Vendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd.

Transcription

1 Vendor Management: An Enterprise-wide Focus Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd.

2 Why Focus on Vendor Management Increased financial regulatory scrutiny GLBA and Identity Theft Red Flags Program Regulatory guidance FFIEC Statement on Cloud Computing July 2012 FRB SR 11-7 Model Risk Management OCC Sound Practices for Model Risk Management FFIEC 2011 Authentication In An Internet Banking Environment Supplement FFIEC 2009 Risk Management of Remote Deposit Capture FDIC FIL Guidance for Managing Third-Party Risk OCC Information Security Application Security OCC Risk Management Principles 2

3 CFPB Bulletin FI ensure third parties do not present unwarranted risks to consumers Conduct due diligence to verify provider s ability to comply with consumer law Request and review provider s policies and procedures to ensure appropriate oversight Set clear expectations about enforceable consequences for violations Establish internal controls and ongoing monitoring for compliance with consumer law 3

4 CFPB Bulletin Marketing materials for credit card add-on products are not deceptive Compensation does not create incentives to provide inaccurate information Scripts follow specific requirements and have compliance management programs 4

5 FRB SR 11-7 and OCC Validation of Vendor/Third-Party Products Appropriate processes for selecting vendor models Provide developmental evidence on components, design, intended use Determine appropriateness for bank Risk assessing to determine exposures and risks Bank validation of use of the vendor products Vendor performance monitoring and analysis Business Continuity 5

6 Why Focus on Vendor Management Essential part of enterprise-wide risk management Emerging technology More reliance on outsourcing and cloud computing 6

7 Vendor Management Focus Bank-wide, all vendors/providers Develop definition for vendor/provider Analyze accounts payable Include IT, but not exclusively IT 7

8 Key Factors of Vendor Management Program BOD and senior management awareness Prudence of outsourcing relationship Needs assessment Implementation of effective controls Ongoing monitoring Documentation of procedures, responsibilities, reporting 8

9 Program Oversight Responsibility Board ultimately responsible for ensuring program in place Who has daily oversight: Seems to fall in IT Should it be the ISO (which is usually IT) Should it be the risk manager Should it be the compliance officer 9

10 Vendor Risk Management Program Elements Strategic planning Risk Assessment Written Program Repeatable Process/Procedures Needs requirements Service provider selection and due diligence Contract Ongoing monitoring Continuity Termination 10

11 Program Elements: Strategic Planning 11

12 Strategic Planning Integration with overall strategic objectives Identify role of the relationship in conjunction with business strategy and objectives Identify: Need/purpose Benefits Costs Legal issues 12

13 Program Elements: Risk Assessment 13

14 Third Party Risk Assessment Identify all service providers and vendors = third party Identify risk Identify risk mitigation strategies Risk rating and ranking 14

15 Classification Factors Mission critical Access to sensitive or confidential information Information controlled by service provider Volume of transactions Concentration of $ New activity for institution New provider Markets products or services High risk activities 15

16 Types of Risks Reputation Risk risk arising from negative publicity or public opinion Strategic Risk risk arising from adverse business decisions or failure to implement appropriate business decisions or to make invalid assumptions 16

17 Types of Risks Operational Risk - loss from inadequate or failed internal processes, people, systems or an external event. Transactional Risk risk arising from problems service or product delivery 17

18 Types of Risks Credit Risk risk that those necessary to the relationship are unable to meet the terms of the contractual arrangements or otherwise financially perform as agreed Compliance/legal Risk risk arising from violations of laws, rules or regulations, or noncompliance with internal policies and procedures 18

19 Other Potential Risks Interest rate Liquidity Market Foreign currency translation Country risk Pricing 19

20 Foreign Based Providers Background Country Risk/Ability to prosecute Compliance Risk US Laws Embargo Sanctions OFAC 20

21 Failure To Manage/Mitigate Regulatory action Financial loss Reputation issues Legal actions Impact ability to establish new or continue current customer relationships 21

22 Program Element: Written Program 22

23 Written Program Policy Statement Reason for development and implementation of the vendor management program Elements of the program Responsibilities Risk Management Description of the risk assessment process Selection process Description of the process Due diligence/approval Description/responsibility Contracting Description of minimum contract requirements Oversight and monitoring Description of oversight and monitoring 23

24 Needs Requirement Function or activity to be outsourced Purpose/need served Alignment with institution business objectives Budgeted amount Minimum standards and service expectations Minimum acceptable characteristics Security and control requirements Oversight reports Business continuity - strategy Conversion requirements/timing/suppo rt Training Contract requirement 24

25 Selection Due Diligence Financial status, audited financial statements if available Check references Legal or regulatory compliance issues Complaints Litigation Technology and systems architecture (specifications) BCP and pandemic preparedness Insurance coverage/bonding 25

26 Contract Elements Scope of service Performance standards Security and confidentiality Understanding of GLBA and other applicable laws Controls Notification requirements and approval rights for any material changes to services, systems, controls (change management) Incident Response Plan and notification of breach 26

27 Contract Elements Audit Reports DRP/BCP Subcontracting Cost Ownership and license Duration Dispute resolution Limits of Liability Indemnification Regulatory compliance Assignment of contract Foreign based providers 27

28 Contract Elements Termination Types of terminations Normal contract expiration For cause For convenience For regulatory or supervisory requirements Ongoing Service Requirements Data Security and Privacy Documentation and Knowledge transfer 28

29 Service Level Agreement Identify significant elements of service Processing error rates System up time System down time Speed of transactions For websites page loading speeds Performance standards Availability and timeliness of services Confidentiality and integrity of data Change control Security standards compliance BCP Help desk support 29

30 Monitoring and Oversight Types of Reports Financial statements Security Incident response Business continuity Pandemic preparedness Patch management Change management Vulnerability assessment Testing 30

31 Monitoring and Oversight Types of Audits SSAE 16 Security/Controls Audit Internal Audit AUP (Agreed Upon Procedures Shared Assessments) FFIEC Regulatory Examination

32 Bank Service Company Act FDIC supervised institutions Section 7(c)(2) Notification of Performance of Bank Services New servicing relationships by third parties 32

33 Supervision of Technology Service Providers FFIEC October 2012 Examination program Examination process Examiner responsibilities Frequency 33

34 Summary Outsourcing does not reduce risks Increases the need for controls and monitoring Increases the oversight over third party Ultimately responsibility of the Board Regulatory requirement to have a written program 34

35 Questions???? Thank You!!! Susan Orr CISA, CISM, CRISC, CRP