Enhancing and Sustaining Business Agility through Effective Vendor ResiliencyExtracting continuous value from third-party vendors means methodically assessing their ability to remain best-of-breed amid ongoing technological change and ever-elevating customer expectations. Following our three guiding principles – and proven framework – can help.

Executive SummaryThe ever-growing competitiveness across mature industries — from financial services to consumer products — is causing rapidly diminishing margins of error. Customers expect, even demand, “always-on” products and services. To deliver on these expectations, organizations are increasing-ly including products and services from a growing list of vendor partners to extend the robustness and reliability of their end-to-end business capa-bilities.

For their part, third-party vendors are growing in maturity and sophistication, and rapidly becoming an integral and substantial part of the overall business and IT landscape for many companies. We recently partnered with a global financial services firm to strengthen its vendor risk management capabilities. This client partners with strategic vendors that offer industry-leading solutions to support business-critical functions, such as credit and risk management.

Like other companies in these increasingly common situations, our client shared an ever-growing portion of its business and operational risk with its vendor partners, as any outage or

disruption in the vendor products could result in a significant financial, operational and reputa-tional impact. For example, our client experiences a potential financial loss of several million dollars for every hour the credit-rating vendor product is down because such a disruption causes several business functions and operations to come to a standstill. We characterize such vulnerabilities as vendor resiliency risk.

Our experience shows that companies are slowly but surely improving select parts of the vendor risk equation in areas such as sourced IT appli-cation development and support. However, we see big gaps in companies managing risk across vendor partners that provide critical value-added products and services, such as real-time business-to-business (B2B) data or specialized services. Consequently, we are seeing strong interest among companies seeking a formal vendor resiliency program to rigorously assess and mitigate financial, operational and reputa-tional risk. We partner with these clients, focusing on two key areas:

• Internal process maturity to understand and measure key resiliency risk. This includes objective tools and frameworks, as well as a set

• Cognizant 20-20 Insights

cognizant 20-20 insights | april 2014

2

of service level agreements (SLAs) that cover vendor adherence, emphasizing strong vendor performance-tracking capabilities.

• The ability to assess critical process and technology vulnerabilities within vendor products and address shortcomings with focused performance improvement plans.

We have defined three guiding principles for companies to strengthen vendor resiliency:

1. Assume full accountability for end-to-end resiliency within products and services, including capabilities enabled through vendor products. Customers and regulators are increasingly holding companies account-able for the full range of their products and services (including support of vendor products). Companies need to build strong capabilities to assess and mitigate risk across all vendor products. Prioritizing vendor products can help companies manage risk more effectively by optimizing available resources and increasing focus on critical products.

2. Ensure a well-coordinated and comprehen-sive approach to manage vendor product resiliency. Various groups across business, technology, operations, procurement and vendor management functions need to coordinate their efforts to effectively mitigate resiliency risks. Additionally, companies need to adopt a comprehensive approach, going beyond the standard availability and business continuity planning (BCP) attributes of vendor products. Companies need to look internally, as well as focus on additional aspects of their vendors’ capabilities, such as technology and process capabilities (i.e., change and incident management). They then should adjust SLAs, contracts and performance monitoring, accord-ingly.

3. Ensure a sustainable focus on vendor resil-iency, adjusting to a continuously evolving vendor landscape. To remain agile in times of change, companies should utilize objective and flexible frameworks and tools that are manage-able and able to handle a wide array of vendor products.

Additionally, we recommend a set of core and actionable success factors for vendor resiliency initiatives. These include ensuring leadership commitment to vendor resiliency, concentrating on objectivity, adjusting SLAs and implementing quick-win opportunities, such as strong commu-

nication models with vendors and coordinated execution of BCP testing.

In the case of the aforementioned financial services firm, we helped the company establish strong internal processes to manage vendor performance, along with a scorecard-based resiliency improvement program for critical vendor products. These resiliency measures will result in a swift drop in outages that should reduce the financial impact of downtime by 40% to 50% (see sidebar, page 7).

In the sections that follow, we describe vendor resiliency and the three guiding principles in greater detail. We also outline a robust framework that can help drive any organization’s resiliency program, both internally and with vendor partners. From there, we propose a set of key rec-ommendations that companies across industries can start to act upon.

