Vendor Management Best Practices: Is Your Program Up to Par?

2. 2  Principal & Founder – 3W Partners LLC  25 Years – Fortune 500 Companies • Telecom • Financial Services  Leadership Roles in • Global Vendor Management • Ops / Strategy / Re-engineering • Outsourcing / Training  TL9001 (“ISO for telecom”) • Certified Lead Auditor Regulators Gov’t Entities Ratings Agencies Others OCC, OTS, CFPB Fannie, Freddie, GAO Moody’s, Fitch, S&P ISO, Accounting firms Audited by…

3. 3 Brief History  Why the intense focus on vendors?  What led us here? Changing Landscape  Financial Crisis ~2008  Vendor management Prior to… and Now  Heightened regulator focus areas What Regulators Expect  12 Key Dimensions  Good resources to self-educate Technology & Tools  Increase you chances of success Third-Party Oversight & Governance (TPOG)

4. 4 Financial Crisis 2008 Vendor focus very limited: • Business continuity • Financial strength • Credit risk Prior to the Crisis Activities were outsourced • Unfortunately, so was vendor responsibility and accountability Vendors seen as a major contributing factor to the crisis Post-mortem Inadequate oversight from financial institutions Hidden risks when relationships are not managed closely Resulted in massive fraud and consumer distress

5. 5 Regulators have a renewed focus on third-party oversight Regulatory Response to the Financial Crisis OCC CFPB Federal Reserve Board FDIC NCUA Considerable Attention  Institutions must bear responsibility for supplier misdeeds • Numerous “casualties” already  Major focus on consumer interaction with vendors  Enterprise-wide engagement, especially executives  Push for independent reviews Will focus on 12 Key Dimensions today

6. 6 What I often see within the industry Programs are not overly mature  Financials  Continuity of business  Data and site security Hard to budget for vendor risk management Led by single group  Versus cross-section of the enterprise Not part of larger enterprise-wide Risk Program Minimal investment In Smaller Organizations  Lack of manpower  Inadequate skills  Problems often tied to 2nd tier vendors Have we learned anything from the financial crisis?

7. 7 Recent examples… and consequences Collectively, they paid a total of more than $530 million to settle complaints of deceptive selling and predatory behavior by their third-party suppliers. Source: http://www.mckinsey.com/insights/risk_management/managing_when_vendor_and_supplier_risk_becomes_your_own July 2013 Net Message: No one ever remembers the vendor name

8. 8 OCC CFPB Federal Reserve Board NCUA FDIC On Third-Party Oversight & Governance OCC Bulletin 2013-29 Supervisory Letter No.: 07-01 Letter: Guidance For Managing Third-Party Risk Bulletin 2012-03 Service Providers SR 13-19 Guidance on Managing Outsourcing Risk Fortunately, expectations resemble one another • OCC Bulletin 2001-47 • OCC Bulletin 2002-16: Foreign-Based Third-Party Service Providers • FDIC Compliance Manual, December 2012 • FIL-44-2008: Guidance for Managing Third-Party Risk • FIL-50-2001: Bank Technology Bulletin: Technology Outsourcing Information Documents • SR 00-4 (SUP): Outsourcing of Information Technology and Transaction • Processing

9. 9 Risk Classification Due Diligence On-Boarding Contracts Compliance Audits MIS / Reporting Scorecards Annual Certifications Complaint Handling Escalations Governance These cover most regulatory expectations Execute these well… satisfy your regulator(s)

10. 10 Risk Classification For effective third-party oversight  Risk-based segmentation  Scope and intensity of oversight is defined here  Must consider risks to… • Legal & Regulatory • Reputation • Sensitivity of data • Process complexity • Customer interface/impact • Public or private vendor • Domestic • Offshore • Core Bank Function • Non-Core • Number of similar suppliers • Percent of volume handled Other Considerations • Strategic (High) • Major (Med) • Basic (Low)

11. 11 On-Boarding Due Diligence  Assess the process of how suppliers are… • Sought • Vetted • Selected (and retained)  Consider vendor questionnaire and evaluation matrix  Have a plan to implement the vendor relationship • Technology, telecom, recruit, train (including compliance), etc.  Critical: System Entitlements • Limit vendor access to only what is “required” • Have a revocation process o Consider revoking within 24-hours of leaving

12. 12 Contracts  Regulators have specific expectations regarding vendor contracts  Examples of often-overlooked clauses: • Use of subcontractors • Termination for default • Compliance with laws • Privacy policy (sensitive info) • Electronic Transportable Media • Right to audit • Licensing • Indemnification • Notification of complaints • Handling of media inquiries • Service level monitoring • Limitation of liability • GSA “Excluded Party List” • HUD’s “Limited Denial of Participation” What is required of you … Is also required of ALL members of your “supply chain.” Make it contractual.

