Outsourced Third Party Relationship Management / Vendor Management
TTS Webinar, July 15, 2015
Susan Orr, CISA, CISM, CRISC, CRP

Risk Management Guidance
Appendix J: Key Elements
- Third Party Management
- Third Party Capacity
- Testing with Third Party TSPs
- Cyber Resilience

Risk Management Program

Life Cycle
The risk management process throughout the life cycle of the relationship includes:
- A plan outlining the bank's strategy and the inherent risks, and how third parties are selected, assessed, and overseen
- Proper selection due diligence
- Contracts outlining roles and responsibilities
- Ongoing monitoring of activities and performance
- Termination contingency plans
- Roles and responsibilities for overseeing the relationship and the risk management process
- Documentation and reporting: oversight, accountability, monitoring, risk management
- Management reviews to ensure alignment with the strategic goals and objectives of the bank
More comprehensive and rigorous oversight and management is needed for relationships that involve critical activities, such as:
- Significant bank functions (payments, clearing, settlements)
- Significant shared services (information technology)
- Activities that create significant risk if the third party fails to meet expectations
- Activities that could have significant customer impact
- Activities that require significant investment in resources to implement and manage the third party
- Activities that could have a major impact on operations if the bank has to find an alternate third party or bring the activity in-house
Oversight and Accountability
- Board
- Senior Management
- Employees managing relationships

Board and Sr. Mgmt
Board:
- Establish and approve policies governing use
- Establish the risk management program
Senior Mgmt:
- Ensure policy execution
- Oversee development and implementation of the program
- Report to the Board
"A bank's board of directors is required to remain vigilant to the hazards posed by outsourcing functions to third parties, or else risk significant financial and reputational harm to its institution." - OCC and CFPB

FDIC FIL 44-2008: "An institution's board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships and identifying and controlling the risks arising from such relationships to the same extent as if the activity were handled within the institution."
Committee
Not a regulatory requirement, but a good practice.

Committee members:
- End user management
- Compliance officer
- Risk officer
- Technology officer
- Audit (liaison)
- Legal (liaison)
Planning
- Discuss inherent risks
- Outline strategic purposes
- Assess complexity
- Cost vs. benefit
- Effect on strategic initiatives
- Impact on dual employees
- Customer interaction
- Security
- Contingency plans
- Laws and regulations
- Selection aligns with bank policies and practices
- Detail the selection, assessment, and oversight of compliance with the contract
- Presented to and approved by the BOD
Strategic Planning
- Integration with overall strategic objectives
- Identify the role of the relationship in conjunction with the business strategy and objectives
- Identify: need/purpose, benefits, costs, legal issues

Risk Assessment
- Identify all third party relationships
- Identify the risks
- Identify risk mitigation strategies
- Risk rate and rank
Enterprise-wide third party relationships:
- HR / payroll processor
- Operations (wires, ACH, ATM, core)
- IT
- Trust
- Cash management
- Law firms
- Marketing
- Accounting
- Lending
- Facilities / security company

Classification Factors
- Mission critical
- Access to NPI
- Information controlled by the third party
- Volume of transactions
- Concentration of $
- New activity
- New relationship
- Market products or services
- High risk activities
- Cloud computing
- Subcontracting / foreign based contractors
- Foreign based company
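The "risk rate and rank" step above, carried through the classification factors on this slide. This is an added example, not material from the webinar; the weights, dollar and volume thresholds, tier cut-offs and the sample inventory are all assumptions chosen for illustration.

```python
"""Added example (not from the webinar): rating and ranking a third-party
inventory using the slide's classification factors. Weights, thresholds
and the inventory below are assumptions for illustration only."""

# Assumed weights for the boolean classification factors on the slide
FACTOR_WEIGHTS = {
    "mission_critical": 5,
    "access_to_npi": 4,
    "controls_bank_information": 3,
    "new_activity": 2,
    "new_relationship": 1,
    "markets_products_or_services": 2,
    "high_risk_activities": 3,
    "cloud_computing": 2,
    "subcontracting_or_foreign_contractors": 2,
    "foreign_based_company": 3,
}

# Constructed inventory, named after the relationship types listed on the slides
INVENTORY = {
    "core processor": {"mission_critical": True, "access_to_npi": True,
                       "controls_bank_information": True, "cloud_computing": True,
                       "annual_transactions": 4_000_000, "annual_spend": 900_000},
    "payroll processor": {"access_to_npi": True, "annual_transactions": 2_600,
                          "annual_spend": 40_000},
    "marketing agency": {"new_relationship": True, "markets_products_or_services": True,
                         "annual_transactions": 0, "annual_spend": 60_000},
    "law firm": {"access_to_npi": True, "annual_transactions": 0, "annual_spend": 120_000},
}


def inherent_risk_score(attrs: dict) -> int:
    """Sum the weights of the factors present, then add volume/concentration points."""
    score = sum(w for f, w in FACTOR_WEIGHTS.items() if attrs.get(f))
    if attrs.get("annual_transactions", 0) >= 1_000_000:   # assumed volume threshold
        score += 3
    if attrs.get("annual_spend", 0) >= 100_000:            # assumed $ concentration threshold
        score += 2
    return score


def risk_tier(attrs: dict) -> str:
    """Mission-critical activities always get the heightened-oversight tier;
    NPI access forces at least 'high' regardless of score (both are assumptions)."""
    score = inherent_risk_score(attrs)
    if attrs.get("mission_critical") or score >= 12:
        return "critical"
    if attrs.get("access_to_npi") or score >= 6:
        return "high"
    return "moderate" if score >= 3 else "low"


def ranked_inventory() -> list:
    """Highest inherent risk first; ties broken by name so reports are stable."""
    rows = ((name, inherent_risk_score(a), risk_tier(a)) for name, a in INVENTORY.items())
    return sorted(rows, key=lambda t: (-t[1], t[0]))
```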
Types of Risk
- Reputation: risk arising from negative publicity or public opinion.
- Strategic: risk arising from adverse business decisions, failure to implement appropriate business decisions, or making invalid assumptions.
- Transactional: risk arising from problems with service or product delivery.
- Operational: risk from inadequate or failed internal processes, people, systems, or an external event.
- Credit: risk that those necessary to the relationship are unable to meet the terms of the contractual arrangement or perform as agreed financially.
- Compliance/legal: risk arising from violations of laws, rules, or regulations, or noncompliance with internal policies and procedures.
- Concentration: arises when outsourced services or products are provided by a limited number of providers or are concentrated in limited geographic locations.
Potential Risk
- Interest rate
- Liquidity
- Market
- Foreign currency translation
- Country risk
- Pricing

Foreign Based
- Background
- Country risk / ability to prosecute
- Compliance risk: US laws, embargo, sanctions, OFAC

Specific Risk with Technology
- Reliability
- Security
- Scalability
- Compatibility

Failure to Manage/Mitigate
- Regulatory action
- Financial loss
- Reputation issues
- Legal actions
- Impact on the ability to establish new or continue current customer relationships
Written Program Elements
- Overview of the program
- Responsibilities
- Risk management process
- Needs assessment
- Due diligence and selection
- Contracting
- Oversight and monitoring
- How to monitor and manage problems with the third party
- How to monitor performance against the SLA
- Termination
- Contingency
- Approval process

Needs Assessment
- Function/activity
- Purpose/need served
- Alignment with the strategic plan
- Budgeted amount
- Minimum standards/expectations
- Minimum acceptable characteristics
- Security/control
- Oversight reports
- BCP
- Conversion/training
- Contract requirements
Due Diligence/Selection
- Conduct on all potential third parties prior to selection
- Don't rely solely on prior knowledge or experience
- Should be commensurate with the level of risk and complexity of the relationship; onsite visits may be useful for a full understanding of operations and capacity
- Broaden the scope as necessary

Due Diligence/Selection
- Financial status
- Strategies and goals
- References
- Legal/regulatory compliance issues
- Resilience: BCP / pandemic preparedness / incident response
- Risk management / information security
- Qualifications, background, and reputation of principals
- Employee background checks
- Insurance coverage
- Experience and reputation

Due Diligence/Selection
- Internal controls
- Facilities management
- Training
- Security of systems
- Privacy/confidentiality
- Maintenance and retention of records
- Use of subcontractors
- Physical security
- Systems development
- Technology/system specs
- Service support/delivery
- Resource management
- Fee structure
- Conflicting contract arrangements with others
Business Resiliency
- Ensure the third party service provider has its own third party risk management program
- Third Party Service Provider's ability to provide critical services to all its clients and to meet stated RTOs and RPOs

Lack of resilience / failure of the TSP
- Financial institution clients take over operations
- Convert: a new TSP takes over existing operations
- Bring in-house

Financial Performance and Condition
- Most recent financials
- Sustainability
- FI relationship on SP financial condition
- SP commitment to contracted services
- SP review of the financial condition of any subcontractor
- Other current issues the SP may be facing that may affect future financial performance
- Insurance coverage
Contract Elements
- Scope of service
- Performance standards/benchmarks
- Security/confidentiality
- GLBA/confidentiality
- Compliance with laws, regulation, guidance
- Security/controls
- Change management
- Incident response
- BCP/DR
- Right to audit and remediation
- MIS
- Oversight reports

Contracts
- Responsibilities for providing, receiving, and retaining information
- Cost and compensation
- Ownership and license
- Indemnification
- Dispute resolution
- Limits on liability
- Default and termination
- Subcontracting
- Foreign based third parties
- Duration
- Assignment of contract

OCC Contracts: Stipulate that performance of activities by external parties is subject to OCC examination oversight, including access to all work papers, drafts, and other materials. The OCC generally has authority to examine and regulate functions/operations provided by third parties to the same extent as the bank.
Service Level Agreement
Identify the significant elements of service:
- Processing error rates
- System uptime/downtime
- Speed
- Performance
- Availability/timeliness of service
- Confidentiality/integrity of data
- Change control
- Help desk

Ongoing Monitoring
- Compliance with legal and regulatory requirements
- Insurance coverage
- Key personnel knowledge
- Ability to effectively manage risk
- Confidentiality/integrity of systems and information
- Adequacy of training
- Process for adjusting policies, procedures, and controls in response to changing threats, vulnerabilities, and breaches
- Information technology used / management of information systems
- Business continuity/DR
- Subcontracting
- Consumer complaints and remediation

Ongoing Monitoring
- Ensure the customer base is segregated from other clients (especially with a cloud provider)
- Internal controls
- Assess adequacy of the control environment: SSAE 16, SOC 2, FFIEC examination
- Security incidents
- Onsite visits as needed
- Escalation of oversight activities when the provider fails to meet performance, compliance, control, or viability expectations

Ongoing Monitoring
Types of reports:
- Financial
- Patch management
- Pen testing
- Security assessments
- Audits
- Incident response
- BCP/pandemic
SSAE 16
- SOC 1: internal controls over financial reporting (ICFR)
- SOC 2: specifically designed for data centers, MSSPs, SaaS vendors, cloud computing and technology providers

SOC 2 Trust Services Principles
- Security of systems
- Availability of systems
- Processing integrity
- Confidentiality of information
- Privacy of information

Independent Review
Senior management should ensure periodic independent reviews are conducted on third party risk management processes, especially for critical activities.
- Internal audit or independent audit
- Report to the Board
FRB - BCP
- Ensure DR/BCP exists
- Assess adequacy and effectiveness of the plan and alignment with the bank's plan
- Test the SP's BCP on a periodic basis
- Maintain an exit strategy in the event that the SP is unable to perform
- Document roles and responsibilities for maintaining and testing the SP's plan

Appendix J: Business Resiliency
- Ensure DR/BCP exists
- Assess adequacy and effectiveness of the plan and alignment with the bank's plan
- Test the SP's BCP on a periodic basis
- Maintain an exit strategy in the event that the SP is unable to perform
- Document roles and responsibilities for maintaining and testing the SP's plan

Termination Contingency Plan
Management should ensure relationships terminate in an efficient manner. Have a plan to bring the service in-house if there are no alternate third parties.
Appendix D: MSSP
- 2012 update to the FFIEC Outsourcing Technology Services Handbook
- Reliance increases risk

MSSP Services
- Network boundary protection
- IDS/IPS
- Event log management / alerting
- AV and web content filtering services
- Email hosting
- Patch management
- Security software management
- Incident response management
- DLP
- Information security consulting services

MSSP Management
Regular risk management program, plus:
- Contract with SLA
- Strategies for transparency/accountability
- Communications
- Review of MSSP processes, infrastructure, and control environment

MSSP Management
Risk assessment: due diligence and ongoing. Risk elements:
- Business processes
- Info security infrastructure
- Access management and control
- Data handling
- BCP/DRP
- Incident response
- Awareness and training
- Application development / systems integration
- Malware protection

MSSP Management
Education/awareness:
- Training content/frequency
- Financial institution understanding of reports, audits, and security testing

Cyber Security Risk Assessment Tool
Domain 4 - External Dependency Management:
- Connections
- Relationship Management
Document and Report
- Current inventory / risk assessment
- Approved plans to use the third party
- Due diligence results
- Analysis of costs
- Regular reports to the Board on internal control testing and monitoring: audits, security reviews, compliance with SLA
- Regular reports to the Board on the overall risk management process
- Executed contract
- Regular risk management and performance reports from the third party

Bank Service Company Act
- FDIC supervised institutions
- Section 7(c)(2): Notification of Performance of Bank Services
- New servicing relationships by third parties

Technology Outsourcing: Informational Tools for Community Bankers (FDIC)
- Effective Practices for Selecting a Service Provider
- Tools to Manage Technology Providers' Performance Risk: Service Level Agreements
- Techniques for Managing Multiple Service Providers

Effective Practices for Selecting a Service Provider
- Resource in addressing specific challenges
- Not an exam procedure or official guidance
- Informational tool

Effective Practices
- Objectives in the selection process
- Evaluation and selection
- Negotiating the contract

Contracts
- Exit clause that allows the FI to cancel for reasons such as failure to perform
- SLA should be stated
- Clear understanding of current and anticipated future requirements of the service
- Obtain a list of all key personnel and any subcontractors, consultants or third parties on which service delivery depends
Technology service providers encompass a broad range of entities including but not limited to affiliated entities, nonaffiliated entities, and alliances of companies providing products and services. This may include but is not limited to: core processing; information and transaction processing and settlement activities that support banking functions such as lending, deposit-taking, funds transfer, fiduciary, or trading activities; Internet-related services; security monitoring; systems development and maintenance; aggregation services; digital certification services, and call centers. Other terms used to describe Service Providers include vendors, subcontractors, external service providers (ESPs) and outsourcers.
Tools to Manage Risk: SLA
The SLA is a key component in structuring a successful outsourcing contract. Each service level should define:
- Service category (system availability or response time)
- Acceptable range of service quality
- Definition of what is being measured
- Formula for calculating the measure
- Credits/penalties for achieving or failing performance targets
- Frequency and interval of measurement

Managing against the SLA:
- Measure service activity results against defined service levels
- Examine measured results to identify problems or determine causes
- Take appropriate action to correct failed activities, functions, or processes
- Continuously guide service providers through feedback sessions based on objectively measured performance metrics

Successful SLA
- Identify the performance and risk factors that are most crucial
- Make sure the metrics measure what you want
- Focus on your goals
- Be specific; ensure everyone understands the terms and that the terms are clearly measurable
- Measure the performance provided to you, not the aggregate across all of the provider's clients
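The SLA elements above (definition of the measure, formula, credits/penalties, measurement interval) worked through for a system-availability clause, including the last point: the provider-wide figure can pass while one client's own service fails. This is an added example, not from the webinar or the FDIC tool; the 99.5% target, the credit schedule and the outage records are constructed assumptions.

```python
"""Added example (not from the webinar): evaluating a monthly availability
SLA for one financial institution. Target, credit schedule and outage
records are constructed assumptions."""
from datetime import datetime

# Constructed outage records: (affected client, start, end), July 2015
OUTAGES = [
    ("bank_a", "2015-07-03T02:00", "2015-07-03T02:45"),   # 45 min, bank_a only
    ("bank_a", "2015-07-18T09:00", "2015-07-18T13:30"),   # 270 min, bank_a only
    ("bank_b", "2015-07-10T01:00", "2015-07-10T01:10"),   # 10 min
    ("bank_c", "2015-07-22T04:00", "2015-07-22T04:20"),   # 20 min
]

MONTH_MINUTES = 31 * 24 * 60   # measurement interval: one calendar month (July)
TARGET_PCT = 99.5              # assumed acceptable range: at least 99.5 % availability
# Assumed credit schedule: (shortfall in percentage points exceeded, credit % of fee)
CREDIT_SCHEDULE = [(0.0, 10), (0.5, 25), (1.0, 50)]


def minutes_between(start: str, end: str) -> int:
    fmt = "%Y-%m-%dT%H:%M"
    delta = datetime.strptime(end, fmt) - datetime.strptime(start, fmt)
    return int(delta.total_seconds() // 60)


def downtime_minutes(client: str) -> int:
    """Only outages this client actually experienced count toward its measure."""
    return sum(minutes_between(s, e) for c, s, e in OUTAGES if c == client)


def availability_pct(client: str) -> float:
    """Formula for the measure: (interval - downtime) / interval * 100."""
    return round((MONTH_MINUTES - downtime_minutes(client)) / MONTH_MINUTES * 100, 3)


def credit_pct(client: str) -> int:
    """Credit owed to the client: the largest schedule step the shortfall exceeds."""
    shortfall = TARGET_PCT - availability_pct(client)
    credit = 0
    for step, pct in CREDIT_SCHEDULE:
        if shortfall > step:
            credit = pct
    return credit


def aggregate_availability_pct() -> float:
    """Provider-wide figure: total downtime spread over every client's interval.
    This is the number an aggregate report would show, and it hides bank_a's miss."""
    clients = {c for c, _, _ in OUTAGES}
    total_down = sum(downtime_minutes(c) for c in clients)
    total_interval = MONTH_MINUTES * len(clients)
    return round((total_interval - total_down) / total_interval * 100, 3)
```

With these records bank_a is below target and earns a credit even though the aggregate figure is comfortably above 99.5%, which is why the slide insists on measuring the performance delivered to you.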
Techniques for Managing Multiple SPs
- Use a lead contractor who is responsible for establishing subcontracts with other providers and managing their performance
- Use inter-provider operating agreements

Thank You
Susan Orr
www.susanorrconsulting.com
susan@susanorrconsulting.com
630.499.0276