Post on 16-Jul-2015
Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
JOIN. ENGAGE. LEAD.
KEY CHALLENGES FACING VENDOR RISK MANAGEMENT PROGRAMS
Third-Party/Vendor Risk Management Survey Results
THE THIRD-PARTY/VENDOR RISK MANAGEMENT SURVEY
The survey was conducted between June and August 2014 by RMA, in association with MetricStream. It sought to:
1. Capture the range of practices in third-party/vendor risk management (VRM) over a cross section of RMA member institutions.
2. Gather detailed information on some of the key challenges that banks and other financial institutions are facing
SURVEY FOCUS
• Vendor management framework
• Vendor selection and monitoring process
• Critical vendors and critical activities
• Fourth-party suppliers
• Tools and techniques
• Contracts
• Reporting
• Regulatory and compliance
WHAT WE FOUND
1. For most of the responding organizations, the vendor management programs are still in their nascent stage.
2. Third party relationships have evolved beyond the traditional models of goods and service providers.
VENDOR MANAGEMENT FRAMEWORK
Some of the bigger organizations surveyed have thousands of supplier relationships to manage, which is extremely difficult without a mature vendor governance framework.
VENDOR SELECTION AND MONITORING PROCESS
Financial institutions should conduct continuous in-depth assessments of the third-party’s capability to perform the activities commensurate with the risk and complexity of the relationship.
VENDOR SELECTION AND MONITORING PROCESS (CONT.)
Each institution surveyed has multiple areas or SMEs for vendor selection and due diligence of third parties.
Key groups conducting secondary supplier risk assessments:
• Information security
• Information technology
• BCM
• Legal
CRITICAL VENDORS
• “Critical activities” include:
  • Significant bank functions.
  • Shared services, such as:
    • Internal audit
    • Information technology
OCC Guidance
CRITICAL VENDORS (CONT.)
• For most of the surveyed organizations, the number of enterprise critical suppliers ranges from 3 to 15.
• Risk and risk and spend are the primary factors when segmenting suppliers on the basis of criticality.
[Bar chart, scale 0% to 100%. Categories: conduct site visits, especially for critical vendors; have defined, or are in the process of defining, the critical activities in their institution. Values shown: 73%, 97%.]
FOURTH PARTY SUPPLIERS
[Bar chart, % of respondents, scale 0 to 70. Categories: done when the primary supplier notifies them of a new material fourth party; perform due diligence at time of sourcing/contracting the 3rd party; 4th party suppliers identified at RFP stage; no due diligence on 4th parties. Values shown: 13%, 20%, 50%, 67%.]
TOOLS AND TECHNIQUES
Organizations need to gain a clearer understanding of their third party’s business processes and technologies that will be used to support the outsourced activity.
CONTRACTS
After your bank selects a third party, your bank should negotiate a contract that clearly defines the rights and responsibilities of the parties involved. The majority of our survey participants use contracts.
• 20% use standard contracts
• 37% use standard contracts “with exceptions”
• 57% of surveyed institutions use contracts
REPORTING
Survey Responses
REPORTING (CONT.)
Monitor third parties continuously to ensure that they comply with all applicable laws and regulations, and operate in line with the bank’s policies and expectations.
REGULATORY AND COMPLIANCE
72% of the institutions surveyed conduct annual validation of regulatory compliance and effectiveness of the vendor risk management framework.
REGULATORY AND COMPLIANCE (CONT.)
Based on the most recent regulatory examination.
CONCLUSIONS
The survey offered a good indication of the preparedness of financial institutions to manage the current challenges, risks, and complexities related to vendor risk management.
Companies must keep pace with the new sanctions, frequent regulatory changes, increasing complexity, and a diverse and multi-tiered vendor network.
CONCLUSIONS (CONT.)
Organizations need to manage newer risks arising from emerging technologies and trends, such as increasing mobility and the use of social media.
Some of the leading organizations understand the value of integrating their vendor information with their overall business processes, products, and services.
LEARN MORE
Read about RMA’s Third-Party/Vendor Risk Management Survey here: http://www.rmahq.org/tools-publications/surveys-studies/third-party-vendor-risk-management-survey
Visit http://www.rmahq.org for information on risk management.
Visit our blog at http://rmablog.rmahq.org/
RMA is a member-driven professional association whose sole purpose is to advance sound risk principles in the financial services industry.
RMA helps its members use sound risk principles to improve institutional performance and financial stability, and enhance the risk competency of individuals through information, education, peer sharing, and networking.
Become a member today.