Slide 2
Principal & Founder – 3W Partners LLC
25 Years – Fortune 500 Companies
• Telecom
• Financial Services
Leadership Roles in
• Global Vendor Management
• Ops / Strategy / Re-engineering
• Outsourcing / Training
TL9001 (“ISO for telecom”)
• Certified Lead Auditor
Audited by…
• Regulators: OCC, OTS, CFPB
• Gov’t Entities: Fannie, Freddie, GAO
• Ratings Agencies: Moody’s, Fitch, S&P
• Others: ISO, Accounting firms
Slide 3
Third-Party Oversight & Governance (TPOG)
Brief History
Why the intense focus on vendors?
What led us here?
Changing Landscape
Financial Crisis ~2008
Vendor management Prior to… and Now
Heightened regulator focus areas
What Regulators Expect
12 Key Dimensions
Good resources to self-educate
Technology & Tools
Increase your chances of success
Slide 4
Financial Crisis 2008
Prior to the Crisis
Vendor focus very limited:
• Business continuity
• Financial strength
• Credit risk
Activities were outsourced
• Unfortunately, so was
vendor responsibility and
accountability
Post-mortem
Vendors seen as a major
contributing factor to the
crisis
Inadequate oversight from
financial institutions
Resulted in massive fraud and consumer distress
Hidden risks when relationships are not managed closely
Slide 5
Regulatory Response to the Financial Crisis
Regulators have a renewed focus on third-party
oversight
OCC
CFPB
Federal Reserve Board
FDIC
NCUA
Considerable Attention
Institutions must bear responsibility for supplier misdeeds
• Numerous “casualties” already
Major focus on consumer interaction with vendors
Enterprise-wide engagement, especially executives
Push for independent reviews
Will focus on 12 Key Dimensions today
Slide 6
What I often see within the industry
Programs are not overly mature
Many organizations only do the basics
Financials
Continuity of business
Data and site security
Hard to budget for vendor risk management
Silos: protecting turf
Minimal coordination
Not sharing best practices
Led by single group
Versus cross-section of the enterprise
Not part of larger enterprise-wide Risk Program
Minimal investment
Have we learned anything from the financial crisis?
Slide 7
Recent examples… and consequences
Collectively, they paid a total of more than $530 million to settle complaints
of deceptive selling and predatory behavior by their third-party suppliers.
Net Message: No one ever remembers the vendor name
Source: http://www.mckinsey.com/insights/risk_management/managing_when_vendor_and_supplier_risk_becomes_your_own
July 2013
Slide 8
On Third-Party Oversight & Governance
OCC
• OCC Bulletin 2013-29
• OCC Bulletin 2001-47
• OCC Bulletin 2002-16: Foreign-Based Third-Party Service Providers
CFPB
• Bulletin 2012-03: Service Providers
Federal Reserve Board
• SR 13-19: Guidance on Managing Outsourcing Risk
• SR 00-4 (SUP): Outsourcing of Information Technology and Transaction Processing
FDIC
• Letter: Guidance For Managing Third-Party Risk
• FDIC Compliance Manual, December 2012
• FIL-44-2008: Guidance for Managing Third-Party Risk
• FIL-50-2001: Bank Technology Bulletin: Technology Outsourcing
NCUA
• Information Documents
• Supervisory Letter No.: 07-01
Fortunately, expectations resemble one another
Slide 9
These cover most regulatory expectations
Risk Classification
Due Diligence
On-Boarding
Contracts
Compliance
Audits
MIS / Reporting
Scorecards
Annual Certifications
Complaint Handling
Escalations
Governance
Execute these well… satisfy your regulator(s)
Slide 10
For effective third-party oversight
Risk Classification
Risk-based segmentation
Scope and intensity of oversight is defined here
Must consider risks to…
• Legal & Regulatory
• Reputation
• Sensitivity of data
• Process complexity
• Customer interface/impact
• Public or private vendor
Other Considerations
• Domestic
• Offshore
• Core Bank Function
• Non-Core
• Number of similar suppliers
• Percent of volume handled
Risk tiers
• Strategic (High)
• Major (Med)
• Basic (Low)
Slide 11
Due Diligence
Assess the process of how suppliers are…
• Sought
• Vetted
• Selected (and retained)
Consider vendor questionnaire and evaluation
matrix
On-Boarding
Have a plan to implement the vendor relationship
• Technology, telecom, recruit, train (including compliance), etc.
Critical: System Entitlements
• Limit vendor access to only what is “required”
• Have a revocation process
o Consider revoking within 24 hours of leaving
Slide 12
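The two entitlement controls on this slide (limit vendor access to what the role requires; revoke within 24 hours of leaving) are the kind of thing an oversight team can check mechanically against an access export. The following is an added example, not part of the original deck and not 3W Partners' material: it defines a hypothetical per-role "required entitlements" baseline and a small set of constructed vendor accounts, then reports accounts holding more than their role needs and accounts still active past the 24-hour revocation target.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# The deck's target: access revoked within 24 hours of the person leaving.
REVOCATION_SLA = timedelta(hours=24)

# Hypothetical least-privilege baseline: what each vendor role actually requires.
# Roles and entitlement names are assumptions for this example.
REQUIRED_BY_ROLE = {
    "collections-agent": {"crm:read", "crm:update-notes"},
    "statement-printer": {"statements:read"},
}


@dataclass
class VendorAccount:
    user: str
    vendor: str
    role: str
    entitlements: set
    active: bool
    left_at: Optional[datetime] = None  # when the vendor reported the person left


def excess_entitlements(acct: VendorAccount) -> set:
    """Entitlements beyond the role baseline. An unknown role has no baseline,
    so every entitlement is reported (fail closed rather than silently pass)."""
    return acct.entitlements - REQUIRED_BY_ROLE.get(acct.role, set())


def overdue_revocations(accounts, now: datetime):
    """Accounts still active more than REVOCATION_SLA after the person left."""
    return [
        a for a in accounts
        if a.active and a.left_at is not None and now - a.left_at > REVOCATION_SLA
    ]


def review(accounts, now: datetime):
    """Return (user, finding, detail) tuples for the oversight scorecard."""
    findings = []
    for a in accounts:
        extra = excess_entitlements(a)
        if extra:
            findings.append((a.user, "excess-entitlement", sorted(extra)))
    for a in overdue_revocations(accounts, now):
        findings.append((a.user, "overdue-revocation", str(now - a.left_at)))
    return findings


# Constructed sample data: a fixed "now" and five vendor accounts.
NOW = datetime(2024, 6, 3, 12, 0, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    VendorAccount("v-alice", "AcmeCollections", "collections-agent",
                  {"crm:read", "crm:update-notes"}, True),
    # Bob holds an export entitlement his role does not need.
    VendorAccount("v-bob", "AcmeCollections", "collections-agent",
                  {"crm:read", "crm:update-notes", "crm:export"}, True),
    # Carol left 36 hours ago and is still active: past the 24-hour target.
    VendorAccount("v-carol", "PrintCo", "statement-printer",
                  {"statements:read"}, True, NOW - timedelta(hours=36)),
    # Dave left 6 hours ago: still inside the revocation window.
    VendorAccount("v-dave", "PrintCo", "statement-printer",
                  {"statements:read"}, True, NOW - timedelta(hours=6)),
    # Erin left 10 days ago but was disabled, so nothing to report.
    VendorAccount("v-erin", "PrintCo", "statement-printer",
                  {"statements:read"}, False, NOW - timedelta(days=10)),
]

if __name__ == "__main__":
    for user, finding, detail in review(SAMPLE_ACCOUNTS, NOW):
        print(f"{user}: {finding} ({detail})")
```

In practice the account list would come from the identity provider's access export and the "left" timestamp from the vendor's offboarding notice; the point of keeping the two checks separate is that each maps to a distinct contract clause and scorecard line.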
Contracts
Regulators have specific expectations regarding vendor contracts
Examples of often-overlooked clauses:
• Use of subcontractors
• Termination for default
• Compliance with laws
• Privacy policy (sensitive info)
• Electronic Transportable Media
• Right to audit
• Licensing
• Indemnification
• Notification of complaints
• Handling of media inquiries
• Service level monitoring
• Limitation of liability
• GSA “Excluded Party List”
• HUD’s “Limited Denial of Participation”
What is required of you …
Is also required of ALL members of your “supply chain.”
Make it contractual.
Slide 13
Compliance
Identify all relevant compliance requirements and document how
requirements are being met
Regulatory updates and change management process effectiveness
• Flow down to vendors (operations, contracts, scorecards, etc.)
Audits
Do your vendors...
• “Say what they do?” (via Policy & Procedure Manual)
• “Do what they say?” (can vendors demonstrate it?)
Have an audit schedule and comprehensive plan
Ensure risks are documented and controls are in place.
Risk Classification and “Potential” Audit Frequency
• Strategic (High): Twice per year
• Major (Med): Once per year
• Basic (Low): Every other year
Slide 14
MIS / Reporting
You need timely and effective reporting in all supplier relationships.
Demonstrate you have sufficient visibility and control.
Hard to achieve safety and soundness without robust reporting
Scorecards
Identify key performance indicators (KPIs), track and report on them.
Document vendor improvement plans.
• Drive accountability.
Regular reviews.
• Evidence of follow-up and actions
o Warning notices
o Training, certification
o Volume adjustments
o Expanded or decreased scope of work
Slide 15
Annual Certifications
Re-certify vendors annually.
No more
• Financials
• Licensing
• Insurance
• Data security
• Capacity / Staffing
• SLA performance
• Process reviews
• Compliance
• Customer impact
• Fees & incentives
• Use of subcontractors
• Training (especially compliance)
• Business continuity
• Audit results
• Complaints
• Media attention
• Pending litigation
• Mergers & Acquisitions
• Ownership changes
• Compensation practices
Keeping up with all changes: Yours, vendors, regulators, etc.
• Assessing the impacts annually, at minimum.
Very labor intensive dimension
Due Diligence
Slide 16
Complaint Handling
Requires an effective method of capturing, responding to and
resolving complaints.
• Especially where suppliers are involved.
Complaint source and severity: Major, Moderate, Minor.
Linkage of root cause back to the operation.
Report to senior leadership.
Escalations
Define your future reactions
When supplier problems arise, must have effective identification,
escalation and management of issues.
Escalate to appropriate levels. Special review committee?
Examples:
• Bad press
• Multiple system outages
• Multiple complaints
• SLAs repeatedly not met
• Downgraded financials
• Fraud event
• Audit findings
Slide 17
Governance
Senior executive and/or Board Member engagement
• “Fingerprints everywhere”
o Drive and approve policy
o Monitor vendor platform (via regular readouts); at-will access to vendor results
o Sign-off on vendor selection and recertification (and action/exit)
o Audit trail of their engagement
Proposed: Two Tier Governance Model
Executive Committee: sets “TONE at the TOP”
• Strategic Alignment
• Risk appetite
• Policy
• Verify adequate oversight
• Ask questions
• Approve, Suspend & Terminate
Operations Committee: drives vendor…
• Performance / Quality
• Control & Compliance
• Risk & Change Mgmt.
• Audits
• Volume Allocations
• Contingency plans
Slide 18: Extremely useful when managing vendors and risks
Centralized repository; Security
Portal for easy access
Clear, actionable management reports and well-designed workflow
systems
• Essential for accountability across the institution
Measure your level of dependence on critical suppliers
Build vs. Buy
Building a new third-party risk application from scratch is a big
undertaking;
• So too is enhancing a current risk tool to perform new functions
Consider “off-the-shelf” workflow and risk-management tools
Slide 19: Healthy, transparent and compliant
Consistency across vendors
• OK to manage according to risk segmentation
Documentation
• Policy & procedure; Roles & responsibilities
• Audit trail
Performance based criteria
Adequate staffing for oversight
• Number of resources
• Skill and competency
Executive engagement
• “Fingerprints everywhere”
Third-party relationships must be good for financial institution,
its vendors and consumers
Leverage technology where possible
Slide 20
For a copy of today’s presentation…
Scott Roller
Principal / Founder
3W Partners LLC
scott@3Wpartners.net
636.448.3713 cell
www.3Wpartners.net