The FDIC Office of Inspector General’s (OIG) deep dive into the state of vendor management has revealed widespread deficiencies including business continuity planning, vendor management, contract management, internal controls and cybersecurity. This is part two of a five-part blog series that looks at the report’s findings.
Third-party vendor management is all about managing risk. It’s an issue that regulators have been pressing for years, yet it seems that not every financial institution (FI) is getting the message.
At least that’s my interpretation of the FDIC’s Office of Inspector General’s (OIG) recent review of 48 third-party service provider contracts between 19 FIs and their vendors. The reviews focused on contract provisions related to business continuity planning (BCP) and cybersecurity incidents.
By now every FI should know that the board and management are responsible for identifying, assessing, measuring, monitoring and controlling risk. This includes third-party relationships. FI’s are just as responsible for the actions and regulatory compliance of vendors performing activities on behalf of the institution as they are for those conducted in-house. This includes having policies and procedures in place for proper vendor management.
FDIC guidance offers a framework for an effective third-party risk management process with four elements:
Guidance recommends a third-party vendor risk assessment matrix. This is a list of all current relationships, spelling out which are involved in critical activities and what risks those activities pose.
It should also review all available information for insights into a vendor’s financial condition, reputation and experience.
Are banks following the recommended guidance? Most aren’t. In the words of the OIG:
“Although results varied widely, we did not see evidence, in the form of risk assessments or contract due diligence, that most of the FDIC-supervised FIs we reviewed fully considered and assessed the potential impact and risk that TSPs and their subcontractors could have on the FI’s ability to manage its own business continuity planning and incident response and reporting operations.”
Of the 48 contracts sampled across 19 institutions:
The risk assessments also ranged in quality. Many used simple checklists while a few performed comprehensive reviews that analyzed all the appropriate categories of risk. For example, just 4 of the 19 FIs could document that they considered the risks of allowing subcontracting even though all but one of them permitted subcontracting in their contracts. The same is true of due diligence, with just a handful doing a deep dive into financials, compliance, business continuity planning, cybersecurity and other critical areas.
This is a serious problem. While the framework isn’t mandatory, each of these steps is a necessary building block for measuring, monitoring and mitigating risk. Remove a step and vendor management fails.
If an FI doesn’t assess the potential risks of working with a specific vendor, then the FI won’t know which areas of the relationship will require the most attention, or if the relationship is even worth pursuing. It won’t know what controls are needed to monitor the vendor or structure the contract to ensure controls are in place. Without due diligence, it won’t know what a vendor is doing to address potentials risks. Without a well-structured contract, the FI won’t have the tools to monitor and review its vendor. And without ongoing monitoring, the FI won’t know if risk is increasing, decreasing or remaining steady.
As the OIG notes in its report, while “FIs typically identified critical service providers and documented those that had access to sensitive or personally identifiable information… the contracts did not always include provisions to effectively address these risks.” (See a discussion of contracts findings here.)
It even found that some FIs “appeared to have risk management procedures that they did not follow or fully implement.”
Vendor management isn’t just an exercise. It’s a vital, ongoing process that begins with risk assessment and never lets up. Yet clearly many FIs are skipping steps, leaving gaping holes in their overall enterprise risk management (ERM).
Nvendor is a complete vendor management solution that helps manage third-party risk impacts on your organization. Our systematic approach uncovers opportunities to reduce internal costs, decrease external costs, and most importantly, to discern and alleviate your risk.
If your institution needs help with vendor management, give us a call.