As financial services institutions struggle to balance margin pressures and compliance requirements; outsourcing of business processes has become a standard operating procedure. In today’s environment, regulatory agencies are increasing their oversight of third party vendors as part of their safety and soundness responsibilities. The majority of outsourcing and third party relationships center around IT and Operations processes, contributing to an ever present and growing risk to safety and soundness. The complexity of implementing effective vendor risk management and governance processes rises proportionally with the growth in the outsourcing trend. Allegiance Advisory Group (AAG) believes there are several trends and sources of risk, which are outlined further in this whitepaper.
AAG has believes that there are significant trends emerging in outsourcing that highlight the need for effective vendor risk management. These trends reflect the need for improved and more robust governance processes that address the end customer, multiple vendor contracts, and new trends within the RFP process.
Present and Emerging Vendor Risk Management Trends:
Increased Regulatory Oversight – In addition to traditional safety and soundness exams that cover process and business function outsourcing relationships, regulators are continuing to increase their oversight of mortgage servicing counterparties as well as settlement agents. The Consumer Financial Protection Bureau has adopted a wide definition of the term “service provider”, which now covers settlement agents and law firms involved in residential transactions. These new definitions of service providers can substantially increase compliance focused operational risks, because it extends responsibility for processes that are frequently performed and outside of the organization.
Reputational Risk Rises Again. The toll of process breakdowns and privacy breaches has caused end customers, auditors and regulators to be mindful of the damage associated with reputational risk. The media has developed a keen interest in this topic as well for recent events such as the GM ignition fatalities, aviation disasters as well as privacy breaches at Home Depot, Target and several others. According to a recent CIO magazine study1, This may be the year companies get serious about managing their IT supplier risk. “As end customers become more aware of a company’s supply chain, the brand risk that comes with a supplier failure go up dramatically.” “In 2015, companies will begin to really integrate supplier risk into their daily operations.
MultiSourcing is growing. There’s little doubt that smaller deals among multiple providers is the established model for IT sourcing. But in 2015, outsourcers per customers will multiply even further.” “The number of service providers each company uses will grow dramatically, driven by growing popularity of cloud in general and Software-as-a-Service [SaaS] in particular,” That means governance requirements will also magnify.
Customers will embrace standardization. Cloud, utility computing, and virtualization will converge in 2015, and everything will start to look the same in 2015, “As the industry becomes more and more comfortable working with the cloud, the industry is becoming even more comfortable with the benefits of standardization. The cloud, utility computing, and virtualization are converging to create this new operating model that will become the new paradigm for IT outsourcing. Hence, standardization must not overshadow the specific processing and control needs of an enterprise.
The Business Takes Over. More technology services will be purchased by business leaders rather than IT in 2015. “As consumer products like cars and washing machines and thermostats continue to embed technology, more and more product engineering teams will treat IT and IT services as core purchases and will take over those contracts directly. In the short term, it will also shift power to suppliers who have new buyers to target — minus the burdensome bidding and RFP processes of the past.”
Vendor Management Governance structures are flawed. “CIOs have recognized that their managed services arrangements and their overall governance structures are seriously fragmented, and that this fragmentation results in value erosion. In response they’ve sought to optimize their internal organizational structures and to enhance their ability to manage their providers to meet their contractual obligations.” “If you want an optimized IT service delivery model where you can ‘plug and play’ insourced services, outsourced services, out-tasked functions, and cloud-based point solutions, then a robust, internally retained IT Service Management.”
A Pragmatic Vendor Risk Management Lifecycle
A Vendor Risk Management Lifecycle approach is an effective method to monitoring and controlling the components of the outsourcing lifecycle. The lifecycle approach also allows enterprises to continuously monitor trends in vendor performance and facilitate effective contract management. AAG has assisted several financial services companies in the establishment, improvement and implementation of a vendor risk management lifecycle. AAG has developed the below vendor management lifecycle that aligns and exceeds the established requirements from federal regulatory agencies (FDIC, OCC, Federal Reserve, CFPB) as well as industry association guidance:
Given these highlighted trends regulators such as the OCC have responded with updated guidance on required for Vendor Management risk practices with issuance of OCC Bulletin 2013-29.2 These guidelines the fundamental need and development of a Risk Management Life Cycle that is designed to monitor and address the ongoing risk of Vendor Management. The diagram below illustrates the process:
Industry organizations such as ISACA have published widely adopted methods for structuring and implementing the Vendor Risk Management Life Cycle approach. Below is a diagram of the COBIT 5 Life Cycle Risk Management approach:
These examples highlight the complexities and importance of the effective management of vendor risks. AAG is staffed with experienced IT and Regulatory professionals who can provide the expertise needed for design, implementation and improvement of a risk based Vendor Management program.