Vendor Risk Management (Banks and Financial Institutions)
Speaker: Jay Ranade / Ram Engira
CIA, CRMA, CRISC, CBCP, CISA, CISSP, CISM, ISSAP, CGEIT
Director of Education, Risk Management Professionals Intl., New York City, USA
jayranade@aol.com, jranade@edeltaconsulting.com, jayranade@nyu.edu, ranadej@stjohns.edu
Phone +1-917-971-9786

Vendor Risk Management
Instructor: Jay Ranade
CIA, CRMA, CRISC, CISA, CISSP, CISM, CBCP, CGEIT, ISSAP
Risk Management Professionals Intl., New York City
jayranade@aol.com, jranade@edeltaconsulting.com, jayranade@nyu.edu, ranadej@stjohns.edu
Cell +1-917-971-9786
Instructor Introduction
Jay, a certified CISA, CISM, CISSP, and CBCP, is an internationally renowned expert on computers, communications, disaster recovery, IT security, and IT controls. He has written and published more than 35 IT-related books on subjects ranging from networks, security, operating systems, and languages to systems. He also has an imprint with McGraw-Hill of more than 300 books called the Jay Ranade Series. He has written and published articles for computer magazines such as Byte, LAN Magazine, and Enterprise Systems Journal. The New York Times critically acclaimed his book The Best of Byte. He is currently working on a number of books on subjects such as IT Audit, IT Security, Business Continuity, and IT Risk Management. Jay has consulted and worked for global and Fortune 500 companies in the US and abroad, including American International Group, Time Life, Merrill Lynch, Dreyfus/Mellon Bank, Johnson and Johnson, Unisys, McGraw-Hill, Mobiltel Bulgaria, and Credit Suisse. He was a member of ISACA International's Publications Committee (2005-07). He also teaches graduate-level classes on Information Security Management and Ethical Risk Management at New York University. Jay is also an adjunct professor at St John's University, where he teaches Accounting Information Systems, IT Auditing, Internal Auditing, and Operational Risk Management.
Instructor Introduction
Ram Engira has more than 22 years of experience gained at some of Wall Street's largest firms. He has fundamental business operation and technology skills, especially around key initiatives in the banking, trading, and investment banking arenas. Ram is currently working as a Senior Vice President / Senior IT Infrastructure Manager for the Retail Bank O&T division at a major financial firm. He works for the business office focused on strategic planning, business and technology alignment, client service delivery management, business realignment, engagement planning, and risk management. He is a subject matter expert in BCP/DR, enterprise and IT risk management, information security, and infrastructure optimization. Ram is involved with BCP/DR, information security, and system auditing from both strategic and tactical points of view. Ram is among the industry leaders in planning and executing data center consolidation programs and infrastructure virtualization leading to IT optimization. Ram is also an adjunct professor at St. John's University and the New York Institute of Technology (NYIT), teaching Master's-level courses in business continuity planning, enterprise risk management, IT security and auditing, and database management systems.
Instructor's Information
Contact information: jranade@edeltaconsulting.com, JAYRANADE@AOL.COM, ranadej@stjohns.edu, jayranade@nyu.edu
USA +1-917-971-9786
Risk Management Professionals International
What is RISK?
Types of Risks
97 types of risks: credit risk, market risk, liquidity risk, IT risk, sovereign risk, political risk, operational risk, ...
And by the way: vendor risk, which is a subset of operational risk
Organizational Focus
- Mitigate risk to the organization: focus is on controls
- Comply with laws and regulations: focus is on compliance (usually in a regulated industry)
Facts about risk
- It is part of life
- It is part of doing business
- You can avoid it, mitigate it, accept it, or transfer it
- Controls are not free: controls slow down business and controls cost money
- Balance controls and benefit
Categories of Vendor Risk Controls
- Directive controls (e.g. policy)
- Preventive controls
- Detective controls
- Corrective controls (e.g. IRM)
- Compensating controls
- Deterrent controls (e.g. SLA penalties)
Types of Vendor Risk Controls
Controls can be any of the following six:
- Policy
- Standard
- Procedure
- Process
- Organizational structure
- Physical entity
Why use Vendors?
