Vendor risk management is an ongoing process—one that begins with due diligence before a contract is signed and continues with monitoring throughout the length of the relationship. This blog series on the Top 10 risks will help you more effectively address third-party vendor risk throughout every department in your financial institution.
People aren’t very understanding of outages—especially when that outage interferes with a customer’s ability to view or access funds.
Customers don’t want to hear that a data center across the country flooded, a cyberattack overwhelmed systems or a piece of equipment failed. They don’t care about excuses, and they definitely don’t want to hear you blame your vendor. In their eyes, it’s your fault.
Regulators feel that way too.
That’s why transaction risk is one of the 10 biggest vendor management risks facing financial institutions. Transaction risk is the risk that a third party will fail to provide products and services as expected—adversely impacting the institution or its customers. Transaction risk differs from operational risk in that it focuses on contingency planning—though the two share many overlapping areas.
Mitigating transaction risk isn’t just good business. It’s a requirement of the FFIEC IT Examination Handbook’s Business Continuity Planning booklet, including its Appendix J (Strengthening the Resilience of Outsourced Technology Services), and of other regulatory guidance. That's why a financial institution must evaluate a vendor’s business resilience controls to minimize financial loss and mitigate the adverse effects of service interruptions.
Assessing Transaction Risk
This is best accomplished by addressing the following areas with vendors:
Planning. While a vendor might not be able to fully disclose the details of its business continuity plan for security reasons, there are still plenty of ways to assess a vendor’s preparedness and potential risk, including test results.
Threat management. Vendors should conduct a periodic business impact analysis to identify and assess the likelihood and impact of threats that could interfere with their ability to meet service level agreements.
Recovery. Recovery capabilities should be assessed and monitored commensurate with the criticality of services provided.
Data protection. Data should be meticulously protected with physical and cyber security controls and protocols to prevent unauthorized access to confidential data.
Incident response. An incident response and management policy or plan should outline security breach and incident management.
Subcontractors. Vendors should conduct their own risk assessments of all major risks, including credit, liquidity, transaction and reputation risk, among others.