Expanded Focus on Concentration Risk: Why Does it Matter?

Posted by CMPG Risk Solutions on Feb 14, 2017 2:06:00 AM


In our last blog post we shared the OCC’s Bulletin 2017-7, which outlines supplemental examination procedures for future regulatory exams—most notably the expanded focus on concentration risk. Today, we’ll take a quick look at why the OCC cares about dialing in the risk associated with geographical concentration of vendors (and perhaps more importantly, vendors’ vendors).

It’s no surprise that understanding the risks associated with your vendors is a much more complex process than it was 20 or even 10 years ago. Organizations not only have to evaluate their vendors, but also their vendors’ vendors (also known as fourth parties or subcontractors). This gets particularly tricky when it comes to concentration risk. For example, let’s say your organization outsources critical business services to vendors A, B, and C, and those three vendors all outsource to a common vendor, D. If vendor D’s services become unavailable due to a data breach or other event, vendors A, B, and C may not be able to service your organization without disruption. In this scenario, your organization must bear the risk of vendor failure, breach, and regulatory penalties.

Historically, the approach to mitigating concentration risk was to simply ask vendors via a vendor risk assessment questionnaire to provide additional information on the vendors and third-party providers they work with. Unfortunately, as vendor management grows in size and complexity, this approach contains several flaws.

First, questionnaires can be extremely limited in their effectiveness. While commonplace, they rely too heavily on human assessment and calculation. Their answers are also difficult to verify and provide no hard data; often, organizations must simply trust their vendors’ responses and hope they are accurate and true. The second issue with this approach is that, oftentimes, your vendors may not even know all of their vendors, or at least not to the extent you need to evaluate all potential risk.

Knowing all of this, it makes sense that the OCC would expand its examination focus on the validation of geographical concentration risk. We see this as an important next step in the evolution of industry best practices for vendor risk management, and we are already equipped and prepared for this increased focus with data management, analytics flexibility, and fourth-party tracking within our solutions and service offerings.

Loose documentation and voluntarily submitted information from vendors are inadequate methods of tracking, assessing and monitoring risk, and preparing for your next exam—especially when automated solutions exist that use data analytics to help you make educated decisions about vendor risk, and show examiners that every step along the way can be accounted for.

Topics: compliance management, concentration risk

VendorInsight® Responds to Nov. 10 FFIEC Update

Posted by CMPG Risk Solutions on Nov 17, 2015 2:50:00 AM

Last week on November 10th, the Federal Financial Institutions Examination Council (FFIEC) issued a revised Management booklet, which is part of the FFIEC Information Technology Examination Handbook. Information Technology governance and risk management were the key elements of the update. Cybersecurity as an element of Information Security was introduced as an expansion upon the definitions of Cybersecurity for third-party vendors published in February, as a part of the Appendix J addition to the IT Examination Handbook.

Given the expanded focus upon IT Risk Management, and the added requirement of Cybersecurity awareness, VendorInsight® has responded with changes to our standard Vendor Risk Assessment (VRA) and Information Security Questionnaire (ISQ) templates. These changes include confirming whether or not cloud computing is used in a vendor’s delivery of products or services, and validating a detailed understanding of the vendor’s Cybersecurity posture.

The revised VRA template will be available for client review in the "About" section of the "Tools" menu on the Client Access Portal on November 20th. The revised sample ISQ template will also be available to clients who have enabled the Vendor Relationship Profile and Policy Compliance (VRP/PCM) modules. Please contact your Program Administrator if you require assistance with updating your VRA master template or if you would like to receive the updated ISQ template.

Topics: compliance management, vendor management software, FFIEC

Role of Compliance Officers Shifts Toward Implementation as Costs Rise 65% In 3rd Quarter

Posted by CMPG Risk Solutions on Jan 8, 2014 3:16:00 AM

This article from Credit Union Times is concise and perhaps not as in-depth as we'd like, but it does continue a trend of articles we've read over the past year describing how the role of Risk and Compliance officers has changed dramatically. The article notes there has been a major shift from an emphasis on analysis to an emphasis on implementation. We have certainly witnessed this in the vendor risk management space in 2012 and 2013, and we continue to see it as an important evolutionary success factor in 2014 and beyond.

Because vendor risk management systems automate much of the data analysis and reporting, focus has shifted toward the creation of quality risk content – vendor assessment data and narrative – and toward the design and implementation of new workflows, with accountability for everyone to complete the vendor management process tasks that contribute to this data. Vendor management is a multi-faceted process that crosses many departmental boundaries and requires strong process design, controls and implementation efforts to be successful. Without accurate and timely task completion, analysis and reporting will not be accurate.

We think this is why more and more banks are relying on us to help them complete tasks like vendor due diligence and monitoring in a high-quality, timely manner, and also why they rely on us for insight into how to make sure that everything gets done accurately and on time. Good process design and experience with implementation are helpful. This strategic shift in emphasis for the risk and compliance officer, and their need to be able to rely on their partnership with an expert third-party risk management solution provider, validates our strategic direction and makes us feel good about being able to serve our customers' true business needs.

On a closing note, we were surprised to see that the average compliance cost for a financial institution rose by more than 65% in the third quarter of 2013 over 2012. That is even higher than our own research, which showed it at around 50%. Regardless, this is certainly a sign that financial institutions are tackling, rather than debating, the compliance and regulatory hurdles and challenges they face. As they do this, it will open the door for regulators to continue to advance guidance that raises the bar. Those not elevating their spending are being left behind. Playing catch-up can be not only difficult but also a potentially dangerous strategy.

Topics: compliance management, compliance officer

VendorInsider Blog

Insight into Vendor Management Best Practices, Challenges, Solutions and Trends from Industry Insiders

As one of the longest running and most advanced vendor management software solutions, the helpful people of VendorInsight® have a unique perspective on third-party risk, compliance and management. In the VendorInsider Blog, we share our insights on timely and relevant issues facing vendor managers. You can subscribe using the button below, or contact us with questions.
