During our recent three-day Vendor Management Bootcamp, we had a lot of GREAT questions come in. It was simply impossible to get to them all during the live sessions, so we have worked with the various speakers to compile the answers and make them available for all here.
Below you will find the questions and the speaker responses from Day 1, Session 2.
Day 1 - Session 2
Risk Assessment Workshop
This session was led by Venminder's Chief Risk Officer, Branan Cooper, who walked attendees through a risk assessment questionnaire and guided them in how to think about the answers.
The following answers were kindly provided by:
Q1: What are the "3 threshold questions you should ask" for vendor criticality?
Answer: "The questions are: Would a sudden loss of this vendor cause a material disruption to your institution? Would a sudden loss of this vendor impact your customer? Would the time to recover be greater than one business day?" Download our handy infographic that expands on this.
Q2: Have you had difficulties in discussions with a business line to determine if a product or service from the third party is Mission Critical or really just Business Critical to the business line instead of Mission Critical to the company?
Answer: "Yes, many times. Often had to risk rate at the business line level then aggregate at the company level."
Q3: What about private companies, such as Cox Cable? They won't provide any due diligence and they are rated as high risk.
Answer: "It requires some creativity - such as onsite visits, questionnaires, periodic meetings - and the willingness to either walk away from the relationship, make the best of what you can get or seek a formal exception (hopefully a process provided for this is in your policy or program document) from your Board."
Q4: How do you arrive at an overall vendor risk rating if your risk assessment process is activity driven? (e.g. you have a supplier/vendor delivering various types of services)
Answer: "Risk rate at the service/product level and then aggregate to the overall company level. Happens quite frequently – remember the FIS example I discussed in the session."
Q5: Should we differentiate between "vendors" and "third party relationships"? Or do we treat everyone the same?
Answer: "Eventually, we came to the realization that while we need to be "risk-based" in the approach, it's appropriate to treat anyone involved in the delivery of product or service to the customer or to the institution as a third party and thus, though risk-based, treat them the same generally. In other words, treat them all as third party relationships, even if they are just a classic supplier."
Q6: Would you recommend the same risk assessment for establishing initial inherent risk as well as periodic risk assessment?
Answer: "No, in the periodic one, I would add in performance-based questions to evaluate whether they are performing (SLAs, reporting, expense or revenue thresholds, etc.) as anticipated."
Q7: What is your perspective on performing an initial inherent risk assessment and if third parties meet a risk rating of Medium and higher they then go on to a more in-depth risk review and due diligence assessments. Medium Low and Low would not continue.
Answer: "My only caution in doing that is making sure that you have considered all factors. At first guess many people (if you have delegated any of this to the line of business) would say "oh, a shred vendor is low risk" when, in fact, they are high risk... If you're confident that it's an accurate pinpointing that's fine, but he'd still also subject all to due diligence requirements."
For more information related to risk assessments, download our whitepaper.
Q8: Today's discussion seems to be vendor specific. Have you seen organizations that risk assess every project addendum to a vendor's MSA?
Answer: "Certainly – we often looked at each new project and process as an opportunity for a risk assessment, particularly if we felt it would change the overall risk profile for the organization (adoption of mobile banking is easiest example). On this bootcamp we had a very wide range of banks and credit unions in terms of sophistication."
Q9: When should the risk assessment be completed? Guidance suggests doing it for the product or service being outsourced, but some of the questions are vendor-specific.
Answer: "I would do it for both the vendor and the specific product. I'd also do it any time a new product or service or new third party is being added. Obviously, some discretion and business discretion need to be applied so you're not spending time on each insignificant item (minor product or service)."
Q10: Regarding your discussion on this question: Is the vendor required to provide independent third party review of infosec system...were you thinking required by an examiner or by our own infosec area?
Answer: "Whichever is most appropriate – typically, we would ask for any reports by an examiner and then have our infosec team review. Absent that, I'd certainly have your infosec team do it."