Reasons for using vendors
- Reduce cost
- Increase performance
- Access specific expertise lacking in the organization
- Increase product offerings
Common 3rd Party Relationships
Common Vendor Relationships
- 3rd party product providers, e.g. credit card providers, auto dealers, mortgage brokers
- Loan servicing providers, e.g. flood insurance monitoring, debt collection, foreclosure activities
- Disclosure preparers, e.g. related SW, 3rd party documentation preparation
- Technology providers, e.g. web development, software vendors
- Outsourced compliance functions, e.g. fair lending reviews, compliance audits, compliance monitoring
Common 3rd Party Risks
Common Vendor Risks
- Compliance risk: laws, regulations, rules
- Reputation risk: law violations, dissatisfied customers
- Operational risk: people, processes, systems, external events
- Transaction risk: service delivery issues
- Credit risk: 3rd party not able to meet contract terms
Vendor Risk Types: Examples
- Deceptive vendor marketing
- Credit discrimination
- Privacy issues (data loss or leakage): GLBA issue
- UDAP (unfair or deceptive acts or practices): UDAP is not always apparent; it may be a commonly accepted bank practice
Solution: oversee vendors as you would a department in your bank
What practices increase Vendor Risk?
Bad Practices
- Overreliance on 3rd party vendors: expertise in staffing vendors, products, and services does not mean expertise in compliance and regulations
- Failure to monitor the vendor: monitoring tracks variation in risk; you cannot outsource accountability
- Failure to retain knowledgeable staff: vendor staff has the expertise, but the organization's staff does not know the vendor's activities; the risk is to the organization
- No clear expectations set: contracts must include consumer protection requirements and other expectations
- GIGO effect: not providing enough information to the vendor to do the job
- Vendor activities in violation: no verification process for whether the vendor is complying with the law/regulation or not
Some Examples of Vendor Risks
Examples of Vendor Risk
- Flood insurance monitoring: a vendor is used to monitor flood insurance; the vendor's error in calculating required coverage leads to civil money penalty (CMP) lawsuits
- HAMP program (Home Affordable loan modification program): vendor delay in processing; vendor sending duplicate applications
- Credit card administration: vendors market credit card programs (balance transfer); non-disclosure of fees is a UDAP violation; the CFPB took enforcement actions against 3 major credit card issuers in 2013
- Disclosure generation software: vendor SW generates consumer disclosures; regulatory changes need SW changes/alignment; management depends on the vendor to make the changes
- Revenue enhancement: 3rd party offers for revenue enhancement, for many products and services, with compliance issues not considered
- 3rd party payment processors (TPPP): customers use accounts to process payments for merchant clients; a TPPP issued payments for merchants in high-risk illegal activity; can also result in UDAP risk
What is Vendor RISK?
Bank's Vendor Risk
Banks use third party vendors to:
- Outsource internal operations
- Provide products and services to customers that they do not provide themselves
- Lend their name for services or activities to others for a fee
Why use a 3rd party?
- Resource constraints within the bank
- Provide additional products and services
- Provide expertise not available within the bank
Regulator's concern
Does outsourcing create more risk? Can the financial institution:
- Identify such risk
- Manage/control this risk
- Monitor this risk
Two aspects of the regulator's concern:
- The financial institution's business and solvency
- The consumer's protection from harm
3rd party vendors are not subject to banking and financial reporting requirements, and lack accountability to regulators. So banks and non-banks are subject to civil and criminal penalties, because they have the accountability.
Regulator's new tools
- Bank Service Company Act: when a 3rd party performs a function for bank operations, regulators treat the 3rd party as subject to the act (Bank Service Company Act, 12 USC 1861-1867(c), Sec. 1861). The regulator can examine the operations of the 3rd party as if they were performed by the bank.
- Dodd-Frank Act: the Consumer Finance Protection Bureau (CFPB) has jurisdiction over any person that provides a material service to a bank (or nonbank) for a consumer financial product or service.
VRM Facts
- You outsource responsibility, not accountability; the board and senior management own that
- CFPB: financial institutions are responsible for the actions of the companies they CONTRACT
- Financial institutions are expected to manage such risk
So what 7 things do you do?
