Criticality and Vendor Oversight Podcast
Is your vendor critical to your operations?
When determining your level of oversight on a vendor, you’ll clearly want to determine the criticality first - whether the vendor is critical or non-critical. This is an essential and ongoing process for mitigating vendor risk. Listen to this podcast to help guide you through the process.
Hello everyone and thank you for joining me today for our Third Party Thursday podcast. I’m Steve Greenfield, Director of Third Party Risk here at Venminder.
The question submitted was: Other than criticality, what drivers do you believe drive the level of oversight you exercise over a third party? This is a great question, and I was thankful that I had the opportunity to answer it for the listener. Oftentimes in vendor risk management, I think we fall foul of two behaviors:
- We tend to oversimplify our approach, or we throw common sense completely out of the window and come down with a bad case of paralysis by analysis. I’d encourage a common-sense approach that takes into consideration the vendor type or service and really thinks about how the use of the particular vendor may have an impact on your organization or your consumer.
When determining your level of oversight on a vendor, you’ll clearly want to determine the criticality of the vendor. And there is a simple litmus test. If the vendor suffers a system outage for 1, 2, 3 days, could your organization actually function? Examples may include your core processing system or loan origination system. In these instances, it’s highly unlikely that you will have a backup system, simply because of the cost of licensing a product you aren’t using on a full-time basis or the cost of managing a secondary system which requires system updates to keep up with regulatory compliance changes. Frankly, keeping up your primary core or LOS system is a full-time task.
- The other drivers which complement the initial criticality rating can be linked to the 'What If Scenario' approach. The 'what if' approach is simply looking at what could go wrong with the use of a vendor and how it may impact areas such as reputational, litigation, financial, regulatory compliance, operational and strategic risks.
The key is that many of these risks may apply regardless of whether the vendor has been classified as a critical or high risk vendor, so in some respects the oversight practices may be very similar. The difference might be that should a high risk vendor fail because of XYZ, they should be easier to replace to minimize disruption. The difference here is that with the critical vendor, not only would you perform the appropriate due diligence, but you have to really focus on the fundamentals such as BCP, DR, etc. There is a fine line between critical and high risk vendors.
A standout risk is clearly potential harm to your consumer. Avoiding negative consumer impact is one of the primary goals of every regulatory agency and has been well demonstrated by the enforcement actions listed under UDAAP by the Consumer Financial Protection Bureau and others such as the OCC, FDIC and FTC. These risk factors of failing to serve or misleading a consumer are good pointers in driving your level of oversight, and this leads into regulatory compliance.
In many cases, your vendor will fall under the same regulatory requirements as the financial institution, so it’s important to recognize that each vendor has a robust compliance management framework. The rule of thumb for your internal vendor risk management team is that they understand regulatory compliance and how each regulation applies to the different vendor types. Examples may include sub-servicing and ECOA, an AMC and Appraisal Independence Requirements, or a Credit Reporting Agency and the Fair Credit Reporting Act.
Outside of criticality and regulatory compliance, data security of your consumers’ NPPI data will really force your organization to drill down on not only your internal controls but those of your third and fourth party vendors. With data breaches being traced back to a third party 63% of the time, this highlights that data privacy risk is everywhere. In some regards, I think this levels the playing field in terms of risk among many vendor types. Even a non-critical vendor may be accessing NPPI, and should the vendor suffer a data breach, you will be left managing through a very messy process of root cause analysis and answering to your board and the examiners.
As a final thought on an additional driver, I would highlight the fact that assessment findings can help in determining the actual frequency of the oversight practice. Critical and high risk rated vendors should have a minimum annual assessment which covers financials, BCP, DR and information security, and based on the findings and remediation required, the frequency could actually increase. Use SLA performance data and first-line-of-business feedback to help determine where your focus needs to be. By doing so, you’ll have developed an oversight program based on fundamental best practices and common sense. Do not overthink it.
I hope you found this podcast helpful. If you haven’t already done so, please subscribe to our Third Party Thursday series. I am Steve Greenfield, Director of Third Party Risk at Venminder. Until next time, trust but verify.