The FDIC Office of Inspector General’s (OIG) deep dive into the state of vendor management has revealed widespread deficiencies in areas including business continuity planning, vendor management, contract management, internal controls and cybersecurity. This is the first of a five-part blog series that looks at the report’s findings.
The only thing worse than having a critical system go down is having a critical system go down and having no idea when and in what condition it will come back up.
Many pages of regulatory guidance have been written to guard against this situation, yet a recent analysis conducted by the FDIC’s Office of Inspector General finds that just half of vendor contracts it reviewed “explicitly included business continuity provisions.”
When a financial institution (FI) outsources to a third-party vendor, it’s responsible for ensuring the vendor has a business continuity plan to promptly recover and resume operations in the event of a disruption. These plans include a business impact analysis, a risk assessment, risk management, and risk monitoring and testing, the OIG notes.
This can only be done effectively when the FI can “coordinate its risk management processes with the service provider’s operations and plans.” Unfortunately, most contracts don’t include the level of detail necessary to make this happen. In fact, nearly half don’t even require vendors to have a business continuity plan.
Even when they do require plans, they rarely include enough detail to be effective. For instance, the contracts the OIG reviewed didn’t spell out vendor responsibilities for critical areas like ongoing risk management, potential disruption events, internal and external dependencies, or how the vendor would continue to serve all of its clients in the event of a disaster. In the worst cases, vendor contracts actually limited a vendor’s responsibilities if a disaster struck.
Even if a vendor were fully prepared to deal with a disaster, FIs would have no way to prove it. An astounding 44 percent of contracts didn’t address auditing or reporting. Those FIs have no contractual controls for monitoring vendors or testing their performance, and no way of knowing whether vendors are living up to regulatory or institutional requirements. Their business continuity plans aren’t plans. They’re just hope.
Then there’s the fact that not all reports are the same. Many vendors offer to provide SOC reports, but a contract that requires SOC reports can still fall short of the mark if the vendor turns over SOC 1 reports, which focus on controls relevant to the client’s financial reporting. SOC 2 reports, which examine controls over security, availability, processing integrity, confidentiality and privacy (SOC 3 reports are the general-use summary of a SOC 2 examination), are far more valuable, but vendors are far less likely to provide them unless contractually specified. The contract should also specify which criteria must be in scope: a SOC 2 that omits availability says little about the vendor’s ability to recover from a disruption.
What is a critical system failure, and how long should it take to recover from one? That’s a question essentially left up to the vendor in 80 percent of contracts, because they don’t include performance standards. Even where performance standards are defined, there’s often no mention of how a vendor would remedy a failure, including timeframes for recovery.
Even if it weren’t a regulatory requirement, every financial institution should be aware of its critical vendors’ business continuity planning efforts. Well-written contracts define key business continuity terms, require evidence of ongoing business continuity planning and detail performance standards. It’s the only way to know your financial institution will be able to recover from unexpected disruptions.
Wondering how risk affects your ability to continue business as usual when disaster strikes? Ncontinuity is the flexible, user-focused business continuity planning (BCP) solution for your organization. With our interactive dashboard and tools, you’ll be assured of business continuity resiliency throughout your institution and in your third-party vendor relationships. Ncontinuity works with our cybersecurity, risk management and vendor management solutions, creating comprehensive risk management for your organization.