- Proper vendor governance
- 3rd party due diligence
- Contracting
- RCA
- LCA
- Continuous monitoring (KRIs, KCIs) and oversight
- Proper training for those who monitor
- Tracking consumer complaints
Cause vs. Effect in VR
Cause -> Event -> Effect (aka consequence)
- VR is managed through PCs (preventive controls) by managing the causes
- VR is managed through DCs and CCs (detective and corrective controls) by mitigating the effects
Cross Border Outsourcing
Cross Border Outsourcing: Life Cycle
- Strategic assessment
- Business case development
- Vendor selection due diligence
- Contracting
- Service transition
- Post-transition management and monitoring
Cross Border Outsourcing: Inherent Risks
- Financial risk (fraudulent transactions)
- Privacy risk for PII
- Brand and reputation risk
- Regulatory risk
- Competitive risk from loss of IP
Cross Border Outsourcing: 9 risks
- Vendor selection risk: lack of due diligence
- Strategic risk: inconsistent with the organization's goals
- Regulatory compliance risk: laws, regulations, policies, oversight, EU data protection, SOX, FFIEC, export restrictions
- Technology risk: processes not aligned with organizational objectives; business interruptions due to technology failure
- Security risk: lack of protection of customer information and IP, and loss of CIA
- Legal risk: inability to enforce contractual terms due to legal jurisdiction
- Country risk: geopolitical, economic, social issues
- BC risk: lack of recovery plans for critical business processes
- Exit strategy risk: lack of contract terms for an orderly exit on termination of services
Cross Border Outsourcing: Typical Security Requirements
- Logical access: need to have, need to know, least privilege, proper IAA
- Application development and maintenance: secure code, application change, source code management
- Operations: change control, IRM, network management, media handling and disposal
- Business continuity: recovery of critical business processes after interruption within RTO, BC exercises
- Physical and environmental controls: perimeter, building, equipment, environmental
- Organizational security: SoD, R&R, DOPESS
- Asset classification: policy-based CIA classes
- Information security policy
- Compliance: regulatory, contractual
Cross Border Outsourcing: 13 missing provisions
- Lack of R&R
- Who owns IP?
- Ownership of by-product assets
- Service definition: local holidays, time zone
- SLA with penalty clauses
- Use of sub-contractors
- Personnel: background check, minimum qualifications, drug testing, right to remove from project
- Documentation: logs, documents
- Fees and payment terms
- Legal and regulatory compliance
- Audit rights
- BC and DR requirements
- Security requirements: CIA
The VRM Framework
Vendor Risk Management Framework
- Governance
- Vendor Risk and Control Assessment: identify risk and owner; identify control and owner; assess likelihood and impact; assess design and performance; action plans
- VR Due Diligence and Contracting
- VR Indicators: identify key risk and control indicators; action plans; monitoring (KRI, KCI)
- VR Events and LCA: identify and capture internal and external events; action plans; analyze causes
- VR Oversight
1. VRM - Governance
- A board-approved vendor policy will be aligned with business objectives
- There will be risk ownership
- There will be control ownership
- Accountability
- Clear direction for management
- VRM is about threats as well as opportunities
2. VRM - Due Diligence
- Vendor assessment prior to on-boarding: onsite visit, references, vendor experience, complaints history, internal controls, financial status
- Consumer finance perspective: does outsourcing products and services increase consumer harm? Does the 3rd party vendor have a proper IC environment?
- Does the vendor understand, and can it comply with, federal consumer financial law?
- Review of vendor policies, procedures, and IC
- Review of the vendor's employee training program for employees/agents having consumer contact
- Review of the vendor's employee training program for employees/agents having compliance responsibility
- Vendor contract stipulating expectations regarding violations, e.g. unfair practices, abusive acts, deceptive acts
- Does the vendor comply with federal consumer finance laws, and does it have ICs to do that?
- Provision to terminate the relationship when problems exceed a threshold
11 things to look for in due diligence:
- Vendor's experience
- Reputation, complaints, litigation
- IC environment and internal audit
- BC and contingency plan
- Insurance coverage
- Security status (ISO 27001?)
