When you face risk from actions others take in your name (September 2008)
Risk management has been a banking mantra for some time. But what we mean by the term evolves constantly. There was a time when a bank risk manager handled purchasing risk and hazard insurance. Now, the term “risk manager” means something quite different—and much more complex.
Risk management now means making as certain as possible that things go right—within a realistic framework. Risk management means that the institution should have an active program for assessing, predicting, measuring, and controlling risk in ways that are appropriate for the organization.
An excellent case in point is the old way of managing risk with vendors and other third parties, which was to transfer the risk by contract. A contract included a clause that provided that if the vendor made a mistake, the vendor would be liable, and then the contract went into the file. Those methods will no longer work. Risks presented by third parties cannot be fully contracted away. No matter who made the error and who pays for it, the bank’s reputation is the reputation at stake. For this reason, third party risk has taken new importance.
FDIC’s guidance underscores shift
In June 2008, FDIC issued FIL-44-2008, “Guidance for Managing Third Party Risk.” The guidance provides a roadmap for banks that work with or through third parties for systems or products.
FDIC identified four key areas that should be included in a program to manage third-party risk: risk assessment, due diligence, contract provisions, and oversight. While none of these elements are new to bankers, there are some special expectations for managing third parties.
The guidance advises institutions to actively risk-manage any third party that is new to the organization; that provides or supports a product that is new to the organization; or that performs a critical core function.
FDIC will look at the third party’s performance as though the institution itself had performed the work. In short, contracting a function out does not remove it from the concerned eyes of regulators.
Perhaps the most important principle for institutions to keep in mind during vendor interactions is that the institution is the customer—and the customer is always right. Don’t let the vendor tell you that what you need cannot be done. And never let the vendor tell you that none of the other system users want it! If the vendor cannot or will not provide the service that you need, take your business elsewhere.
As with most of the recent regulatory guidance, this one stresses management and board involvement, stating that use of third parties “in no way diminishes the responsibility” of either. In fact, using third parties can create an additional responsibility: monitoring the performance of the third party.
Proceeding with a risk focus
In light of FDIC’s letter, your bank may want to rethink the way it goes about engaging and using vendors and other third parties. The first step in a risk management program assessment is to determine whether using a vendor, or offering a product that would require a vendor, is consistent with the bank’s strategic plan and risk profile. Don’t do it because it sounds like a great idea or because other banks are doing that particular thing. Do it because it is part of your business plan. Understand the costs, benefits, and risks.
So, first decide whether to use a third party. The other options are to keep the work in-house or to reject the project completely. If the decision is to go with a third party, the vendor must be selected through a carefully designed and managed process. Management must fully understand the relationship and what the vendor will do for—and not do for—the institution. Carefully consider the costs and services as well as legal and compliance risks. The selection process should enable management to conclude that the third party selected is in fact the best service provider for the institution.
Vendor selection is usually best if done by a team, with each member of the team bringing specific skills. The team should be able to consider who will use the vendor’s service, how it will be used, and whether the product is consistent with existing procedures and systems.
Contracts set the rules
When you outsource a function, you retain responsibility for ensuring the vendor’s performance, and that performance should be supported by monitoring and controls within the third party’s own operation.
The entire relationship should be carefully sketched out in the contract. In particular, the bank must include—and the vendor must agree to—provisions that require the vendor to maintain a level of compliance satisfactory to the bank; allow the bank to review documents and conduct audits at the bank’s request; and ensure the security and integrity of all customer information.
FDIC’s guidance identifies several provisions that should be included in contracts to minimize the institution’s risk level and to clarify roles. These include: the time frame for the contract; requirements that the third party will comply with all applicable laws and regulations; and clear authority for the institution to access documents and conduct audits and quality reviews to ensure that the third party is performing according to contract—and not creating liability for the institution.
Even with these precautions, vendors can present additional risks when they use their own vendors. Sub-contracting by vendors can create unforeseen difficulties. The sub-contractor’s agreement with the contractor may not include all of the bank’s requirements, such as the bank’s right to review documents, the obligation to submit to audits, or even any obligation to comply with the bank’s requirements at all. It is a good idea for any contract to specify whether the third party may sub-contract any functions and, if so, whether and how the institution may review the sub-contractors. Particularly with information technology, sub-contracting can create ownership and copyright barriers for the institution.
Due diligence and oversight critical
“Due diligence” in selecting vendors, while a familiar concept, becomes more of a state of mind than an event in light of the FDIC’s guidance. The document warns institutions that they cannot suspend due diligence once the selection is made. It must continue periodically and should include review of all available information, including information about the third party’s reputation and the scope of its internal operations and controls. The guidance includes a long list of items that should be reviewed, including audit reports, financial statements, reputation with other customers, and contingency plans.
When it comes to third-party contracting, the term “due diligence” takes on several meanings.
First, there is the due diligence that should be conducted before final selection of a vendor and signing of the contract.
There is also due diligence that should be maintained during the life of the contract over the full relationship with the vendor. It is not enough to find a vendor, sign a contract, and then move on to something new. The vendor selected must also be monitored.
The institution should carefully and actively oversee the third party, just as the institution would monitor and audit the activity if conducted within the institution. Think of vendor monitoring as you would an internal audit—only this “department” or “function” is down the street or in the next state.
It is also a good idea to keep the institution’s ear to the ground, listening for any signs of vendor problems. Your vendor may have caused problems in another institution. You need to know that as soon as possible and take steps to prevent that happening at your institution.
You may learn the most about your vendor through user groups. The vendor may tell you “no one else wants that” or “no other examiners have raised that concern.” But you only know that for certain when you have other clients of the vendor that you can contact. The vendor may conduct user group conferences to keep its banks sold on its product, through meetings designed to generate good feelings. But your representative to the user group should use the opportunity to monitor the vendor. Talk people up in the hallways, over dinner, and after sessions to hear their experiences.
Outsourcing with knowledge
Various forms of outsourcing have become very popular in banking. Both products and job functions, such as compliance or audit, are being outsourced. But there are risks in outsourcing that go to the heart of the third-party risk issue.
The uppermost risk is this: does your institution have someone on the payroll capable of spotting the risks posed by vendors?
It is always dangerous to rely on a third party to provide services for which the bank lacks staff with the necessary skills. Someone has to be qualified to select the vendor and to manage the vendor’s performance. That cannot be done without knowledge about the product or service offered by the third party. Outsourcing can be an efficiency, but it can never fully replace the need for skilled staff. Ultimately, there is nothing more important than your own people.
The electronic version of this article is available at: http://lb.ec2.nxtbook.com/nxtbooks/sb/ababj0908/index.php?startid=54