Defining Vendor ResiliencyWe define vendor resiliency as a set of core process and technology capabilities related to vendor products and services that ensure seamless integration, optimal and sustainable performance, and highly available “always-on” operations. Highly resilient vendor products/services demonstrate:

• Optimal integration with the organization’s value chain.

• Maximum change coordination with organiza-tions.

• Robust technology and architecture composi-tion.

• Strong incident management capabilities, with the ability to swiftly address challenges.

• A robust backup or disaster recovery infra-structure with seamless switch-over capa-bilities, along with sound business continuity plans and testing.

Vendor Resiliency Programs

Organizations with a heavy reliance on third-party partners are increasingly establishing dedicated vendor resiliency programs. Such programs are intended to ensure minimal business disruption resulting from outages due to vendor product failure, both in terms of frequency and impact. Effective vendor resiliency programs are structured, well-defined and focused on sus-tainability. Well-designed programs include the following:

cognizant 20-20 insights

cognizant 20-20 insights 3

• A proactive, ongoing and disciplined review of technology/architecture capabilities, opera-tional readiness, BCP and readiness testing, and alternative sourcing where necessary and feasible.

• A focus on a disciplined assessment of process maturity in key areas such as performance monitoring, change coordination, incident management and contract management.

• An objective methodology, heavily reliant on measurable and well-defined metrics and corresponding SLAs that align well with the company’s business goals.

Key Drivers

Several trends are converging to elevate vendor resiliency to a level that is on par with the most strategic focus areas within many organizations. These include:

• Growing reliance on vendors as part of the core value chain. Vendors are becoming extremely sophisticated, serving multiple leading organizations across industries. These vendors are then able to leverage their experience across these organizations to continually enhance their products and services. Vendors are rapidly transitioning from supporting organizations in noncore areas to playing critical roles within their core value chain. (For more on this topic, read “The Fluid Core: How Technology is Creating a New Hierarchy of Need and How Smart Companies Are Responding.”)

• Customer demand for high availability and reliability. Several factors, including 24x7 business cycles across industries, increased globalization and growing reliability across all products and services, are transforming customer expectations for “always-on” applica-tions with close to 100% availability.

• Regulatory requirements for organizations to take full ownership of their solutions, including enabling solutions from vendors. Regulators such as the Consumer Financial Protection Bureau (CFPB) and Office of the Comptroller of the Currency (OCC) within the financial services industry are increasing mandates for organizations to take full accountability for their end-to-end services, including vendor oversight.1

• Increased risk from new types of threats, coupled with growing impact and frequency. Companies across industries face greater and more sophisticated threats, ranging from infor-mation security and data breaches, to cards and payments threats, to threats targeting vul-nerabilities in parts of global supply chains.

• Relentless focus on cost-effectiveness, faster time to market, customer satisfac-tion and overall agility. These focus areas are driving companies to evaluate vendor solutions as accelerators and regard vendor resiliency as a strategic focus area.

Guiding Principles for Enhancing Vendor Resiliency As these trends demonstrate, organizations need to establish vendor resiliency as a strategic and sustained focus area to meet customer and regulator demands. Increased vendor resiliency will enable organizations to accelerate their reliance on vendor partners, while addressing sophisticated and pervasive threats, all with a laser focus on cost. In our work with clients that have varying degrees of maturity in this area, we have outlined a set of three guiding principles that organizations can follow as they launch or strengthen their vendor resiliency programs.

Guiding Principle #1: Assume full accountability for end-to-end resiliency within products and services, including capabilities enabled through vendor products.

With customers and regulators holding companies accountable for their products and services as a whole, organizations need to build strong capabil-ities to adequately manage end-to-end resiliency. Because vendors are so diverse in terms of the scale and size of customers they serve, their internal process and technology maturity, their financial strength and their people, organizations need to adopt resiliency measures that are firm yet flexible (see Figure 1, next page). Consider any medium- to large-size organization: These companies typically engage 40 to 100 unique vendors with different levels of complexity and maturity, ranging from globally sophisticated vendors to small niche players.

Full accountability implies that organizations have extensible capabilities that enable them to effectively cover all types of vendors. To attain

cognizant 20-20 insights 4

this comprehensive level, vendor resiliency needs to be a core and strategic program that is well supported by organizational leadership.

Additionally, companies need a structured meth-odology to evaluate the criticality of vendor products. Companies cannot afford the same level (frequency and depth) of resiliency assessment and follow-through across all vendors. They need to focus more closely on business-critical vendors.

