In Part 1 I said that vendor management, just as any other risk management endeavor, consists of 3 basic phases:
- Identify the risk
- Assess the risk, and
- Control the risk
I also discussed why risk identification is a more difficult task today because of the “access to data” question, and also because “data” includes not just NPI, but confidential data as well. Everyone from your technology providers to the office cleaning crew could have access to non-public or confidential data, and as a result must be included in Phase 2, the risk assessment. The good news is that even though all vendors must be assessed, only a handful will require significant follow-up in terms of controls reviews (Phase 3).
So in this post I will discuss how the risk assessment of vendors has changed over the last few years. Traditionally, assessing a vendor was limited to determining the extent to which the vendor had access to (and could possibly disclose) non-public customer information (NPI). This grew out of GLBA, specifically the privacy and security elements of the legislation. Today regulators expect a much broader assessment of third-party risk. In addition to NPI, you must also assess vendor access to confidential information, such as HR records, Board reports, strategic plans and unaudited financials. You should also understand how a failure of the vendor’s product might affect your ability to deliver critical products or services to your customers. Does the vendor’s product have interdependencies with your critical products? If the vendor failed, how many of your services would fail too? Additionally, how difficult (costly and time-consuming) would it be to find an alternate vendor, should the need arise?
In a recent speech to a community bankers group, Thomas J. Curry (current FFIEC chairman and Comptroller of the Currency) stated:
“While they have important benefits and are in many ways an essential part of business, it can be easy for financial institutions to become overly dependent upon third parties and overly-trusting. But just because these contractors have long client lists and hard-to-duplicate expertise doesn’t mean they are infallible.”
So vendor risk assessments really come down to determining “will they or won’t they?”:
- Will they or won’t they…disclose customer NPI?
- Will they or won’t they…disclose confidential information?
- Will they or won’t they…fail?
- Will they or won’t they…meet the terms of the contract?
- Will they or won’t they…continue to meet our strategic objectives?
- Will they or won’t they…properly manage their third-party relationships?
Once these questions have been addressed (i.e. asked and answered) you have a good idea of the raw, or inherent, risk level. Now you are expected to…
“…have risk management practices in place that are commensurate with that risk.”
Asking the right “will they or won’t they” questions is the key to accurately assessing inherent risk. The next step is to manage (i.e. control) the risk at acceptable levels. More on that in Part 3.