In our last blog post we shared the OCC’s Bulletin 2017-7, which outlines supplemental examination procedures for future regulatory exams—most notably the expanded focus on concentration risk. Today, we’ll take a quick look at why the OCC cares about dialing in the risk associated with geographical concentration of vendors (and perhaps more importantly, vendors’ vendors).
It’s no surprise that understanding the risks associated with your vendors is a much more complex process than it was 20 or even 10 years ago. Organizations not only have to evaluate their vendors, but also their vendors’ vendors (aka fourth-parties or subcontractors). This gets particularly tricky when it comes to concentration risk. For example: Let’s say your organization outsources critical business services to vendors A, B, and C, and those three vendors all outsource to a common vendor, D. If vendor D’s services become unavailable due to a data breach or other event, vendors A, B, and C may not be able to service your organization without disruption. In this scenario, your organization must bear the risk of vendor failure, breach, and regulatory penalties.
Historically, the approach to mitigating concentration risk was to simply ask vendors via a vendor risk assessment questionnaire to provide additional information on the vendors and third-party providers they work with. Unfortunately, as vendor management grows in size and complexity, this approach contains several flaws.
First, questionnaires can be extremely limited in their effectiveness. While commonplace, they rely too heavily on human assessment and calculation. They are also not the most verifiable, nor do they provide hard data; often, organizations must simply trust their vendors’ responses and hope they are accurate and true. The second issue with this approach is that often times, your vendors may not even know all of their vendors, or at least not to the extent you need to evaluate all potential risk.
Knowing all of this, it makes sense that the OCC would expand their examination focus on the validation of geographical concentration risk. We see this as an important next step for the evolution of industry best practices for vendor risk management, and we are already equipped and prepared for this increased focus with data management, analytics flexibility, and fourth-party tracking within our solutions and service offerings.
Loose documentation and voluntarily submitted information from vendors are inadequate methods of tracking, assessing and monitoring risk, and preparing for your next exam—especially when automated solutions exist that use data analytics to help you make educated decisions about vendor risk, and show examiners that every step along the way can be accounted for.