- Audited financial statements
- Qualifications and background
- Sufficiency of MIS (computer-based)
- Technology recovery plans (DR plans)
- Reliance on sub-contractors
3. VRM - Contracting
- The contract should minimize the risk of non-performance by the vendor
- The scope of the contract must be precisely defined
- The outsourcer should have the contractual right to assess the vendor's IC environment: internal audit of the outsourcer; SOC 1 and SOC 2 (SSAE 16 and ISAE 3402)
- Requirements must be defined, understood, and enforceable
- Performance measures and benchmarks defined
- Responsibility to communicate information
- Ownership and licensing of the bank's data, HW, SW, IP, and documentation
- Security: confidentiality, integrity, availability
- BC/DR plans
- Indemnifications holding the 3rd party harmless for negligence
- Insurance coverage requirement
- Process for dispute resolution
- Limits on liability of the bank for non-performance of the vendor
- Termination considerations
- Customer complaints resolution process
- Contract enforcement jurisdiction for a foreign-based vendor
4. VRM - RCA
- 3rd party focus for RM, and CFPB focus for consumer-impacting vendors
- Embedding VRM in the BPs
- Establishing the risk owner and the control owner; they are not always the same: risk ownership is with the business, control ownership is mostly with operations
- Develop the RM FW for 3rd party vendors
- Stratify based on risk to the organization
- Identify consumer-facing vendors (CFPB)
- Identify laws and regulations for each product and each stage of the product lifecycle
- Map vendors to laws (a many-to-many relationship): which laws apply to which vendor
Typical VR RCA Risk Register
Columns: ID | Risks | Owner(s) of the risk | I | L | S | Controls | Owner(s) of the control | D | P | E
Risks:
1. Weakness in outsourced information security system
2. Over-selling credit cards by vendor
3. Over-deployment of management resources on regulatory issues
4. Failure to understand the outsourcing-related regulations
5. Over-dependency on outsourcing
Controls: Staff training; Credit scoring; Forward business planning; Monthly review of budget against actual; Corporate governance; Monthly meetings between CEO and head of compliance; SLA; Outsourcing monitoring; Due diligence; Policy
Owner and score cells as extracted (not aligned to rows): CK 4 3 12 ZK 4 4 16 CK 4 3 12 RU CK 3 KW 4 3 12 CK 3 3 9 TB 3 3 9 EL 4 4 16 ZK 3 3 9 4 12 TJ 3 4 12 CK 4 4 16 CK 2 2 4 AB 3 3 9 TB 3 4 12 TB 2 2 4 CK 3 3 9 CK&EL 4 4 16 CK&EL 4 4 16 CK 4 3 12 CK 3 4 12
5. VRM - LCA
LCA is for:
- Solidifying PCs
- Showing due diligence; always document LCA for regulators (and yourself)
- Maintaining an event database, which helps in statistical analysis; need 30-35 data items
6. VRM - Monitoring: Indicators
- KRIs and KCIs monitor variation in risk and controls
- Can be leading, coincident, or lagging: leading indicators predict impending issues; lagging indicators are detective
- Keep the RCA and the indicators together in the RR
7. VRM - Oversight
Review vendors periodically:
- Vendor's risk and RM
- Vendor's performance and KPIs
- Changes in the regulatory environment and their alignment with vendor services
- Provision in the vendor contract
- Assessment of the vendor's IC environment by the organization
Evaluation:
- SLAs, risk-based vendor reviews, vendor performance reviews, process for issues escalation
- Gap analysis for 3rd party oversight and reporting processes; update procedures to close the gap
- Complaint processing: complaint tracking, follow-up, resolution, reporting, CMMI maturity
Regulator's guidance for oversight:
- Risk management practices of the vendor
- Vendor ICs for compliance, QA, personnel changes, contingency planning
- Documentation
- QoS and assessment support
VRM Timeline
Refer to the figure on the next foil.
- The timeline is to implement the FW
- Includes implementing the 6 VRM FW processes, and the staff to do that
- An important aspect is to have a software tool to capture or create OR data
- Proper governance, management, and controls: tone at the top, tune in the middle, and policies
Example timeline for implementing a Vendor Risk Management programme (phases: 0-3, 3-6, 6-9, 9-12, 12-15 months)
- Policy: VRM Policy; Risk Committee meetings
- RCA: Risk matrix; Business line and department RCA; Embedded vendor risk and control assessments, including risk champions
- Events and losses: Initiative capture; Loss causal analysis linked to RCAs
- Technology tool: Requirements review; Selection; Implementation; Rollout (initially pilot)
- Staffing: Recruitment/staffing
- Due Diligence and Contracting: Due diligence process; Contracting, SLA process
- Indicators: KCIs captured/reviewed; KRIs identified, captured and combined with KCIs
- Reporting: Summarised reporting of RCAs and KCIs; Risk Status Report
Questions