Vendor Management in 3 Parts. Part 2 – Risk Assessment (or, “will they or won’t they?”)

In Part 1 I said that vendor management, just as any other risk management endeavor, consists of 3 basic phases:

  1. Identify the risk
  2. Assess the risk, and
  3. Control the risk

I also discussed why risk identification is a more difficult task today because of the “access to data” question, and also because “data” includes not just NPI, but confidential data as well.  Everyone from your technology providers to the office cleaning crew could have access to non-public or confidential data, and as a result must be included in Phase 2, the risk assessment.  The good news is that even though all vendors must be assessed, only a handful will require significant follow-up in terms of controls reviews (Phase 3).

So in this post I will discuss how the risk assessment of vendors has changed over the last few years.  Traditionally, assessing a vendor was limited to determining the extent to which the vendor had access to (and could possibly disclose) non-public customer information (NPI).  This grew out of GLBA, specifically the privacy and security elements of the legislation.  Today regulators expect a much broader assessment of third-party risk.  In addition to NPI, you must also assess vendor access to confidential information, such as HR records, Board reports, strategic plans and unaudited financials.  You should also understand how a failure of the vendor’s product might affect your ability to deliver critical products or services to your customers.  Do your critical products depend on the vendor?  If the vendor failed, how many of your services would fail too?  Additionally, how difficult (costly and time consuming) would it be to find an alternate vendor, should the need arise?

In a recent speech to a community bankers group, Thomas J. Curry (current FFIEC chairman and Comptroller of the Currency) stated:

“While they have important benefits and are in many ways an essential part of business, it can be easy for financial institutions to become overly dependent upon third parties and overly-trusting. But just because these contractors have long client lists and hard-to-duplicate expertise doesn’t mean they are infallible.”

So vendor risk assessments really come down to determining “will they or won’t they?”:

  • Will they or won’t they…disclose customer NPI?
  • Will they or won’t they…disclose confidential information?
  • Will they or won’t they…fail?
  • Will they or won’t they…meet the terms of the contract?
  • Will they or won’t they…continue to meet our strategic objectives?
  • Will they or won’t they…properly manage their third-party relationships?

Once these questions have been addressed (i.e. asked and answered) you have a good idea of the raw, or inherent, risk level.  Now you are expected to…

“…have risk management practices in place that are commensurate with that risk.”  

Asking the right “will they or won’t they” questions is the key to accurately assessing inherent risk.  The next step is to manage (i.e. control) the risk at acceptable levels.  More on that in Part 3.

Tom Hinkel
As author of the Compliance Guru website, Hinkel shares easy to digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise spans the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.

5 comments

  1. A few quick questions/comments:

    Is anyone using the Shared Assessments trusted framework? Companies evaluating their vendors on a risk assessment checklist/excel or other internal database is really passé and not effective.

    Based on cybersecurity risks stemming from third parties, is a Right to Audit clause in the contract, and is the organization’s audit budget adequate to resourcefully conduct such audits of third parties?

    1. Thanks for the comment. I was an enthusiastic supporter of the Shared Assessments Agreed Upon Procedures (AUP) for some time. I still like their standardized approach to data gathering and analysis, and I agree that the old spreadsheet model will no longer cut it. I lost a bit of my enthusiasm for them when they moved away from a focus on financial institutions by removing cross-references to the FFIEC guidance. I lost a bit more when they started charging for them. Still an excellent tool for both vendors and institutions to baseline their expectations and responses.

      The right-to-audit clause is something the FFIEC has been requiring in contracts for some time. However, you are correct…it’s not likely that an institution would exercise that right!

  2. Speaking of Right to Audit clauses, we have a very hard time getting our larger critical vendors to agree. Even those that are specifically TSPs for FIs. Smaller vendors that we have more sway over are easier to get to agree. But we’ve found the larger vendors, and I won’t give names, simply won’t comply. We document this and move on. I’ve had several conversations about this with other colleagues, but no one has a real solution.

    Thoughts?

    1. Thanks for your comment! I guess no company wants a customer poking around in their business, but the guidance (see Monitoring and Reporting section) is clear that “right-to-audit” is a best practices component of any critical outsourced relationship. Of course assurance of appropriate vendor controls can also be obtained via third-party audit reports (such as a SOC 1 or SOC 2), but the “right-to-audit” clause should still be a part of the contract. Essentially it’s you saying “we don’t have to take your word for it”, but in the end it’s your decision how you handle the vendor if they refuse to provide it. Documenting your efforts will at least prove that you tried. I have to think that more and more will allow the clause if we continue to ask for it.

      1. Thanks, Tom. Appreciate your reply.

        I agree with you, especially on that last sentence. If we all demand it in the aggregate, eventually pressure should mount.

        I just have never been comfortable with regulators expecting the clause, yet not requiring TSPs to accept them. It makes it very difficult for community banks to get the clause accepted in a contract.