Outsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP

Transcription

1 Outsourced Third Party Relationship Management/ Vendor Management TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP 1

2 Risk Management Guidance 2

3 3

4 Appendix J: 4 - Key Elements Third Party Management Third Party Capacity Testing with Third Party TSPs Cyber Resilience

5 Risk Management Program 5

6 Life Cycle 6

7 Risk management process through out the life cycle of relationship includes: Plan outlining bank s strategy, inherent risks; how select, assess, and oversee 3rd parties. Proper selection due diligence Contracts outlining roles and responsibilities Ongoing monitoring of activities and performance Termination contingency plans Roles/responsibilities for overseeing the relationship and risk management process Documentation and reporting - oversight, accountability, monitoring, risk management Management reviews to ensure alignment with strategic goals and objectives of the bank 7

8 More comprehensive and rigorous oversight and management of relationships that involve critical activities such as: Significant bank functions (payments, clearing, settlements) Significant shared services (information technology) Activities that create significant risk if 3rd party fails to meet expectations, Could have significant customer impact Require significant investment in resources to implement and manage the 3rd party Could have major impact on operations if have to find alternate 3rd party or bring in-house 8

9 Oversight and Accountability Board Senior Management Employees managing relationships 9

10 Board and Sr. Mgmt Board Establish and approve policies governing use. Establish risk management program Senior Mgmt Ensure policies execution Oversee development and implementation of program Report to Board 10

11 A bank s board of directors is required to remain vigilant to the hazards posed by outsourcing functions to third parties, or else risk significant financial and reputational harm to its institution. - OCC and CFPB 11

12 FDIC FIL : An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships and identifying and controlling the risks arising from such relationships to the same extent as if the activity were handled within the institution. 12

13 Committee Not a regulatory requirement but a good practice. 13

14 Committee End user management Compliance officer Risk officer Technology officer Audit - liaison Legal - liaison 14

15 Planning Discuss inherent risks Outline strategic purposes Assess complexity Cost vs. benefit Affect on strategic initiative Impact to dual employees Customer interaction Security Contingency plans Laws and regulations Selection aligns with bank policies and practices Detail selection, assessment, and oversight of compliance with contract Presented and approved by BOD 15

16 Strategic Planning Integration with overall strategic objectives Identify the role of the relationship in conjunction with the business strategy and objectives Identify Need/purpose Benefits Costs Legal issues 16

17 Risk Assessment Identify all third party relationships Identify the risk Identify risk mitigations strategies Risk rate and rank 17

18 HR/ Payroll processor Operations (wires, ACH, ATM Core) IT Trust Cash Management Enterprise-wide Law Firms Marketing Accounting Lending Facilities/ Security Company 18

19 Classification Factors Mission critical Access to NPI Information controlled by the third party Volume of transactions Concentration of $ New activity New relationship Market products or services High risk activities Cloud computing Subcontracting/Foreign based contractors Foreign based company 19

20 Types of Risk Reputation - risk arising from negative publicity or public opinion. Strategic - risk arising from adverse business decisions or failure to implement appropriate business decisions or to make invalid assumptions. Transactional - risk arising from problems with service or product delivery 20

21 Types of Risk Operation - risk from inadequate or failed internal processes, people, systems, or an external event. Credit - risk that those necessary to the relationship are unable to meet the terms of the contractual arrangement or perform as agreed financially. 21

22 Types of Risk Compliance/legal - risk arising from violations of law, rules, regulations or noncompliance with internal policies and procedures. Concentration - arises when outsourced services or products are provided by a limited number of providers or are concentrated in limited geographic locations. 22

23 Potential Risk Interest rate Liquidity Market Foreign currency translation Country risk Pricing 23

24 Foreign Based Background Country risk/ability to prosecute Compliance risk US Laws Embargo Sanctions OFAC 24

25 Specific Risk with Technology Reliability Security Scalability Compatibility 25

26 Failure to Manage/Mitigate Regulatory action Financial loss Reputation issues Legal actions Impact ability to establish new or continue current customer relationships 26

