
Key Challenges Facing Vendor Risk Management Programs

Date post: 16-Jul-2015
Upload: colleen-beck-domanico
Transcript

Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending


JOIN. ENGAGE. LEAD.

KEY CHALLENGES FACING VENDOR RISK MANAGEMENT PROGRAMS

Third-Party/Vendor Risk Management Survey Results


THE THIRD-PARTY/VENDOR RISK MANAGEMENT SURVEY

The survey was conducted between June and August 2014 by RMA, in association with MetricStream. It sought to:

1. Capture the range of practices in third-party/vendor risk management (VRM) over a cross section of RMA member institutions.

2. Gather detailed information on some of the key challenges that banks and other financial institutions are facing


SURVEY FOCUS

• Vendor management framework
• Vendor selection and monitoring process
• Critical vendors and critical activities
• Fourth-party suppliers
• Tools and techniques
• Contracts
• Reporting
• Regulatory and compliance


WHAT WE FOUND

1. For most of the responding organizations, the vendor management programs are still in their nascent stage.

2. Third party relationships have evolved beyond the traditional models of goods and service providers.


VENDOR MANAGEMENT FRAMEWORK

Some of the bigger organizations surveyed have thousands of supplier relationships to manage—extremely difficult without a mature vendor governance framework.


VENDOR SELECTION AND MONITORING PROCESS

Financial institutions should conduct continuous in-depth assessments on the third party’s capability to perform the activities commensurate with the risk and complexity of the relationship.


VENDOR SELECTION AND MONITORING PROCESS (CONT.)

Each institution surveyed has multiple areas or SMEs for vendor selection and due diligence of third parties.

Key groups conducting secondary supplier risk assessments:

• Information security
• Information technology
• BCM
• Legal


CRITICAL VENDORS

OCC Guidance

• “Critical activities” include:
  • Significant bank functions.
  • Shared services, such as:
    • Internal audit
    • Information technology


CRITICAL VENDORS (CONT.)

• For most of the surveyed organizations, the number of enterprise critical suppliers ranges from 3 to 15.

• Risk and risk and spend are the primary factors when segmenting suppliers on the basis of criticality.

[Bar chart, % of respondents. Categories: “Conduct site visits, especially for critical vendors.” and “Have defined, or are in the process of defining, the critical activities in their institution.” Values shown: 73%, 97%.]


FOURTH PARTY SUPPLIERS

[Bar chart, % of respondents. Categories:

• Done when the primary supplier notifies them of a new material fourth party
• Perform due diligence at time of sourcing/contracting the 3rd party
• 4th party suppliers identified at RFP stage
• No due diligence on 4th parties

Values shown: 13%, 20%, 50%, 67%.]


TOOLS AND TECHNIQUES

Organizations need to gain a clearer understanding of their third party’s business processes and technologies that will be used to support the outsourced activity.


CONTRACTS

After your bank selects a third party, your bank should negotiate a contract that clearly defines the rights and responsibilities of the parties involved. The majority of our survey participants use contracts.

• 20% use standard contracts
• 37% use standard contracts “with exceptions”
• 57% of surveyed institutions use contracts


REPORTING

Survey Responses


REPORTING (CONT.)

Monitor third parties continuously to ensure that they comply with all applicable laws and regulations, and operate in line with the bank’s policies and expectations.


REGULATORY AND COMPLIANCE

72% of the institutions surveyed conduct annual validation of regulatory compliance and effectiveness of the vendor risk management framework.


REGULATORY AND COMPLIANCE (CONT.)

Based on the most recent regulatory examination.


CONCLUSIONS

The survey offered a good indication of the preparedness of financial institutions to manage the current challenges, risks, and complexities related to vendor risk management.

Companies must keep pace with the new sanctions, frequent regulatory changes, increasing complexity, and a diverse and multi-tiered vendor network.


CONCLUSIONS (CONT.)

Organizations need to manage newer risks arising from emerging technologies and trends, such as increasing mobility and the use of social media.

Some of the leading organizations understand the value of integrating their vendor information with their overall business processes, products, and services.


LEARN MORE

Read about RMA’s Third-Party/Vendor Risk Management Survey here: http://www.rmahq.org/tools-publications/surveys-studies/third-party-vendor-risk-management-survey


SHARE THIS PRESENTATION

Visit http://www.rmahq.org for information on risk management.

Visit our blog at http://rmablog.rmahq.org/

RMA is a member-driven professional association whose sole purpose is to advance sound risk principles in the financial services industry.

RMA helps its members use sound risk principles to improve institutional performance and financial stability, and enhance the risk competency of individuals through information, education, peer sharing, and networking.

Become a member today.