13. 13 Compliance Audits  Identify all relevant compliance requirements and document how requirements are being met  Regulatory updates and change management process effectiveness • Flow down to vendors (operations, contracts, scorecards, etc.)  Do your vendors... • “Say what they do?” (via Policy & Procedure Manual) • “Do what they say?” (can vendors demonstrate it?)  Have an audit schedule and comprehensive plan  Ensure risks are documented and controls are in place. • Strategic (High) • Major (Med) • Basic (Low) Risk Classification • Twice per year • Once per year • Every other year “Potential” Audit Frequency

14. 14 MIS / Reporting Scorecards  You need timely and effective reporting in all supplier relationships.  Demonstrate you have sufficient visibility and control. Hard to achieve safety and soundness without robust reporting  Identify key performance indicators (KPI)s, track and report on them.  Document vendor improvement plans. • Drive accountability.  Regular reviews. • Evidence of follow-up and actions o Warning notices o Training, certification o Volume adjustments o Expanded or decreased scope of work

15. 15 Annual Certifications  Re-certify vendors annually. No more • Financials • Licensing • Insurance • Data security • Capacity / Staffing • SLA performance • Process reviews • Compliance • Customer impact • Fees & incentives • Use of subcontractors • Training (especially compliance) • Business continuity • Audit results • Complaints • Media attention • Pending litigation • Mergers & Acquisitions • Ownership changes • Compensation practices Very labor intensive dimension  Keeping up with all changes: Yours, vendors, regulators, etc. • Assessing the impacts annually, at minimum. Due Diligence

16. 16 Complaint Handling  Requires an effective method of capturing, responding to and resolving complaints. • Especially where suppliers are involved.  Complaint source and severity: Major, Moderate, Minor.  Linkage of root cause back to the operation.  Report to senior leadership. Escalations  When supplier problems arise, must have effective identification, escalation and management of issues.  Escalate to appropriate levels. Special review committee?  Examples: • Bad press • Multiple system outages • Multiple complaints • SLAs repeatedly not met • Downgraded financials • Fraud event • Audit findings Define your future reactions

17. 17 Governance  Senior executive and/or Board Member engagement • “Fingerprints everywhere” o Drive and approve policy o Monitor vendor platform (via regular readouts) At-will access to vendor results o Sign-off on vendor selection and recertification (and action/exit) o Audit trail of their engagement  Proposed: Two Tier Governance Model Executive Committee Operations Committee Drive Vendor… • Performance / Quality • Control & Compliance • Risk & Change Mgmt. • Audits • Volume Allocations • Contingency plans Sets “TONE at the TOP” • Strategic Alignment • Risk appetite • Policy • Verify adequate oversight • Ask questions • Approve, Suspend & Terminate

18. Extremely useful when managing vendors and risks  Centralized repository; Security  Portal for easy access  Clear, actionable management reports and well-designed workflow systems • Essential for accountability across the institution  Measure your level of dependence on critical suppliers Build vs. Buy  Building a new third-party risk application from scratch is a big undertaking; • So too is enhancing a current risk tool to perform new functions  Consider “off-the-shelf” workflow and risk-management tools 18

19.  Healthy, transparent and compliant  Consistency across vendors • OK to manage according to risk segmentation  Documentation • Policy & procedure; Roles & responsibilities • Audit trail  Performance based criteria  Adequate staffing for oversight • Number of resources • Skill and competency  Executive engagement • “Fingerprints everywhere” 19 Third-party relationships must be good for financial institution, its vendors and consumers Leverage technology where possible

20. 20 Questions? Scott Roller Principal / Founder 3W Partners LLC scott@3Wpartners.net 636.448.3713 cell www.3Wpartners.net Sponsored by…

Vendor Management Best Practices: Is Your Program Up to Par?

EDR

Vendor Management Best Practices: Is Your Program Up to Par?