From our experience, the criticality among vendor products in a typical medium to large company follows the Pareto principle closely; that is, 20% of these products are critical and pose 80% of the major resiliency risks. As such, the focus needs to be on this 20%.

Guiding Principle #2: Ensure a well-coordinated and comprehensive approach for managing vendor product resiliency.

In our experience, we see widely distributed vendor management responsibilities across different business, technology, operations, pro-curement and dedicated vendor management functions. This variance is the result of years of business evolution and changing priorities, and often is a vestige of the past, when vendors focused more on noncore products and services.

But as vendors become strategic partners and play at the heart of the core value chain, their distributed focus is increasingly becoming a major hindrance and is exceedingly counter-productive in managing overall vendor resiliency. Companies need to leverage different groups and their capabilities in streamlining cross-functional management of resiliency risks.

Another factor is the breadth of objectives that companies need to include. Tradition-ally, companies have thought of resiliency as focused on system availability and BCP readiness. However, our experience shows that availability is more a reflection of resiliency, and BCP is just one aspect of a structured toolset that addresses resiliency risk.

In today’s complex environment, resiliency risks across vendor products can be attributed to a range of drivers, each capable of posing financial, operational and reputational risks. These risk drivers include suboptimal vendor management processes, such as change coordination with vendors, incident and post-incident management, ongoing technology and architecture evaluation of vendor products, etc.

Similarly, a whole set of technology and archi-tecture risk drivers contribute to resiliency risks. Some of these include the health of the overall technology stack, the disaster recovery infra-structure, switch-over capabilities, etc. Addition-ally, companies often do not optimally manage their internal vendor management capabilities. Along with a well-coordinated effort, companies need to focus on developing robust and objective frameworks that can serve a wide range of vendor products. Our framework (outlined later in this paper) provides a dual approach, focusing equally on internal capabilities.

Guiding Principle #3: Ensure sustainable focus on vendor resiliency, adjusting to a continuously evolving vendor landscape.

All major industries are experiencing the trans-formative forces of disruptive change wrought by new business processes and accelerated adoption

Figure 1

1. Determine vendor product criticality: Business impact of potential outage within vendor product. Regulatory considerations. Data/information security criticality, based on data being transacted. Type of service (synchronous, asynchronous, batch).

2. Adjust depth and frequency of ongoing resiliency assessment/deep-dives:

Objective scorecard-based evaluation. Coordinated business continuity planning/ performance testing. Ongoing technology/architecture assessment.

Adjust Resiliency Assessment Based on Product Criticality

of social, mobile, analytics and cloud technolo-gies, or the SMAC Stack.™ Companies and their vendors are responding by rapidly evolving to address customer demands to more quickly transform. As such, a vendor resiliency program must become a strategic focus that is sustained over time. The implications on organizational transformation and sustenance include:

• The vendor resiliency assessment and asso-ciated performance improvement planning need to be objective and fast paced. We work with clients to develop a rich set of objective tools, including a detailed RFI on various process and technology resiliency elements, and an associated resiliency scorecard that highlights key focus areas.

• The vendor resiliency program needs to be ongoing, while prioritizing critical products. The toolset — RFIs and scorecards we build for our clients — facilitates a continuous focus by allowing vendors and companies to prioritize incremental change, as well as each change’s resiliency implication.

Vendor Resiliency Framework and ApproachBased on our work with clients across industries — and from the transformative changes that we have witnessed in vendors’ sophistication and their role within the core value chain of companies — we have developed a comprehensive and extensible vendor resiliency framework. This framework leverages and aligns with the three guiding principles described above.

Overarching Framework

Our vendor resiliency framework takes an objective view, providing a clear set of focus areas (e.g., business resiliency, incident and change management, technology and archi-tecture assessment, ongoing governance) and a supporting set of tools and artifacts. The framework offers a holistic approach to resiliency, but to work well, it requires a high level of coordination and engagement among internal stakeholders and vendor partners.

A key feature of the framework is its dual-pronged approach, which simultaneously focuses on enhancing internal process maturity, while addressing specific risks of targeted vendor products. Addition-ally, the framework is dynamic; it evolves through continuous attention to both proactive and reactive aspects of vendor resiliency (see Figure 2).

Approach and Methodology

We have defined a structured and mature approach for more effectively utilizing our vendor resiliency framework (see Figure 3, next page).