Q11: Is it a requirement to conduct onsite visits for vendors?
Answer: "No, but it's certainly a best practice, particularly if you are unable to obtain the documentation needed for a Critical third party. I've had to do onsite visits to processors to have the chance to see their business continuity plan, for example. It can be costly, so hopefully, even for those intending to do site visits, you're not visiting all vendors, just Critical or High risk ones."
For more information on what to review for Critical third parties, download our infographic.
Q12: How to deal with private companies (not listed entities) not willing to provide financial statements?
Answer: "Consider alternatives such as an accountant's statement, a meeting between your financial analysts and theirs, pulling a Dun & Bradstreet, asking for references... but sometimes they simply won't provide and then you need to decide if you are willing to continue to work with them. Either way, document the effort."
Q13: How do you know if a vendor was subjected to an enforcement action?
Answer: "Require them to disclose it. The major regulators make enforcement actions public monthly. You can also usually find them in easy Google news or Google searches." Make sure you know how to also learn from those enforcement actions - read our blog post on this topic.
Q14: If you have a critical vendor that provides multiple products, do you perform a risk assessment for each product or just one for the vendor?
Answer: "Generally each product. Remember the FIS example discussed in the webinar."
Q15: Could you specify again what a reasonable break out of low, medium, high is? You mentioned about 20% high is normal?
Answer: "Varies heavily by institution, but if you have more than 25% of your vendors coming out as High inherent risk, I'd make sure you are calibrating it right – seems kind of high!"
Q16: Who should complete the VRA? Vendor Relationship Owner or Vendor Risk Manager?
Answer: "Ideally, the Vendor Risk Manager with significant input from all of the subject matters experts, particularly the relationship owner – that's the best practice, since it centralizes it and ensures accountability. But, it can be done by the relationship owner, and I've seen that model work as well – just requires terrific follow up."
Q17: We have heard from examiners that if a vendor handles sensitive customer information, they should be considered "Critical" for vendor management purposes. Any comments on that?
Answer: "In the definition I used, they would be High risk. Critical to me is business disruption. If they offer that as a specific recommendation, of course, defer to their direction to your institution but as you heard Mike Morris from PKM say as well, the rating systems used vary widely."
For the 3 key questions to ask to determine criticality, download our infographic.
Q18: Often a vendor provides the SOC for the Colo facility but not for the vendor themselves. If the vendor has access to NPPI should they be declined?
Answer: "I would ask them why they cannot provide for the vendor themselves. That would certainly raise many concerns for me – but perhaps there is a good reason. It may be the type of thing that you are willing to move away from the vendor for being unable to provide (sometimes, let's say a start-up or small company, they just haven't gotten there yet, but it would certainly raise concerns)."
Q19: Is there increased due diligence required for an insider affiliate vendor versus a non-insider (not affiliated with our organization) such as a leasing company?
Answer: "Absolutely – Due diligence should be risk based and tailored to the concerns you may have with a third party, not to mention the type of relationship."
Q20: Citing the FIS example, do you support assessing a third party at the highest level 1x vs. for each individual contract/service provided? More applicable for critical third parties.
Answer: "I support doing it at the product or subsidiary (or platform) level and then aggregating, but always being as conservative as possible."
Q21: FFIEC Outsourcing manual has some guidelines on what due diligence to do against vendor vetting and access - page 26.
Answer: "Agreed – we have tried to capture each of those in our risk assessment and due diligence processes that apply to the majority of our clients. Obviously certain financial institutions and certain lines of business may have additional due diligence requirements or risk assessment questions that are very specific."
Q22: Do your clients have governance teams for critical third parties? Can you describe the structure?
Answer: "In my experience, the best structure is one in which all of third party risk management is independent of the lines of business (to avoid undue influence) and reporting to the risk committee or the board. Thus, they would be responsible for all third party risk activities, with particular and appropriate level of attention paid to Critical third parties."
Learn how else we can help you, download our samples.