Operational Risk – Foreseeing the Unforeseen Costs of Outsourcing

Vendor risk management is an ongoing process—one that begins with due diligence before a contract is signed and continues with monitoring throughout the length of the relationship. This blog series on the Top 10 risks will help you more effectively address third-party vendor risk throughout every department in your financial institution.

#9 – Operational Risk

Sometimes it seems like nothing in life is simple. Even activities meant to streamline operations and improve efficiency and offerings—like outsourcing products and services to a third-party vendor—can be complicated and involve risk to the bottom line.

That’s why operational risk is one of the top 10 vendor management risks facing financial institutions. Operational risk is the risk of financial loss when processes, people or systems fail. Sometimes it’s the result of external events like a power outage, fire or flood. Other times it’s the vendor’s own internal issue, such as fraud, a hardware or software failure or an accounting error.

Operational risk can hurt a financial institution in many ways—from failed controls that cause a vendor to violate laws or regulations to poor management oversight. In fact, operational risk is the most encompassing vendor management risk—overlapping with every other form of risk on the top 10 list.

While it’s impossible to guarantee that processes, people and systems are perfect, there are steps FIs can take to mitigate these risks. The key is ensuring that vendors carefully and consistently follow suitable and effective internal controls.

These areas include:

Data privacy. Governing access to electronic data and systems containing confidential client data is essential.

Threat assessment. There should be procedures to identify, assess and mitigate reasonably foreseeable internal and external threats.

Governance. Both the board and management should play a role in oversight.

User access. Policies and procedures should be in place to limit system access and eliminate non-active users or those who violate policies.

Employee evaluations and training. Personnel should undergo background checks and regular reviews and training.

Monitoring. Systems should be monitored with controls to detect attempted and unauthorized intrusions into customer information systems.

Incident response. There should be a plan of action when unauthorized access to information systems or facilities is suspected or detected.

Data security. Measures should protect confidential customer information and systems from destruction, loss, or damage due to environmental hazards, failures or disasters.

Data processing and transactions. Policies and controls should ensure that processing and data transmissions are complete and accurate.

Subcontractor oversight. Due diligence, monitoring and oversight of critical third-party vendors are necessary.

It’s a large task but entirely manageable with the right systems in place to leverage the work of other risk assessments.