Virtual Vendors' (Managing Fourth Party Risk)


TRANSCRIPT

Page 1: Virtual Vendors' (Managing Fourth Party Risk)

Third Party Risk Management for Banks New York City, NY May 13-14, 2014

Virtual Vendors; Cloudy Compliance

A discussion of the changing dynamics and challenges of third-party risk management in a virtualized, cloud-driven solution space…

Lee Beachy, SVP, Risk Management Team, Bank of New Hampshire

© 2014 L. Beachy

Page 2: Virtual Vendors' (Managing Fourth Party Risk)


The man asks a troubling question.

“Are we changing as fast as the world around us?”


Page 3: Virtual Vendors' (Managing Fourth Party Risk)


Page 4: Virtual Vendors' (Managing Fourth Party Risk)


Regulatory Perspectives on TPR

• ‘Guidance’ vs regulation
• Material ‘TPR’ in strategic plan
• Awareness of ‘criticality’
• Standards for TPR / contracts
• Clear ‘onboarding’ by risk or compliance function
• Scope of contractual provisions
• Compliance across TP boundaries

FDIC: ‘Us Too!’

• Explicit TP contract authority?
• Deeper CMS assessments? (for complaints, BSA, KYC, etc.)
• BSA focus on TP payment services
• More focus on exit strategies?
• Document, document, document!

Page 5: Virtual Vendors' (Managing Fourth Party Risk)


Diagram labels: Vendor A, Vendor B, Vendor C, Vendor D, Vendor E

Page 6: Virtual Vendors' (Managing Fourth Party Risk)


Key Drivers

• Virtualization = Abstraction: it works for you, and it also works for them.
• The ‘cloud economy’
• Drift / expansion in the solutions market
• Broader maturity spectrums: from ‘newbies’ to ‘proven providers’
• New frontiers (for malicious actors): from perimeter to procurement

Page 7: Virtual Vendors' (Managing Fourth Party Risk)


Amalgamation can hide risk

Diagram labels: Contract (‘Your Solution’), Sales, Admin, Production Management, Risk, Audit, Operations, Daily QC

Page 8: Virtual Vendors' (Managing Fourth Party Risk)


Risk (across organizational lines)

Diagram labels: Contract (‘Your Solution’), Production, Operations

Page 9: Virtual Vendors' (Managing Fourth Party Risk)


What has changed?

We have been used to: Solution Provider (highly integrated)

We should be expecting: Provider, IaaS, Support

Example only: reality may present far more parties than three!

Page 10: Virtual Vendors' (Managing Fourth Party Risk)


Dancing with Elephants…


Page 11: Virtual Vendors' (Managing Fourth Party Risk)


Two Approaches

• A cascade model
• An integration model

Diagram labels (cascade model): Prime, Vendor, Sub A, Sub B, Sub-Sub E, Sub-Sub G, Sub-Sub J

Page 12: Virtual Vendors' (Managing Fourth Party Risk)


What else gets outsourced?

• Audit?
• Enterprise risk management?
• Compliance?
• Other management skill sets? Supply chain knowledge; business workflow analytics

Page 13: Virtual Vendors' (Managing Fourth Party Risk)


Concentration in Supply Chains


“This surprising cause and effect taught multinational organizations some hard lessons about supply chain sensitivity, and caused some to rethink their procurement interdependencies from a risk perspective as well as a cost calculation.”
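The cascade model (page 11) and supply-chain concentration (page 13) can be checked mechanically once a bank records who its providers rely on. The following is an added example, not material from the presentation: it walks a constructed cascade of hypothetical vendor names, reports fourth-and-later parties shared by two or more direct providers (the concentration question behind "Who uses OpenSSL?"), and lists indirect parties that no direct provider has attested to.

```python
from collections import defaultdict, deque

# Constructed sample supply chain (hypothetical names, not real vendors):
# each key is a party, each value the subcontractors it relies on.
SUPPLY_CHAIN = {
    "Vendor A": ["Sub A", "Sub B"],
    "Vendor B": ["Sub C"],
    "Vendor C": ["Sub B", "Sub D"],
    "Sub A": ["Sub-Sub E", "Sub-Sub G"],
    "Sub B": ["Sub-Sub J"],
    "Sub C": ["Sub-Sub J"],
    "Sub D": ["Sub-Sub E"],
}


def cascade(chain, prime):
    """Return {party: tier} for everything reachable from one direct provider.
    Tier 3 is the provider itself, 4 its subs, 5 their subs, and so on."""
    tiers = {prime: 3}
    queue = deque([prime])
    while queue:
        node = queue.popleft()
        for sub in chain.get(node, []):
            if sub not in tiers:  # also protects against cycles in the data
                tiers[sub] = tiers[node] + 1
                queue.append(sub)
    return tiers


def concentration(chain, primes):
    """Indirect parties on which two or more direct providers depend,
    mapped to the sorted list of those providers."""
    reliant = defaultdict(set)
    for prime in primes:
        for party, tier in cascade(chain, prime).items():
            if tier > 3:
                reliant[party].add(prime)
    return {p: sorted(v) for p, v in reliant.items() if len(v) >= 2}


def unattested(chain, primes, attested):
    """Indirect parties that no direct provider has attested to; `attested`
    maps a provider to the subs it takes responsibility for (hypothetical)."""
    covered = {s for prime in primes for s in attested.get(prime, [])}
    indirect = set()
    for prime in primes:
        indirect |= {p for p, t in cascade(chain, prime).items() if t > 3}
    return sorted(indirect - covered)
```

A shared party that appears under most of a bank's critical providers is a single point of failure regardless of how well each provider scores individually, and an unattested party is one the bank must diligence directly or accept as a blind spot.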

Page 14: Virtual Vendors' (Managing Fourth Party Risk)


Lessons? *

• Visibility: being able to track and monitor supply chain events and patterns as (or before) they happen. Catch supply chain issues before they develop into problems.
• Flexibility: being able to promptly adapt to problems without significantly increasing operational costs.
• Collaboration: being able to work effectively with supply chain partners (through symbiotic, trust-based relationships) in order to avoid disruptions and achieve common goals.
• Control: having clear policies, monitoring and control mechanisms to help ensure that proper procedures and processes are actually followed.

* Kelly Marchese, Siva Paramasivam and Michael Held, Deloitte Consulting in Industry Week; Mar 9, 2012.

Page 15: Virtual Vendors' (Managing Fourth Party Risk)


The Transparency Spectrum

• Audit: For the really essential stuff — make sure that it is an independent third party who is producing the control review and compliance documents.
• Attestation: Make the proof of performance‡ a part of their deliverables! SLAs and service metrics belong on a provider's side of the deal.
• Agreement Language: Think carefully, realistically, and theoretically about the recursive third-party factors before you sign!!
• Assertion: Take great notes during the sales or renewal cycle. If they said it or promised it, then it needs to get into their contract!

‡ including trans-organizational performance!

Page 16: Virtual Vendors' (Managing Fourth Party Risk)


Understanding Roles

• What is essential to your success?
• What must you control and document?
• What KPIs do you have to have?

OK. Now WHO exactly does this stuff?

Page 17: Virtual Vendors' (Managing Fourth Party Risk)


The alternative? It is funny — unless it happens to you!

Example: Who uses OpenSSL?


Page 18: Virtual Vendors' (Managing Fourth Party Risk)


Questions & Assessments: Set the stage:

“Cloud solutions are changing the structure of both technology and business relationships. This tool is designed to collect information regarding the total service solution that the bank is considering – including any strategic partnerships that are material to your service operations and the bank’s risk considerations. If your organization does not attest to and assume responsibility for these partnerships (for example, co-location services, IaaS vendors, or third-party security teams), the bank may seek to obtain due diligence documentation from them directly in order to fully evaluate the suitability of the proposed solution.”


Page 19: Virtual Vendors' (Managing Fourth Party Risk)


Questions & Assessments: Ask for specifics:

Page 20: Virtual Vendors' (Managing Fourth Party Risk)


Questions & Assessments: Drill into the details:

• Describe your risk management program as it may apply to third-party organizations (supply-chain / procurement risks). Please address both initial assessments as well as on-going risk monitoring by your organization’s management team.
• Do the representations and statements in this document address only your organization, or are you also attesting to the operations and service obligations of the third parties (above) with which you have contracted services?
• Does the solution provided include functions involving consumer or account information that would support the detection of identity theft? If so, please include a summary of your ‘Red Flags’ identity theft program.
• If the solution involves direct BNH customer interaction (such as ‘customer comments or feedback’), please describe the procedure and policy for handling same. How will these communications be passed along to BNH?
• How does your organizational policy for data retention integrate with that of your customers? How is this implemented and communicated as a part of a customer implementation project?

Page 21: Virtual Vendors' (Managing Fourth Party Risk)


Don’t Ignore In-House Risks

• Managing an operating function versus service provider management: what risks increase? What ones decrease?
• Keep critical functions from becoming assumed ‘utility’ functions!
• Indirect management may decompose management decision-making.

Page 22: Virtual Vendors' (Managing Fourth Party Risk)

Lee Beachy, SVP, Risk Management Group, Bank of New Hampshire
[email protected]
www.linkedin.com/in/lelandbeachy
@_ljb_