s competitive landscape, financial outlook and other factors which could warn of future glitches or disasters.
When it comes to monitoring how well the vendors are faring after contracts are signed, no one recommends a one-size-fits-all approach, because it would be unnecessarily costly and time-consuming. “The frequency and intensity of how vendors are monitored should be risk-driven based on the type of risk, the likelihood of its occurrence and its impact to the firm,” explains Ambrose. “If the risk is due to the business criticality of a supplier, and one where the cost to switch is high or the availability of alternative sources is low, the real risk is the impact of business disruption.”
When data security is the issue, Ambrose recommends classifying vendors based on the importance of the data involved. The highest tier of data might be data that’s the “secret sauce” of a firm such as formulas and intellectual property. Confidential customer and employee data could take the second tier, with sales forecasts in the third tier. Publicly available data would fall all the way down to the fourth tier.
Lots of Cooks
Just who should monitor the vendor depends on the size of the financial firm, its budget and oversight philosophy. The largest banks and broker-dealers might have centralized procurement departments that handle all vendor relationships working with dedicated vendor risk management departments or even enterprise risk management departments. Such procurement departments will likely have content experts familiar with the type of vendor and contracts involved.
That’s not often the case with fund management teams or mid-tier banks and broker-dealers, which depend far more heavily on the end-users to monitor vendor performance, says Shaghaghi. In fact, vendor oversight could involve multiple parties, each with their own skin in the game, in ad hoc oversight committees. In addition to the procurement department, the front-, middle- and back-office end users could become involved, as well as the IT department, and last but not least the head of data security, who is already preparing for regulatory audits on cybersecurity.
“Procurement will often perform financial due diligence, information security will look at security controls, certifications and data privacy while the legal department may review contract clauses and sources for information on pending litigation or the probability of mergers and acquisitions,” explains Ambrose. To neutralize the potential for conflicting interests to wreak havoc on the monitoring process, he suggests that all of the stakeholders should fall under a single oversight and governance body that looks across all risk areas to ensure consistent policies and methodology.
Such a methodology should include objectives and policies for the firm to follow, specific procedures which the vendor must follow, periodic testing of those policies and procedures, independent third party audits, and on-site control assessments. Vendor self-assessments alone won’t be enough.
Since so many units might be involved in a rather complex process, how can they ensure they are on the same page? Phone conversations won’t cut it and neither will emails. “Unfortunately, far too often financial firms rely on ad hoc proprietary means to communicate amongst departments with no documentation on who decided what and when,” says Cronin.
Indeed, E&Y’s study shows that 47 percent of respondents still use spreadsheets to track any problems with their vendors. Even those which rely on software are likely to use different software packages for different functions of vendor risk management such as contract inventory, supplier inventory, online control assessment, issue management, risk acceptance and documentation. Even worse, each business line might be using different software packages.
“Given that the issue of vendor risk management is such a relatively new one, the technology involved is all over the board in terms of functionality and use,” says Chris Ritterbush, executive director of financial services at Ernst & Young. Manual intervention or a plug-in might be involved in linking any vendor risk management system into a broader risk reporting system or an issue management system.
In some cases, enterprise-wide risk management specialists or operational risk specialists never find out about a potential problem with a vendor until months after the problem has surfaced, if at all. Sometimes the board of directors doesn’t find out either, increasing the potential for embarrassment for the firm. E&Y’s study showed that 74 percent of firms gave senior management reports on suppliers with breaches or incidents, but only 40 percent had a process for providing such information to the board of directors. While 37 percent of respondents told senior management when vendors were terminated, only nine percent told their boards.
Depending on just how much risk a vendor presents, how severe the vendor’s shortcoming is and the potential financial cost to the firm if something goes wrong, it stands to reason that divorce is a distinct possibility. Of course, a split shouldn’t be taken lightly, say IT and operations experts. Legal, compliance and finance departments will need to be consulted as to the possible speed, cost and risk of the changeover.
A better idea? Rather than thinking the marriage will last forever — or at least for the entire duration of the contract — financial firms should operate on the “better safe than sorry” motto and have a replacement waiting in the wings. Such a scenario would certainly go a long way toward avoiding service disruption and disgruntled end customers, says Ritterbush.
“Nothing lasts forever these days and certainly not a vendor contract,” one US fund management compliance manager tells FinOps. “We try to anticipate problems before they arrive. The worst thing isn’t a vendor failing to perform; the worst thing is us not having a back-up plan.”
His advice: plan to succeed and plan to fail at the same time.