With regulations shifting and oversight requirements becoming more of a priority in recent years, the stakes are higher than ever before when it comes to supplier risk management. Failing to meet regulatory requirements can result in remediation costs, penalties, and reputational damage.
New regulations are driven by trends in the industry, including the evolving nature of outsourcing and the Dodd-Frank Act, which has caused greater interest in compliance risk. Even existing regulations are taking on new, more intensive interpretations in an attempt to monitor and manage the risks that third-party suppliers pose to financial services companies.
Agencies have honed their focus on regulations, holding institutions to a higher standard, and the Consumer Financial Protection Bureau, created by the Dodd-Frank Wall Street Reform and Consumer Protection Act, is bringing new authority and perspective to the oversight of financial services companies in an attempt to ensure compliance with regulations.
In response to the shifting regulatory environment, the Information Services Group (ISG) has compiled a report of the 15 characteristics of good supplier risk management that will meet the continuously evolving and increasing financial services regulatory requirements.
According to ISG, regulators look for an environment, comprising both organization and technology, that demonstrably manages the risks of third-party relationships. That environment must incorporate the qualities in the fifteen specified areas.
1. Strong Risk Management Environment
Regulators will look for evidence of “strong” risk management and audit functions within a company. A “strong” culture includes assurance that appropriate risk management infrastructure is in place, that the reporting structure is independent of the line of business (LOB), and that risk-taking activities are controlled proactively, keeping the company’s reputation within risk tolerance levels.
In addition, ISG suggests supporting processes including the alignment of the firm’s business strategy and risk profile and the establishment of limits, triggers and sub-limits.
Independent and proactive risk management and audit functions must also be enforced. Timely and accurate production of reports, and assessment of trends and observed risk levels, are integral to a “strong” risk management environment.
2. Risk Management Infrastructure
According to ISG, regulators will consider the various tools and technologies a company has to perform supplier management processes and assess a company’s level of maturity in these areas.
The ways in which tools are used, and the staff’s ability to utilize them, are imperative. Regulators will look at staff training when assessing a company’s risk management infrastructure.
3. Overall Risk Management Documentation
Regulators have high expectations when it comes to documentation of policies, procedures, checklists, templates and forms. Adequate documentation, in regulators’ eyes, is kept up to date as the program changes and clearly conveys requirements to employees.
4. Staffing Resources
A staff must be prepared to handle supplier risk management, with appropriate staffing levels of skilled employees in place. According to ISG, adequate workloads, resourcing and employee training on regulatory compliance are necessary for a sufficient staff.
Clear organizational ownership of risk functions is also important to regulators, who want to confirm accountability and responsibility for supplier risk management.
5. Supplier Risk Management Recordkeeping
Regulators expect to see records of all supplier risk management activities. These records must be regularly updated and properly archived. A high level of organization in this area is something regulators will look for when auditing a company’s ability to manage the risks of third-party relationships.
6. Reporting to Executive Management
Regulators expect reports of supplier risk results to be routine. Executive management should be kept aware of the supplier environment, receive special reporting when conditions change, and be updated on a regular basis.
Executive management must also be made aware any time a supplier’s ability to perform services is adversely impacted.
7. Pre-Supplier Selection Risk Assessment
A company must have the skills and processes in place to assess the risks of outsourcing a process, product or function before a supplier is selected.
8. Due Diligence Process and Documentation
Proper due diligence is something regulators look for. They want to know that a company has properly examined the supplier before moving forward with selection.
Adequate documentation of findings and selection criteria is also important in this area. A supplier must prove itself through collected evidence, such as a review of the supplier’s capabilities by experts and site visits to the supplier’s offices and processing locations.
9. Contracts
Regulators will look for three specific factors in contracts: forms, the contracting process and in-force contracts.
The correct form must be used in order to establish the desired relationship. A company’s process for finalizing contracts, including review and oversight by legal counsel, is also subject to review.
According to ISG, there are 17 aspects of outsourcing contracts that regulators look for. These include a clear definition of ownership rights and rights for termination and transition support from the supplier. Refer to Attachment 2 of the full report for a complete overview of the 17 aspects cited by ISG.
10. Data Security
Data security is regarded as one of the most important aspects subject to regulatory examination. Suppliers must adhere to the company’s level of data security protection and must be able to adjust their systems in the event of a threat or intrusion. Customer data in particular must be secure.
11. Assessment of Internal Controls
Regulators want to ensure that companies review their own processes and controls. Policies must be adequately followed by operational staff, and processes must not be simply “shelfware.”
A strong risk management function must be actively at work, and clear ownership of and accountability for compliance must exist throughout the supply chain.
12. Assessment of Critical Suppliers
Several aspects of supplier risk must be assessed periodically. Changes in a supplier’s financial condition, damaging news stories, mergers and acquisitions and other changes should be noted. Companies also need to take a supplier’s adherence to the conditions of the contract into account.
ISG also suggests that companies have a clear understanding of the options and factors involved in changing suppliers, should that become necessary.
13. Secondary Supplier Transparency
This area concerns the “suppliers to your suppliers”: companies should understand what level of risk management can be applied to secondary suppliers. Regulators can assess whether a company holds contractual rights to audit, and to obtain transparency into, its suppliers’ suppliers, so companies must be well equipped for this situation.
14. Ongoing Governance
Regulators are interested in the ongoing governance of suppliers, including day-to-day oversight and validation of good business practice, especially since most of the time spent with a supplier comes after the contract has been signed.
Adherence to contract requirements, financial information and a communicative relationship with a supplier are all factors and procedures regulators will assess in determining a company’s effectiveness in the management of a supplier.
15. Offshore Suppliers of Outsourcing Services
Outsourcing providers that deliver to offshore locations are a specific target of regulatory scrutiny.
Regulators want to ensure that companies can enforce the terms of the contract outside the country, that companies have considered the reputation and financial strength of an offshore provider, and that companies can abide by the Gramm-Leach-Bliley Act’s privacy and security provisions and other legislation.