Planning to Fail or Failing to Plan – Strategic Risk

Vendor risk management is an ongoing process—one that begins with due diligence before a contract is signed and continues with monitoring throughout the length of the relationship. This blog series on the Top 10 risks will help you more effectively address how third-party vendor risk throughout every department in your financial institution.

#7 Strategic Risk

The future doesn’t always work out the way we think it will. You know it—and I know it.

Yet we work and struggle and try to prepare for it. We spend hours assessing industry trends and trying to figure out which way the winds will blow. We do everything thing we can to position our organizations for success, balancing short-term needs with long-term goals—but not everyone else is that careful.

Strategic risk is the possibility that a company doesn’t make decisions that support its long-term goals. Companies that aren’t managed well and make poor strategic decisions may provide sub-par products or services or even close shop. They can leave your institution in the lurch—failing to provide critical products and services.

The OCC says this can happen when:

  • risks aren’t properly assessed;
  • not enough thought and due diligence are put into new products, business lines or activities; or
  • when the company undertakes an action that’s not consistent with the company’s goals or doesn’t provide the expected return on investment. [1]

Assessing Strategic Risk

The key areas to look at when assessing strategic risk include:

  • Know the age of a company and the size of its market.
  • Understand who runs the show including senior management, board of directors and relevant committees.
  • Operational controls and audits. Ensure operational controls are monitored and addressed through internal and external audits.
  • Vendor management. FIs need vendor management programs and so do vendors. This includes third-party oversight and monitoring, and identification and resolution of information security-related risks.
  • Business continuity. There should be protocols to mitigate or prevent business interruptions and then recovery promptly.
  • Outsourcing and offshoring. Know where operations and personnel and subcontractors are located.

Notice that transaction, operational, country and cybersecurity risks are all included when assessing strategic risk. That makes it essential that any method used to conduct a strategic risk assessment should leverage these overlaps to maximize efficiency.