Are you prepared to manage the current challenges, risks, and complexities related to vendor risk management in the financial industry? In summer 2014, in association with MetricStream, RMA conducted the Third-Party Vendor Risk Management Survey. This presentation brings you the highlights of the survey and some sound advice to manage your third- and fourth-party suppliers.
2. Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
JOIN. ENGAGE. LEAD.
THE THIRD-PARTY/VENDOR RISK MANAGEMENT SURVEY
The survey was conducted between June and August 2014 by RMA, in association with MetricStream. It sought to:
1. Capture the range of practices in third-party/vendor risk management (VRM) over a cross section of RMA member institutions.
2. Gather detailed information on some of the key challenges that banks and other financial institutions are facing.
SURVEY FOCUS
• Vendor management framework
• Vendor selection and monitoring process
• Critical vendors and critical activities
• Fourth-party suppliers
• Tools and techniques
• Contracts
• Reporting
• Regulatory and compliance
WHAT WE FOUND
1. For most of the responding organizations, the vendor management programs are still in their nascent stage.
2. Third party relationships have evolved beyond the traditional models of goods and service providers.
VENDOR MANAGEMENT FRAMEWORK
Some of the bigger organizations surveyed have thousands of supplier relationships to manage, which is extremely difficult without a mature vendor governance framework.
VENDOR SELECTION AND MONITORING PROCESS
Financial institutions should conduct continuous in-depth assessments on the third party’s capability to perform the activities commensurate with the risk and complexity of the relationship.
VENDOR SELECTION AND MONITORING PROCESS (CONT.)
Each institution surveyed has multiple areas or SMEs for vendor selection and due diligence of third parties.
Key groups conducting secondary supplier risk assessments:
• Information security
• Information technology
• BCM
• Legal
CRITICAL VENDORS (CONT.)
• For most of the surveyed organizations, the number of enterprise critical suppliers ranges from 3 to 15.
• Risk and spend are the primary factors when segmenting suppliers on the basis of criticality.
[Bar chart, 0% to 100%. Bars: "Conduct site visits, especially for critical vendors" and "Have defined, or are in the process of defining, the critical activities in their institution". Values shown: 73%, 97%.]
FOURTH PARTY SUPPLIERS
[Bar chart, % of respondents. Bars: "Done when the primary supplier notifies them of a new material fourth party"; "Perform due diligence at time of sourcing/contracting the 3rd party"; "4th party suppliers identified at RFP stage"; "No due diligence on 4th parties". Values shown: 13%, 20%, 50%, 67%.]
TOOLS AND TECHNIQUES
Organizations need to gain a clearer understanding of their third party’s business processes and technologies that will be used to support the outsourced activity.
CONTRACTS
After your bank selects a third party, your bank should negotiate a contract that clearly defines the rights and responsibilities of the parties involved. The majority of our survey participants use contracts.
• 20% use standard contracts
• 37% use standard contracts “with exceptions”
• 57% of surveyed institutions use contracts
REPORTING (CONT.)
Monitor third parties continuously to ensure that they comply with all applicable laws and regulations, and operate in line with the bank’s policies and expectations.
REGULATORY AND COMPLIANCE
72% of the institutions surveyed conduct annual validation of regulatory compliance and effectiveness of the vendor risk management framework.
REGULATORY AND COMPLIANCE (CONT.)
Based on the most recent regulatory examination.
CONCLUSIONS
The survey offered a good indication of the preparedness of financial institutions to manage the current challenges, risks, and complexities related to vendor risk management.
Companies must keep pace with the new sanctions, frequent regulatory changes, increasing complexity, and a diverse and multi-tiered vendor network.
CONCLUSIONS (CONT.)
Organizations need to manage newer risks arising from emerging technologies and trends, such as increasing mobility and the use of social media.
Some of the leading organizations understand the value of integrating their vendor information with their overall business processes, products, and services.
SHARE THIS PRESENTATION
Visit http://www.rmahq.org for information on risk management.
Visit our blog at http://rmablog.rmahq.org/
RMA is a member-driven professional association whose sole purpose is to advance sound risk principles in the financial services industry.
RMA helps its members use sound risk principles to improve institutional performance and financial stability, and enhance the risk competency of individuals through information, education, peer sharing, and networking.
Become a member today.