27 Written Program Elements Overview of program Responsibilities Risk management process Needs assessment Due diligence and selection Contracting Oversight and Monitoring How monitor/manage problems with 3rd party How monitor performance with SLA Termination Contingency Approval process 27

28 Needs Assessment Function/activity Purpose/need served Alignment with strategic plan Budgeted amount Minimum standards/ expectations Minimum acceptable characteristics Security/control Oversight reports BCP Conversion/Training Contract requirements 28

29 Due Diligence/Selection Conduct on all potential 3rd parties prior to selection Don t rely solely on prior knowledge or experience Should be commensurate with level of risk and complexity of relationship onsite visits may be useful for full understanding of operations and capacity Broaden scope as necessary 29

30 Due Diligence/Selection Financial status Strategies and goals References Legal/regulatory compliance issues Resilience: BCP/Pandemic preparedness/incident Response Risk management/information security Qualifications, background, reputation of principals Employee background checks Insurance coverage Experience and reputation 30

31 Due Diligence/Selection Internal controls Facilities management Training Security of systems Privacy/confidentiality Maintenance and retention of records Use of subcontractors Physical security Systems development Technology/system specs Service support/delivery Resource management Fee Structure Conflicting contract arrangement with others 31

32 Business Resiliency Ensure third party service provider has a third party risk management program Third Party Service Provider s ability: To provide critical services to all its clients Meet stated RTOs and RPOs 32

33 Lack of resilience/failure of TSP Financial Institution clients take over operations Convert New TSP takes over existing operations Bring in-house 33

34 Financial Performance and Condition Most recent financials Sustainability FI relationship on SP financial condition SP commitment to contracted services SP review of financial condition of any subcontractor Other current issues SP may be facing that may affect future financial performance Insurance coverage 34

35 Contract Elements Scope of service Performance Standards/ Benchmarks Security/Confidentiality GLBA/Confidentiality Compliance with Laws, Regulation, Guidance Security/Controls Change management Incident response BCP/DR Right to Audit and Remediation MIS Oversight reports 35

36 Contracts Responsibilities for providing, receiving, retaining information Cost and compensation Ownership and license Indemnification Dispute Resolution Limits on liability Default and termination Subcontracting Foreign based 3rd parties Duration Assignment of contract 36

37 OCC Contracts: Stipulate performance of activities by external parties subject to OCC examination oversight including access to all work papers, drafts, and other materials. OCC generally has authority to examine and regulate functions/operations provided by 3rd parties to same extent as bank. 37

38 Service Level Agreement Identify significant elements of service Processing error rates System uptime/downtime Speed Performance Availability/timeliness of service Confidentiality/integrity of data Change control Help desk 38

39 Ongoing Monitoring Compliance with legal and regulatory requirements Insurance coverage Key personnel knowledge Ability to effectively manage risk Confidentiality/integrity of systems/ information Adequacy of training Process for adjusting policies, procedures, controls in response to change threats/vulnerabilities/breaches Information technology used/ management of information systems Business continuity/dr Subcontracting Consumer complaints and remediation 39

40 Ongoing Monitoring Ensure customer base is segregated from other clients (especially cloud provider) Internal controls Assess adequacy of control environment SSAE 16, SOC 2 FFIEC Examination Security incidents Onsite visits as needed/ Escalation of oversight activities when fail to meet: Performance Compliance Control Viability expectations 40

41 Ongoing Monitoring Types of reports Financial Patch management Pen testing Security assessments Audits Incident response BCP/pandemic 41

42 SSAE 16 SOC 1 - Internal controls over financial reporting (ICFR) SOC 2 - Specifically designed for data centers, MSSPs, SAS vendors, cloud computing and technology providers 42

43 SOC 2 Trusted Service Principles Security of systems Availability of systems Processing integrity Confidentiality of information Privacy of information 43

44 Independent Review Senior management should ensure periodic independent reviews are conducted on 3rd party risk management processes, especially critical activities. Internal audit or independent audit Report to Board 44

