How to Handle Problematic Third-Party Vendors
Many companies rely heavily on third-party vendors to meet both contractual obligations and consumer demand. Such business relationships, however, bring with them the risk of disruptive natural and human-made events.
Even the most reliable vendors can suddenly and unexpectedly perform poorly, causing a previously healthy and mutually beneficial relationship to head south. When faced with such a dilemma, what can be done to fix a problematic vendor’s performance? And at what point is the decision made to terminate a relationship with a vendor?
How Much Vendor Oversight Should Your Company be Performing?
It’s a common practice for enterprises to conduct due diligence on any prospective third-party vendor. But why do so many organizations fail to regularly evaluate their existing vendors?
A poorly managed vendor oversight program is a pain point for any institution hoping to function smoothly and efficiently. Without a consistent program for managing vendor risk, banks and financial institutions in particular face non-compliance with government regulations, which poses financial risk and can also damage a company’s reputation.
The Importance of Fourth-Party Vendor Tracking
Third-party vendor breaches are on the rise, but what about fourth-party risk? A fourth party is a subcontractor to your vendor: someone your vendor relies on or outsources work to. As vendors outsource and subcontract critical activities, both your vendor’s effectiveness and the risk to you increasingly depend on these fourth parties.
They go by a lot of names, including providers and strategic partners, and can provide bill pay, mobile banking, core processing, legal or other services.
Let VendorInsight® Perform Your On-Site Vendor Visits
Vendors are increasingly important for banks as they can perform consulting, process transactions, reduce costs and implement controls, all while directing your focus to core business functions and objectives. How many of your bank’s products depend on multiple vendors? How many of your vendors are managing your customers’ private data? For these reasons, regulators have been demanding that banks keep closer tabs on their relationships with third-party vendors.
Is Hiring a Vendor Manager Worth the Hassle?
Whether managing risk in one department or throughout the enterprise, analyzing and selecting the best vendor at the right price, delivered in a timely fashion, is a critical part of the risk management process.
That’s where vendor managers come in. A vendor manager facilitates the relationship between the business and its vendors while making sure contractual obligations and compliance requirements are met.
Similarities Between VendorInsight® and Green Icebergs in Antarctica
Icebergs are normally blue, but a few Antarctic icebergs are green, and scientists may know why. These icebergs contain high levels of iron and may serve a greater purpose: as the green icebergs float out into the ocean and melt, they deliver that iron to phytoplankton, which take it up as a nutrient.
Delivering Vendor Risk Management Solutions
In the current economic climate, risk management is more important than ever. Companies only beginning to develop risk management programs haven’t yet realized the potential benefits of a structured solution for managing vendors: lower costs and risk, and a competitive advantage over organizations that aren’t managing theirs.
7 Ways Automating Your Vendor Management Can Deliver ROI
Without a structured vendor management solution, your company is probably losing money every year by overspending on third-party contracts. The fix is to optimize vendor spend and cut the staff time spent on management. More and more companies do this by automating their vendor management, using web or cloud-based solutions that handle most or all of these tasks, each with its own set of features.
Why Having a User Group Matters
Have you ever wished that a piece of software could be updated and tailored as your organization’s needs change? Most industries today are constantly evolving as technology is accepted and integrated. This is why choosing a vendor management software tool that has a user group is so important. User groups provide valuable insight into customer needs and improve the software for everyone involved.
If You Collect Data on It, You Can Create a Report for It
No two companies are exactly alike – in the way they operate or in the way they manage their vendors. The same is also true of a company’s reporting needs. One leadership team may have a different priority or consider a different metric to be mission critical. Regulatory teams or auditors may ask for data based on their current priorities.
Market Risk Alerts: Why Vendor News Monitoring is Valuable to Your Company
Scouring hundreds of news sites in search of any mention of your vendor companies or setting up electronic alerts to notify you when a crucial supplier makes headlines – this can sometimes seem like a waste of time. In fact, when done right, vendor news monitoring delivers significant value to your organization.
It’s that time of year – prepping budgets for the upcoming calendar year. As you think about your resource allocation, consider outsourcing as an alternative to increasing staff to complete your due diligence review.
Organizations often have very few employees working in vendor management, leading to heavy workloads. Manually tracking, monitoring, and reviewing vendors consumes vast amounts of time and resources. About half of financial organizations do not use an automated vendor management platform for tracking and assessing vendors. Adopting an automated vendor management system not only lets organizations become proactive while easily staying on top of due diligence, but also delivers insight into the effectiveness of your compliance strategy.
By now, many organizations have begun to receive control audit reports covering 2017 (SOC1/SSAE18 and SOC2). One element of note is the emergence of subservice organizations, or fourth parties, in reports generated after May 1, 2017.
It is interesting to see underlying providers (fourth parties) revealed in the updated reporting formats. While the new formats deliberately define what is being performed by contracted fourth parties, the disclosure of who performs that work is often less revealing than we expected or hoped. At times a fog is placed over the identities of fourth parties: phrases like "industry-recognized third party" or "subservice organization" stand in for the names of the companies to which your vendors have outsourced responsibilities.
The new tax plan is enabling many banks to invest in technology that helps them be more competitive, and vendor management is leading the way.
At this year's ABA National Conference for Community Bankers (NCCB), ABA President Rob Nichols discussed how banks are already spending based on savings they'll see under the new tax plan. According to ABA polling, banks are reinvesting their projected tax savings in their employees, customer growth, philanthropic activities, and technology to help them gain a competitive edge. This is going to put pressure on other banks to invest or get left behind.
New Year, Same Story
The Office of the Comptroller of the Currency’s (OCC) Committee on Bank Supervision (CBS) released its annual operating plan setting forth the agency’s supervision priorities and objectives for fiscal year (FY) 2018 (October 1, 2017 through September 30, 2018). A direct link to the operating plan is at the bottom of this post.
New year, new focus right? New priorities. New objectives. Well… not exactly.
If you’re familiar with the OCC’s past FY operating plans, you will likely experience déjà vu reading through the FY 2018 plan. But just because this plan echoes prior years doesn’t mean it should be disregarded. The OCC hasn’t shifted its focus or priorities much, and that means we shouldn’t either.
Once again, if risk management is the target, third party relationships are at the bullseye.
The Midsize and Community Bank Supervision (MCBS) Department’s FY 2018 focus is operational risk. That means assessing information security, data protection, and third party risk management, i.e. the risks associated with third party relationships as defined in OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance”. Specifically, examiners will evaluate bank management’s plans to respond to increasing operational risk arising from third party relationships, including outsourcing providers.
Furthermore, midsize and community banks will be assessed on enterprise data governance, including vendor and third party management, which typically influences systems capacity, testing, security, sharing, monitoring, and retention.
One particularly interesting piece of the operating plan is the section on service providers, specifically the pending evaluation of their interconnectivity and third party risk management. While your bank is being assessed on third party vendor risk management, your third party vendors will be assessed on their own third party relationships (that is, your fourth party vendor relationships). This is likely a response to SSAE 18, effective May 1, 2017, which requires service organizations to address their subservice organizations, your fourth parties, in their reports.
This much is certain: the OCC has and continues to express concern for interconnectivity and interdependency of third party vendor relationships. Banks will need to demonstrate a resilient and well-defined program for identifying, assessing, and managing third and fourth party risk. They will need to be aware and proactively working to prevent any gaps in the planning, due diligence, oversight, and control of their vendor relationships.
FY 2018’s operating plan priorities and focus might not be too different from past years, but that means that if your bank’s vendor management program has slid under the OCC’s radar in past years, 2018 is the year to tighten up your vendor management program before they (inevitably) do come knocking. The best way to ensure you’re in compliance with the latest regulatory guidance? A professional, automated vendor management solution.
VendorInsight® helps banks by providing a centralized, easy to use platform for all of your vendor management needs. We give you the tools to help automate your vendor management process and strengthen your program. VendorInsight® due diligence services provide annual updates to your SSAE18/SOC reviews, financial reviews, OFAC verifications and more.
To talk with a VendorInsight® team member about how we can help strengthen your vendor management program in preparation for the OCC’s 2018 examination priorities, follow the link below:
"Financial institutions are upping their investments in change programs, and experts say credit unions that ignore this trend could be left in the competitive dust."
Our very own Jay Fitzhugh, VRM Pro Director and Chief Regulatory Advisor for VendorInsight, was interviewed by Credit Union Times Magazine for an article titled "Pouring Money Into Change Programs." Jay was sought for his insight stemming from over 20 years working in the financial world.
To see the full article to read what he has to say about change programs for credit unions, follow the link below:
Single sign-on (SSO) lets a user authenticate once, with a single set of login credentials (username and password), and then access multiple applications for the rest of the session. The user logs in manually at one site or application, the identity provider (IdP), and is then logged in automatically, without presenting credentials again, at one or more other sites or applications, the service providers (SPs).
Beyond streamlining the user’s day, SSO also helps on the back end: account monitoring and the log of sign-in activity are centralized at the IdP rather than scattered across every application.
The Security Assertion Markup Language (SAML) v2.0 supports two single sign-on flows: IdP-initiated and SP-initiated. In IdP-initiated SSO, the user starts at the IdP site, logs in, and clicks a link to the SP; the IdP then sends an unsolicited assertion to the SP, which establishes the session.
In SP-initiated SSO, the user starts at the service provider site. Rather than logging in at the SP, the user is redirected to the IdP with an authentication request; if the user already has a session at the IdP they are returned to the SP without re-entering credentials, otherwise the IdP prompts for them first.
At the end of a user’s session there are likewise two single logout (SLO) flows, IdP-initiated and SP-initiated. In IdP-initiated SLO, the user starts at the IdP site and clicks a logout link, and the IdP terminates the user’s session at every SP that shares the SSO session.
In SP-initiated SLO, the user again begins at a service provider site and clicks its logout link. That SP sends a logout request to the IdP, which ends the IdP session and in turn logs the user out of every other SP participating in it.
While single sign-on is highly sought after by users for the convenience it provides, organizations should also weigh the risk it concentrates in one place. If an attacker gains control of a user’s SSO credentials, they have access to every SP site and application that user is permitted to use, so the damage from one compromised password is multiplied; strong authentication at the IdP matters correspondingly more. The arrangement also rests on a relationship of trust between the identity provider and the service providers. An SP accepts that the IdP has authenticated the user, so before granting a session it must verify that each assertion really came from that IdP (a valid signature), was issued for this SP (the audience), and is still within its validity window.
VendorInsight supports single sign-on via the SAML v2.0 Assertions, Protocol, Bindings and Profiles as defined by the OASIS standard. For more detailed information please refer to the SAML v2.0 specification documents at www.oasis-open.org.
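The checks a service provider has to run on a SAML response before it trusts the IdP’s assertion, as an added example (not VendorInsight’s code or the OASIS reference material): it tells the SP-initiated flow from the IdP-initiated one by the InResponseTo attribute, rejects replays of consumed request IDs, and enforces issuer, audience, recipient and validity window. The entity IDs, URLs and the sample response are constructed, and the signature check only tests that a ds:Signature element is present; a real deployment must verify it against the IdP certificate with an XML-DSig library.

```python
"""Checks a SAML 2.0 service provider (SP) runs on a <samlp:Response> before it
trusts the identity provider's assertion. Added example; the entity IDs, URLs
and sample response are constructed, not VendorInsight's."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical identifiers for this SP and the one IdP it trusts.
SP_ENTITY_ID = "https://sp.example.test/metadata"
ACS_URL = "https://sp.example.test/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test/metadata"


def parse_saml_time(value):
    # xs:dateTime in UTC ("2018-01-15T12:00:00Z"), fractional seconds optional.
    base = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in base else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(base, fmt).replace(tzinfo=timezone.utc)


def validate_response(xml_text, pending_request_ids, now,
                      allow_unsolicited=False, skew=timedelta(minutes=3)):
    """Return {'ok', 'flow', 'name_id', 'errors'}; create a session only when ok."""
    errors = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return {"ok": False, "flow": None, "name_id": None,
                "errors": ["not a samlp:Response"]}
    if root.get("Destination") != ACS_URL:
        errors.append("Destination is not this SP's ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("status is not Success")

    # InResponseTo tells the two flows apart. SP-initiated: it must echo an
    # AuthnRequest ID we issued and have not yet consumed (replay check).
    # IdP-initiated: the response is unsolicited, so there is nothing to
    # match; accept that only where the deployment has opted in.
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        flow = "idp-initiated"
        if not allow_unsolicited:
            errors.append("unsolicited (IdP-initiated) response not allowed")
    else:
        flow = "sp-initiated"
        if in_response_to not in pending_request_ids:
            errors.append("InResponseTo matches no pending AuthnRequest")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        errors.append("no saml:Assertion present")
        return {"ok": False, "flow": flow, "name_id": None, "errors": errors}
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        errors.append("assertion Issuer is not the trusted IdP")
    # Only the presence of ds:Signature is checked here; verifying it against
    # the IdP certificate needs an XML-DSig library and is mandatory.
    if assertion.find("ds:Signature", NS) is None:
        errors.append("assertion is not signed")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        errors.append("assertion has no Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < parse_saml_time(not_before):
            errors.append("assertion not yet valid (NotBefore)")
        if not_on_or_after is None or now - skew >= parse_saml_time(not_on_or_after):
            errors.append("assertion expired or has no NotOnOrAfter")
        audiences = [a.text for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            errors.append("assertion was issued for a different audience")

    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != ACS_URL
            or scd.get("InResponseTo") != in_response_to):
        errors.append("SubjectConfirmationData not bound to this ACS/request")

    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return {"ok": not errors, "flow": flow, "name_id": name_id, "errors": errors}


def make_response(in_response_to, not_before, not_on_or_after,
                  audience=SP_ENTITY_ID, signed=True):
    """Constructed sample response; the ds:Signature element is a placeholder."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"/>' if signed else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="{not_before}" Destination="{ACS_URL}"{irt}>
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>{sig}
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}"{irt}
            NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Call `validate_response(xml, pending_ids, now)` from the assertion consumer endpoint and, on success, remove the matched ID from `pending_ids` so the same response cannot be replayed. Parsing attacker-supplied XML with the standard library is only acceptable on a current interpreter; in production use defusedxml (or the parser your SAML library ships) and leave the signature verification to that library rather than to the presence check above.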
To learn more about this feature and how it works within the VendorInsight risk management software, please contact a team member using the link below and we will follow up with you as soon as possible.
Remember the FFIEC’s 2015 Appendix J addition to the Examination Handbook? The addition covered business continuity planning for your technology service providers (TSPs). Appendix J presented a new standard for TSP contractual requirements—its purpose to strengthen the resilience of outsourced technology services—which regulators expected financial institutions to adopt and implement moving forward.
Moving ahead to 2017, two years after Appendix J was introduced, the FDIC’s Office of Inspector General evaluated TSP contracts as they pertain to the third party vendor management responsibilities of insured and supervised financial institutions. The evaluation, which sought to determine how effective the prior guidance had been in altering TSP contract terms, focused on cybersecurity readiness and responsibility and on the use of subcontractors (your fourth parties).
In response to the findings of their evaluation, the Office of the Inspector General (IG) of the FDIC issued EVAL-17-004. According to the report, the IG, “did not see evidence, in the form of risk assessments of contract due diligence, that most of the FDIC-supervised FIs we reviewed fully considered and assessed the potential impact and risk that TSPs may have on the FI’s ability to manage its own business continuity planning and incident response and reporting operations.”
The report went on…
“Typically, FI contracts with TSPs did not clearly address TSP responsibilities and lacked specific contract provisions to protect FI interests or preserve FI rights. Contracts also did not sufficiently define key terminology related to business continuity and incident response.”
This is not the outcome any of us would have expected.
As a result, the FDIC Inspector General has laid out a few recommendations. First, the Division of Risk Management Supervision (RMS) of the FDIC must communicate to FIs the importance of fully considering and assessing the risks that TSPs present. FIs must ensure that contracts with TSPs include specific and detailed provisions that address FI-identified risks and protect FI interests. And finally, FIs must clearly define key contract terms that would be important in understanding FI and TSP rights and responsibilities.
In the meantime, it may be wise for your organization to revisit and freshen up on the 2015 FFIEC Appendix J addition to the Examination Handbook, and be aware of the possible implications this report may have on future examinations.
In the wake of launching Procipient® ERM-GRC, our newest SaaS solution for banks and other financial institutions, we thought it valuable to take a moment and reflect on “why?” Why would CMPG, LLC, creator of VendorInsight® third and fourth party risk management software and BCPInsight business continuity software, decide to add an enterprise risk management and GRC software to their lineup?
CMPG, LLC was founded in 1998 as a performance consultancy firm for banks and other financial institutions. From inception to today, its mission hasn’t changed: the CMPG team exists to help bank executives and boards identify and implement significant improvements in the areas of non-interest expense, revenue, staffing and productivity, banking technology, and process improvements.
As a part of this mission, CMPG launched VendorInsight® in 2008 which was met with widespread adoption and acclaim—still occupying a top position in the industry nearly 10 years later as one of the most sophisticated and fully-featured software solutions available. And now, the CMPG team has heard the cry for an improvement to the way banks run their ERM programs—and their mission statement propels them to answer the call.
We sat down with some of the executive team members to bring you an inside look at the making of Procipient®, and why it matters now:
1. Why is the need for a new automated ERM-GRC solution significant right now, in 2017?
Grant Karnes (CEO): “Our ears are always open to our customers, regulators, and other industry professionals. The feedback we had been hearing boiled down to regulators putting pressure on financial institutions to take a comprehensive approach to managing their enterprise risk, and Chief Risk Officers feeling that all of their options for an ERM program were poorly designed and difficult to use. When Deloitte released their 2017 Extended Enterprise Risk Management Global Survey Report earlier this year, calling out Governance and Risk Management processes as being key areas where organizations are struggling, our team was already putting the finishing touches on our solution to the problem: Procipient® ERM-GRC.”
2. What sets Procipient apart from other SaaS solutions that have tried to accomplish the same goal?
Grant Karnes (CEO): “For one thing, our company is founded on the principle that customer satisfaction is equally important to having great software features. It doesn’t matter how powerful our reporting features are if we’ve made them too complicated for customers to fully utilize, so our team has worked very hard to live in that sweet spot where sophistication and simplicity meet. We conducted a soft launch of Procipient® in May 2017 to current VendorInsight® customers during our annual User Group Meeting, where it held up to the ease-of-use standard our customers have grown used to. Enterprise Risk Management and GRC truly are simplified with Procipient®.”
3. We use the words “simple” and “easy to use” a lot around here. How will Procipient® simplify Enterprise Risk Management?
Grant Karnes (CEO): “We know that many organizations are currently combining several different platforms in order to meet their Enterprise Risk Management needs, which was also indicated by over half of the respondents in Deloitte’s 2017 global survey. Procipient® addresses ERM needs at all angles with fully integrated and turnkey functionality. And because we know that every enterprise is unique, Procipient® can be fully customized and configured as well."
Jay Fitzhugh (Chief Regulatory Advisor): “I would also add that we’ve redefined simple tangibly with the design and features of the software itself. Procipient® makes it easy to see, understand, and maintain data. When you see the Risk Matrix Filtering, which transcends all data and reporting views in Procipient®, you suddenly get it.”
In the end, Procipient® will be put to a multifaceted test. It must help Chief Risk Officers assess and oversee the management of their enterprise risk and compliance, and it has to be friendly enough to help users manage a lot of complex data in the system. Focusing on helping customers overcome the challenges of poor integration, data maintenance, and difficult user interfaces is what has made CMPG successful for nearly 20 years now. Procipient® and its thoughtful design will extend that legacy.