Virtual vendors (managing fourth party risk)
Third Party Risk Management for Banks New York City, NY May 13-14, 2014
Virtual Vendors; Cloudy Compliance
A discussion of the changing dynamics and challenges of third-party risk management in a virtualized, cloud-driven solution space…
Lee Beachy
SVP, Risk Management Team
Bank of New Hampshire
© 2014 L. Beachy04/10/2023 1
The man asks a troubling question.
“Are we changing as fast as the world around us?”
Regulatory Perspectives on TPR
• ‘Guidance’ vs regulation
• Material ‘TPR’ in strategic plan
• Awareness of ‘criticality’
• Standards for TPR / contracts
• Clear ‘onboarding’ by risk or compliance function
• Scope of contractual provisions
• Compliance across TP boundaries
FDIC ‘Us Too!’
• Explicit TP contract authority?
• Deeper CMS assessments? (for complaints, BSA, KYC, etc.)
• BSA focus on TP payment services
• More focus on exit strategies?
• Document, document, document!
Vendor A
Vendor B
Vendor C
Vendor D
Vendor E
Key Drivers
• Virtualization = Abstraction
  • It works for you, and it also works for them.
• The ‘cloud economy’
• Drift / expansion in the solutions market
• Broader maturity spectrums
  • From ‘newbies’ to ‘proven providers’
• New Frontiers (for malicious actors)
  • (from perimeter to procurement)
Amalgamation can hide risk
Contract (‘Your Solution’)
Sales
Admin
Production Management
Risk
Audit
Operations
Daily QC
Risk (across organizational lines)
Contract (‘Your Solution’)
Production
Operations
What has changed?
Solution Provider (Highly integrated)
Provider IaaS Support
We have been used to:
We should be expecting:
Example only: reality may present far more parties than three!
Dancing with Elephants…
Two Approaches
• A cascade model
• An integration model
Vendor
Sub A
Sub-Sub E
Sub-Sub G
Sub B
Sub-Sub J
• Prime
What else gets outsourced?
• Audit?
• Enterprise risk management?
• Compliance?
• Other management skill sets?
  • Supply chain knowledge
  • Business workflow analytics
Concentration in Supply Chains
“This surprising cause and effect taught multinational organizations some hard lessons about supply chain sensitivity, and caused some to rethink their procurement interdependencies from risk perspective as well as a cost calculation.”
Lessons? *
• Visibility: being able to track and monitor supply chain events and patterns as (or before) they happen. Catch supply chain issues before they develop into problems.
• Flexibility: being able to promptly adapt to problems without significantly increasing operational costs.
• Collaboration: being able to work effectively with supply chain partners (through symbiotic, trust-based relationships) in order to avoid disruptions and achieve common goals.
• Control: having clear policies, monitoring and control mechanisms to help ensure that proper procedures and processes are actually followed.
* Kelly Marchese, Siva Paramasivam and Michael Held, Deloitte Consulting in Industry Week; Mar 9, 2012.
The Transparency Spectrum
• Audit: For the really essential stuff — make sure that it is an independent third-party who is producing the control review and compliance documents.
• Attestation: Make the proof of performance‡ a part of their deliverables! SLAs and service metrics belong on a provider's side of the deal.
• Agreement Language: Think carefully, realistically, and theoretically about the recursive third-party factors before you sign!!
• Assertion: Take great notes during the sales or renewal cycle. If they said it or promised it then it needs to get into their contract!
‡ including trans-organizational performance!
Understanding Roles
What is essential to your success?
What must you control and document?
What KPIs do you have to have?
OK. Now WHO exactly does this stuff?
The alternative?
It is funny — unless it happens to you!
Example: Who uses OpenSSL?
Questions & Assessments
Set the stage:
“Cloud solutions are changing the structure of both technology and business relationships. This tool is designed to collect information regarding the total service solution that the bank is considering – including any strategic partnerships that are material to your service operations and the bank’s risk considerations. If your organization does not attest to and assume responsibility for these partnerships (for example, co-location services, IaaS vendors, or third-party security teams), the bank may seek to obtain due diligence documentation from them directly in order to fully evaluate the suitability of the proposed solution.”
Questions & Assessments
Ask for specifics:
Questions & Assessments
Drill into the details:
Describe your risk management program as it may apply to third-party organizations (supply-chain / procurement risks). Please address both initial assessments as well as on-going risk monitoring by your organization’s management team.
Do the representations and statements in this document address only your organization or are you also attesting to the operations and service obligations of the third-parties (above) with which you have contracted services?
Does the solution provided include functions involving consumer or account information that would support the detection of identity theft? If so, please include a summary of your ‘Red Flags’ identity theft program.
If the solution involves direct BNH customer interaction (such as ‘customer comments or feedback’), please describe the procedure and policy for handling same. How will these communications be passed along to BNH?
How does your organizational policy for data retention integrate to that of your customers? How is this implemented and communicated as a part of a customer implementation project?
Don’t Ignore In-House Risks
• Managing operating function versus service provider management.
• What risks increase? What ones decrease?
• Keep critical functions from becoming assumed ‘utility’ functions!
• Indirect management may decompose management decision-making.
Lee Beachy
SVP, Risk Management Group
Bank of New [email protected]
www.linkedin.com/in/lelandbeachy
@_ljb_