
Vendor management process for financial services

In this video get tips from expert Eric Holmquist on how to create an enterprise vendor management process to optimize security and minimize risk. Topics include risk assessment, due diligence best practices, common mistakes financial firms make in their vendor management programs, and managing cloud service providers.

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact [email protected]  

Eric Holmquist: Clearly, there is a regulatory component: banks are
required to maintain active vendor management for regulatory reasons, but the
reality is that there is actually quite a bit of risk here. What we have found is that
this is a pretty significant area of risk, and banks really have to manage
it very proactively because it is an area where they have very little
control, but the risk is still there.

Clearly, you have got the basic elements, which is certainly a due diligence
process, done better or worse by different companies, taking
certain steps to really analyze your companies. The main thing here really
is risk assessment and accountability. I think the areas where we see
challenges are in really understanding what your risk is with
any given third party, and really making sure you have got clear accountability
for performing due diligence and for performing monitoring, because the steps
do not really matter if you do not have, number one, people prioritizing
these third parties in terms of the riskier ones, and, two,
people who are clearly tasked with understanding that risk and managing
that risk.

The mechanics of it are pretty straightforward; it is usually a combination
of both internal and external assessments. I think the real trick is really
getting down to risk assessments and really understanding what the risk
profile is, then scaling the due diligence appropriately, depending on the
level of risk. Certainly, those larger concentrations of data or more
critical services are going to be subject to a greater level of scrutiny.
The real trick is being able to understand what those risk profiles look
like and developing a scaled response that is proportionate with the risk.

I think this is one where a couple of things can happen. Number one, again, it
goes back to accountability: you have got to have somebody who is specifically
tasked with monitoring. I think this is also an instance where it is very
helpful to have a risk committee that can also be responsible for the reporting
mechanism, because you need your group of subject matter experts to be in
the conversation when talking about monitoring. It is one thing to have
somebody looking at all the things they are looking at, but are the
appropriate subject matter experts actually analyzing some of this
documentation they are getting?

I think the other piece that is really important is just making sure that
the relationship managers understand this is not a compliance exercise. If
it ever gets to the point where it becomes 'check the box,' you are really
not managing risk any more. You have got to understand this is a dynamic
process, and sometimes it is a messy process, but it is a matter of really
looking at what they are hearing from their third parties and understanding
what that means, not just filling out forms.

Absolutely not. Even though this is a new area and it is an area that is
getting a lot of talk, it really is not a new area. At the end of the day,
it falls under the heading of, you outsource a process, but you certainly
cannot outsource a risk, and this is no different than any other third
party. The questions are the same. What kind of information are they going
to have? Who is going to have access to that information? What are the
controls that are in place? Understanding who your provider is. Again, just
understanding what is the risk profile of using this third party? There is
nothing new to cloud computing, it is just taking a different approach to
managing the process, and you just have to understand what those risks are,
and proactively manage those risks.

I have to say the two biggest mistakes that I think I see people making are,
number one, not properly risk rating: taking their portfolio of third parties
and putting some categorization around them to just say, 'What are the risk
profiles of these?' and coming up with a relative ranking of which third
parties are riskier than others, so I can focus my resources appropriately.
The second thing is trying to turn it into a compliance exercise, instead
of taking the information that you receive from third parties and really
analyzing it, and, more often than not, having conversations with them about
it, not just what is on the form. If banks could just do those two things,
really developing comprehensive methods of risk rating their third
parties so they can prioritize, and really taking the time to analyze this
due diligence documentation versus just receiving it and
filing it away, I think banks would do an infinitely better job of really
understanding where their risks are, and much more proactively managing
those risks.
