By Jean Bobin
Vendor risk management has become an increasingly critical—and complex—endeavor. Lenders are now accountable to regulators, stakeholders, customers, and equity markets for the actions of their third-party service providers. An increased dependence on vendors/service providers with access to consumer non-public information has led to greater risk exposure. And, the FDIC, CFPB, OCC, and FRB have all indicated that financial institutions should adopt effective, ongoing vendor risk controls. In today’s business environment, having a strong vendor risk assessment process is not an option—it’s an absolute necessity.
Yet employing a thorough vendor assessment process presents numerous challenges. Vendor risk monitoring often involves compiling volumes of documentation, getting answers to a multitude of questions, conducting on-site visits at the vendor’s location, risk scoring, and much more. Needless to say, many lenders dedicate a significant amount of time, money, and human resources to conduct these assessments. This is especially true for lenders that rely on multiple vendors for critical business and operational functions.
While lenders face a complicated and resource-intensive assessment process, vendors must also cope with tremendous challenges. The comprehensive level of detail requested from lenders requires vendors to also dedicate significant time and resources to the process. For vendors working with multiple lender clients, the process can be overwhelming. A large tier-one vendor, for example, can receive more than 1,000 inquiries per year. These requests often require gathering hundreds of documents, fielding a multitude of questions, and preparing for numerous on-site visits throughout the year.
The lack of an industry-standard approach to vendor risk assessments further complicates the process. At a high level, lenders tend to analyze similar areas of an operation to assess a vendor’s risk profile. However, each lender determines the data, processes, systems, and controls it evaluates, as well as assessment frequency. This disparity can create an operational log-jam for vendors as they work to respond to multiple requests in mandated time frames—and this log-jam can impede their turnaround times.
But what if there were a way to make the process more efficient? What if vendor turn times could be improved and lender-required resources reduced? And, what if these benefits could be achieved while still having a strong, effective vendor risk management program in place?
ACTIONABLE STRATEGIES TO STREAMLINE ASSESSMENTS
Actionable best practices can go a long way toward streamlining and improving the vendor risk assessment process. The following are some of the steps can help enhance the overall process and improve vendor turn-around time.
SINGLE POINT OF CONTACT
A good place for lenders and service providers to begin is to each designate a single point of contact (SPOC)—either an individual or a specific team. By employing a more centralized approach, organizations can experience considerable efficiencies.
For lenders, having a SPOC may be a cultural shift, since multiple groups are typically responsible for assessing vendors; however, the improved efficiencies that result are well worth the change. For example, the SPOC can serve as a centralization point to coordinate assessor needs, reducing redundancies among stakeholders within the lender’s organization.
For service providers, a SPOC can serve to coordinate intake, as well as filter and direct questions to the appropriate business units. This SPOC should be able to engage all internal stakeholders for each client inquiry and assign appropriate response owners and timelines. Moreover, a SPOC can facilitate faster responses to client inquiries and coordinate activities for on-site assessments
Additionally, a SPOC can help:
Establish clear relationship definitions and scope. When a lender clearly communicates assessment scope and requirements in advance, service providers can more accurately and quickly respond. A SPOC can help refine assessment scope and make sure clear relationships are defined. Service providers with questions know who to contact, rather than spending time tracking down answers from various divisions.
Similarly, a service provider’s SPOC can answer follow-up questions and gather documentation, helping reduce the time lenders spend trying to obtain information from their provider. The SPOC can also help more clearly define an assessment’s scope and engage the appropriate staff within its organization to keep the process moving.
Perform cross-discipline analysis of assessment requirements. Performing a cross-discipline analysis of assessment questionnaires and required documentation of internal groups, such as IT, business units, and the vendor management office, can save considerable time in the long run by reducing redundancies. The lender’s SPOC can serve as an information aggregator and distributor of information. If the same report is needed by multiple internal stakeholders, for example, the SPOC can request the report and distribute it to the appropriate staff.
Centralize data collection.Another effective practice is for lenders to set up a centralized data repository that is accessible to all internal stakeholders. By storing third-party documentation in one location, assessors can more readily review the information, and return to it as needed for further analysis.
Service providers can also set up a centralized information repository, which can potentially shave weeks off the assessment process. Providers can identify the information their clients most frequently request, and create a standard assessment package to support client documentation needs.
TRANSPARANCY AND GUIDANCE
Transparency and guidance are also key elements for enhancing the assessment process.
Share assessment requirements and engage lines of business. Providing assessment requirements to service providers in advance facilitates a smoother overall process with faster turnaround times. In addition, we have found that when a lender’s on-site assessment team engages internal lines of business prior to on-site visits and obtains guidance and context for what they need to review, the on-site process can be completed more quickly, accurately and efficiently.
Review data prior to the on-site visit. Another way to improve the overall process is to review all applicable reports and other service-provider information prior to conducting on-site visits. For example, controls that have already been tested and included in SOC reports should be reviewed by the lender in advance. This helps lenders clear items ahead of time so their assessors can focus the visit for on-site review items only, and shave considerable time off the process.
Managing third-party risk will no doubt remain a critical area of focus for financial institutions. Fortunately, there are ways to increase both the efficiency and the efficacy of the time-consuming, yet vital, vendor assessment process. By deploying a SPOC, centralizing information, standardizing documentation, providing stakeholder access to information, and increasing transparency—lenders and their service providers can make impressive gains in timeliness, accuracy, and efficiency.
Jean Bobin is vice president, Client Response Management Team at Black Knight Financial Services. She can be reached at Exec.Author@BKFS.com.