Tackling Vendor Risk in Today's Operational Environment
Previously we have talked about some of the biggest operational risk challenges facing financial institutions in the new environment. However, whilst topics such as technology and manual processes might be high on the agenda at the moment, one risk type that has been growing in profile, and is notoriously difficult to capture and manage, is vendor risk. As we continue to operate in an environment of unprecedented uncertainty, the question is: what can financial institutions look for in a vendor to give them the reassurance that they won’t be exposed to unnecessary or unacceptable levels of risk?
Understanding the risk
Vendor risk, also known as third party or outsourcing risk, refers to the risk exposure a firm incurs when working with a solution provider. Over the past few years we have seen this risk take many shapes and sizes: a third party suffering a data breach or cyber attack and exposing a bank’s data; sales people in an outsourced call centre engaging in practices which breached selling regulations, with the bank in question held responsible; and unexpected operational failures at a third party causing headline-making IT outages at high street banks. Whilst this risk is always present, it can be managed effectively by selecting the right partners and building strong relationships with them.
The question of how to do this is particularly pertinent for financial institutions, which are held to a higher standard on third party risk, due to both their complexity and the crucial role they play in supporting the infrastructure of day to day life and commerce. Regulatory bodies such as the OCC in the U.S. and Singapore's MAS have had stringent guidelines for managing such risks in place for some time, whilst the Bank of England released a consultation paper on the topic towards the end of last year. However, now that we are all operating in an environment of unprecedented uncertainty and change, banks and other financial institutions are realizing for themselves that the relationships they have with third parties could expose them to additional risk at an already challenging time, just as vendors and partners are also realizing that they must step up their efforts to offer support and reassurance to their customers.
Work with your vendor to bring solutions... and opportunity
What are the opportunities then for financial institutions to manage and mitigate this risk? Your operational risk team will – or should – be using key risk indicators to identify and monitor potential problems. But there is also a role to be played by both those in the business and the vendors they work with when new partnerships are being developed. Financial institutions need to think carefully about who they align themselves with in the current environment in order to derive maximum value from the relationship and avoid incurring additional risk exposure in what is already a complex and volatile environment. And a good vendor should be willing and able to support this process by engaging with their customers’ questions and providing transparent information and reassurance.
Financial institutions are expected by regulators to conduct appropriate due diligence on third parties they are working with. When onboarding new vendors, firms should ask themselves – what are the questions I need to ask this provider to make sure they can really deliver what they say they can? An absolutely key tool here is the proof of concept. Not only does this give customers the chance to challenge vendors, to ask them to really demonstrate that they can indeed live up to the shiny promises of their marketing collateral, but it also enables both sides to get a feel for how their working relationships might develop and to what extent their cultures and practices are a good fit for each other.
Vendors also need to engage with their customers on another crucial question, “What are the elements of this relationship which will hit me and the business the hardest if something goes wrong?” Financial institutions are used to asking themselves these kinds of questions, and should ensure that their vendors have demonstrated willingness to engage and to provide transparency and reassurance on these points, enabling the firm to put effective mitigation strategies and robust business continuity plans in place.
Unsurprisingly, given the world we live in and some of the high profile incidents of recent years, data and security are very much at the forefront of vendor risk management. Firstly, vendors themselves need to demonstrate that they understand the importance of data security. Customers should ask potential partners what security accreditations they have in place and what support and training they can offer on this topic, and should make sure they understand how and where their data is being used, stored, and transferred by third parties. There is also the question of data quality and accuracy to consider. Whether the data is a firm’s own internal data or data provided by a vendor or other third party, the more parties involved in an activity or transaction, the greater the consequences of data discrepancies. This is why many financial institutions are now seeking expert help to ensure the accuracy and timeliness of their data in order to minimize the chances of a dispute.
Vendors who are serious about partnering with financial institutions also need to demonstrate an appreciation for the regulatory scrutiny these companies are exposed to, meaning that requirements for managing this risk are more complex, documentation of these efforts is more onerous, and the consequences of a breach far more severe. Regulated firms should ask themselves, has my vendor demonstrated an understanding of my obligations and requirements? Do they seem comfortable working in a highly regulated environment?
Beyond the checklist
Ultimately though, vendor risk goes beyond KRIs and numbers, particularly for those on the ground on complex project implementations, which may require working side by side with a partner for months or even years. This is where we come back to the proof of concept. This shouldn’t just be about vendors proving technical capabilities, but also about showing you what kind of people they are to work with. How do they handle difficult situations? Are they open to being challenged? Do they take a collaborative approach? This allows financial institutions to answer the question: do I trust this vendor to do the best for me and my firm? It also prompts them to ask themselves: does our organisation have the kind of culture which views vendors as partners? As well as the proof of concept experience, firms can also look to see if potential vendors have been able to build successful, long term partnerships with other financial institutions, and seek information as to how these projects have worked and what vendors have learned from them. For example, from our long standing partnership with ANZ, which began in 2011 and continues to this day, we learned that blending our teams to work in a collaborative style delivers the best results and enables us to explore future opportunities for digital innovation together.
Vendor risk shouldn’t – and doesn’t – stop financial institutions from working with third parties, particularly in technically demanding areas where a strong commitment to investment in R&D and new technology is required. The key is in choosing the right partner – one with a true belief in a collaborative approach, evidence of successful long term partnerships, and a respect for and understanding of the complex space in which you operate. By seeking vendors who are willing to provide proof points around these topics, financial institutions can be assured that their trusted partners will stand with them side by side as they face the challenges of the new operating environment.