Vendor management process for financial services

Date: Sep 07, 2010

In this video get tips from expert Eric Holmquist on how to create an enterprise vendor management process to optimize security and minimize risk. Topics include risk assessment, due diligence best practices, common mistakes financial firms make in their vendor management programs, and managing cloud service providers.


Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact editor@searchsecurity.com.  

Vendor management process for financial services

Eric Holmquist: Clearly, there is a regulatory component, in that banks are
required to maintain active vendor management for regulations, but the
reality is there is actually quite a bit of risk here. What we found is that
this is a pretty significant area of risk, and banks really have to manage
this very proactively because it is an area where they have very little
control, but the risk is still there.

Clearly, you've got the basic elements, which is certainly a due diligence
process, which is done better or worse by different companies, but taking
certain steps to really analyze your companies. The main thing here really
is risk assessment and accountability. I think these are areas where we see
challenges, as a step of really understanding what your risk is with
any given third party, and really making sure you've got clear accountability
for performing due diligence, for performing monitoring, because the steps
do not really matter if you do not have, number one, people who
prioritize these third parties in terms of the riskier ones, and, two,
people that are clearly tasked with understanding that risk and managing
that risk.

The mechanics of it are pretty straightforward; it is usually a combination
of both internal and external assessments. I think the real trick is really
getting down to risk assessments and really understanding what the risk
profile is, then scaling the due diligence appropriately, depending on the
level of risk. Certainly, those larger concentrations of data or more
critical services are going to be subject to a greater level of scrutiny.
The real trick is being able to understand what those risk profiles look
like and developing a scaled response that is proportionate with the risk
level.

I think this is one where a couple of things can happen. Number one, again, it
goes back to accountability; you've got to have somebody that is specifically
tasked with monitoring. I think this is also an instance where it is very
helpful having a risk committee that can also be responsible for the reporting
mechanism, because you need your group of subject matter experts to be in
the conversation when talking about monitoring. It is one thing to have
somebody looking at all the things they are looking at, but are the
appropriate subject matter experts actually analyzing some of this
documentation they are getting?

I think the other piece that is really important is just making sure that
the relationship managers understand this is not a compliance exercise. If
it ever gets to the point where it becomes 'check the box,' you are really
not managing risk any more. You've got to understand this is a dynamic
process; sometimes it is a messy process, but it is a matter of really
looking at what they are hearing from their third parties and understanding
what that means, not just filling out forms.

Absolutely not. Even though this is a new area and it is an area that is
getting a lot of talk, it really is not a new area. At the end of the day,
it falls under the heading of, you outsource a process, but you certainly
cannot outsource a risk, and this is no different than any other third
party. The questions are the same. What kind of information are they going
to have? Who is going to have access to that information? What are the
controls that are in place? Understanding who your provider is. Again, just
understanding what is the risk profile of using this third party? There is
nothing new to cloud computing, it is just taking a different approach to
managing the process, and you just have to understand what those risks are,
and proactively manage those risks.

I have to say the two biggest mistakes that I think I see people making are,
number one, not properly risk rating: taking their portfolio of third parties
and putting some categorization around them to just say, 'What are the risk
profiles of these?' and coming up with the relative ranking of which third
parties are riskier than others, so I can focus my resources appropriately.
The second thing is trying to turn it into a compliance exercise, instead
of taking information that you receive from third parties and really
analyzing it, and, more often than not, having conversations with them about
it, not just what is on the form. If banks could just do those two things,
really developing comprehensive methods of risk rating their third
parties so they can prioritize, and really taking the time to analyze this
due diligence documentation versus just receiving it and
filing it away, I think banks would do an infinitely better job of really
understanding where their risks are and, much more, proactively managing
those risks.