45 FRB - BCP Ensure DR/BCP exists Assess adequacy and effectiveness of the plan and alignment to bank s plan Test SP s BCP on periodic basis Maintain an exit strategy in event that SP is unable to perform Document roles and responsibilities for maintaining and testing the SP s plan 45

46 Appendix J: Business Resiliency Ensure DR/BCP exists Assess adequacy and effectiveness of the plan and alignment to bank s plan Test SP s BCP on periodic basis Maintain an exit strategy in event that SP is unable to perform Document roles and responsibilities for maintaining and testing the SP s plan 46

47 Termination Contingency Plan Management should ensure relationships terminate in an efficient manner. Have a plan to bring service in-house if no alternate 3rd parties 47

48 Appendix D: MSSP 2012 update to FFIEC Outsourcing Technology Service Handbook Reliance increases risk 39

49 MSSP Services Network boundary protection IDS/IPS Event log management/ alerting AV and Web content filtering services hosting Patch management Security software management Incident response management DLP Information security consulting services 40

50 MSSP Management Regular risk management program plus Contract with SLA Strategies for transparency/accountability Communications Review of MSSP processes, infrastructure, control environment 41

51 MSSP Management Risk Assessment: Due Diligence, Ongoing Risk Elements Business Processes Info Security Infrastructure Access Management and Control Data handling BCP/DRP Incident Response Awareness and Training Application Development/ Systems Integration Malware protection 51

52 MSSP Management Education/Awareness Training content/frequency Financial institution understanding of reports, audits, security testing 42

53 Cyber Security Risk Assessment Tool Domain 4 - External Dependency Management Connections Relationship Management

54 Document and Report Current inventory/risk assessment Approved plans to use 3rd party Due diligence results Analysis of costs Regular reports to Board on internal control testing and monitoring Audits, security reviews, compliance with SLA Regular reports to Board on overall risk management process Executed contract Regular risk management and performance reports from 3rd party 54

55 Bank Service Company Act FDIC supervised institutions Section 7(c)(2) Notification of Performance of Bank Services New servicing relationships by 3rd parties 45

56 Technology Outsourcing: Informational Tools for Community Bankers Effective Practices for Selecting a Service Provider Tools to Manage Technology Providers Performance Risk: Service Level Agreements Techniques for Managing Multiple Service Providers FDIC 30

57 Effective Practices for Selecting a Service Provider Resource in addressing specific challenges Not an exam procedure or official guidance Informational tool 31

58 Effective Practices Objectives in the Selection Process Evaluation and Selection Negotiating the Contract 32

59 Contracts Exit clause that allows FI to cancel for reasons such as failure to perform SLA should be stated Clear understanding of current and anticipated future requirements of service Obtain list of all key personnel and any subcontractors, consultants or third parties on which service delivery depends 33

60 Technology service providers encompass a broad range of entities including but not limited to affiliated entities, nonaffiliated entities, and alliances of companies providing products and services. This may include but is not limited to: core processing; information and transaction processing and settlement activities that support banking functions such as lending, deposit-taking, funds transfer, fiduciary, or trading activities; Internet-related services; security monitoring; systems development and maintenance; aggregation services; digital certification services, and call centers. Other terms used to describe Service Providers include vendors, subcontractors, external service provider (ESPs) and outsourcers. 34

61 Tools to Manage Risk: SLA SLA key component in structuring successful outsourcing contract Service category (system availability or response time) Acceptable range of service quality Definition of what is being measured Formula for calculating the measure Credit/penal,es for achieving/ failing performance targets Frequency and interval of measurement 35

62 Measure service activity results against defined service levels Examine measured results to identify problems or determine causes Take appropriate action to correct failed activities, functions, or processes Continuously guide service providers through feedback sessions based on objectively measured performance metrics 36

63 Successful SLA Identify performance and risk factors that are most crucial Make sure metrics measure what you want Focus on your goals Be specific, ensure everyone understands the terms and that terms are clear measured Measure performance provided to you not aggregate to all clients 37

64 Techniques for Managing Multiple SPs Use a lead contractor who is responsible for establishing subcontracts with other providers and managing their performance Use Inter-provider Operating Agreements 38

65 Thank You Susan Orr