Expanded Focus on Concentration Risk: Why Does it Matter?

Posted by CMPG Risk Solutions on Feb 14, 2017 2:06:00 AM


In our last blog post we shared the OCC’s Bulletin 2017-7, which outlines supplemental examination procedures for future regulatory exams—most notably the expanded focus on concentration risk. Today, we’ll take a quick look at why the OCC cares about dialing in the risk associated with geographical concentration of vendors (and perhaps more importantly, vendors’ vendors).

It’s no surprise that understanding the risks associated with your vendors is a much more complex process than it was 20 or even 10 years ago. Organizations not only have to evaluate their vendors, but also their vendors’ vendors (aka fourth parties or subcontractors). This gets particularly tricky when it comes to concentration risk. For example, let’s say your organization outsources critical business services to vendors A, B, and C, and those three vendors all outsource to a common vendor, D. If vendor D’s services become unavailable due to a data breach or other event, vendors A, B, and C may not be able to service your organization without disruption. In this scenario, your organization must bear the risk of vendor failure, breach, and regulatory penalties.

Historically, the approach to mitigating concentration risk was to simply ask vendors via a vendor risk assessment questionnaire to provide additional information on the vendors and third-party providers they work with. Unfortunately, as vendor management grows in size and complexity, this approach contains several flaws.

First, questionnaires can be extremely limited in their effectiveness. While commonplace, they rely too heavily on human assessment and calculation. Their answers are also difficult to verify and do not provide hard data; often, organizations must simply trust their vendors’ responses and hope they are accurate and true. Second, your vendors may not even know all of their own vendors, or at least not to the extent you need to evaluate all potential risk.

Knowing all of this, it makes sense that the OCC would expand its examination focus on the validation of geographical concentration risk. We see this as an important next step for the evolution of industry best practices for vendor risk management, and we are already equipped and prepared for this increased focus with data management, analytics flexibility, and fourth-party tracking within our solutions and service offerings.

Loose documentation and voluntarily submitted information from vendors are inadequate methods of tracking, assessing and monitoring risk, and preparing for your next exam—especially when automated solutions exist that use data analytics to help you make educated decisions about vendor risk, and show examiners that every step along the way can be accounted for.

Topics: compliance management, concentration risk

The OCC Details Concentration Risk Examination Procedures

Posted by CMPG Risk Solutions on Jan 27, 2017 2:29:00 AM

On January 24, 2017, the OCC published a bulletin with the subject "Third-Party Relationships," followed by the description "Supplemental Examination Procedures." Within the bulletin is a link to the actual supplemental examination procedures for future examinations (links to the OCC Bulletin 2017-7 and the supplemental exam procedures can be found at the bottom of this post).

The supplemental procedures document states,

“These procedures are designed to help examiners tailor the examinations of national banks and federal savings associations (collectively, banks) and determine the scope of the third-party risk management examination.”

The specificity as to an expanded focus on concentration risk is found under the heading "Quantity of Risk" on page four of the document, beneath “Objective: To determine the quantity of operational risk associated with the use of third parties."

Concentration Risk examination validation is detailed in the following passage and associated footnote:

“1. Determine whether there are any concentrations among third-party relationships.
• Review the bank’s methodology for identifying concentrations among third-party relationships
• Determine whether there are concentrations due to the bank’s reliance on a single third party for multiple activities, particularly when several of the activities are critical to one or more lines of business
• Determine whether there are geographic concentrations where the bank’s own operations, the operations of its third parties, or the operations of third parties’ subcontractors are located in the same region or are dependent on the same critical power and telecommunications infrastructures.”

“(Footnote 7) Concentrations may arise when a bank relies on a single third party for multiple activities, particularly when several of the activities are critical to bank operations. Additionally, geographic concentrations can arise when a bank’s own operations, and that of its third parties and subcontractors, are located in the same region or are dependent on the same critical power and telecommunications infrastructures.”

The implication is clear: vendor management organizations have been given a new challenge. It should be no surprise that organizations are required to understand service concentration in a single vendor; the new piece being introduced here is how to validate geographical concentration. At VendorInsight®, we have developed our software with data management capabilities and analytics flexibility. We are currently working with our existing clients to detail and manage these new examination expectations. If you are not our client (yet), how, and when, are your providers addressing this just-announced expectation? It is a fair question you should be asking.

As most know, what the OCC defines, many of the remaining regulators will follow or formally adopt.

Topics: concentration risk, OCC

VendorInsider Blog

Insight into Vendor Management Best Practices, Challenges, Solutions and Trends from Industry Insiders

As one of the longest running and most advanced vendor management software solutions, the helpful people of VendorInsight® have a unique perspective on third-party risk, compliance and management. In the VendorInsider Blog, we share our insights on timely and relevant issues facing vendor managers. You can subscribe using the button below, or contact us with questions.