Following this approach and methodology will ensure:

• A high level of engagement from vendors and internal stakeholders.

5cognizant 20-20 insights

Figure 2

Vendor Products: Focused Resiliency Assessment

Internal Process Maturity:Vendor Resiliency and

Performance Management

Vendor Resiliency Focus Areas

Stakeholders and stakeholder engagement model. Key processes, such as incident management,

change control/coordination, contract management.

Technology and architecture assessment and governance.

Ongoing vendor performance evaluation and reporting.

Resiliency assessment dimensions, request for information and discussions.

Technology and architecture composition. Vendor engagement processes

(communication model, change coordination, performance evaluation, etc.).

Ongoing vendor resiliency assessment using scorecards.

Business Resiliency

Incident Management

Change Control &Coordination

Technology/Architecture Composition

Performance/Service Quality Tracking

Ongoing Vendor Management

A

B

C

D

E

F

Enhanced Vendor Resiliency

A key feature of the framework is its dual-pronged approach, which simultaneously focuses on enhancing internal process maturity, while addressing specific risks of targeted vendor products.

cognizant 20-20 insights 6

• Use of industry best practices and guidelines in relevant areas.

• Heavy reliance on the set of key resiliency dimensions on all aspects of analysis, such as RFI, scorecards, assessment focus areas and performance improvement plans.

A strong and successful vendor resiliency program typically pivots around the following goals:

1. Ensure leadership commitment to vendor resiliency; establish a program lead across business, technology, operations, procurement and vendor management functions. Sponsorship from top leadership will help streamline the approach to vendor management and performance tracking across teams. A principal lead accountable for the overall program will help with conflict resolution and consensus-building across teams, institu-tionalization of the enhanced vendor resiliency measures, and continuous improvement.

2. Strengthen your vendor resiliency program with objectivity. A critical success factor is the level of objectivity within the resiliency assessment and monitoring program. We use

flexible and extensible scorecards to help ensure objectivity (see Figure 4, page 8).

3. Increase vendor accountability for resiliency by closely examining and ensuring that vendor performance SLAs align well with business objectives and criticality, and by defining clear implications for SLA non-adherence. We often find that clients have gaps in these areas, such as:

> Lack of adequate SLAs that measure critical metrics.

> SLAs that are very broad and do not reflect business criticality.

> Nonstandard SLAs, which make vendor com-pliance difficult.

> A lack of clear implications for vendors for SLA non-adherence.

We recommend that companies utilize industry standards and institutionalize a core and limited set of SLAs to monitor key aspects of perfor-mance, availability, scalability, BCP, etc., and then use these consistently across all vendor products. Additionally, organizations need to carefully

Figure 3

Recommended prioritization based on impact and effort

Organizational Inputs

Vendor Resiliency Assessment InputsVendor Inputs

Vendor Resiliency Assessment and Target State Recommendations

Discussions & Workshops

Process Maps

Resiliency RFI

Vendor performance management processes (teams, SLAs, reporting, etc.)

Other relevant processes (incident and change OtOthher relleva tnt processes ((iin icidde tnt a dnd chhangemanagement, contract management, etc.) Discussions &

Workshops

Product Documents

Performance Reporting

Industry Best Practices and Frameworks

1. Performance SLAs and metrics

2. Industry-specific vendor guidelines

3. Industry trends (business and technology)

4. Reference architectures

A B C D E F Business Resiliencyy

Incident Managementg

Change Control & Coordination

Technology/ArchitectureCompositionp

Performance/Service Quality Trackingy g

Ongoing Vendor Managementg

Recommendations to enhance internal process maturity Recommendations to enhance resiliency within specific vendor products

Tools and artifacts to enhance process maturity and enable a strong vendor resiliency program

Implementation and change management plan

Stakeholder Engagement Model (RACI)

Resiliency Scorecards Other artifacts

• Communication model• Process catalog• SLA & metrics model • Governance model• Etc.

Utilizing the Resiliency Framework

Quick Take

We recently partnered on a vendor resiliency program with one of the largest retail mortgage servicers in the U.S., a subsidiary of a large mul-tinational bank. We started by focusing on a small set of vendor products but soon discovered that significant opportunities existed within the client’s internal processes and capabilities.

Business ChallengeOur client acts as a principal gateway orga-nization, responsible for integrating 80 B2B vendors that provide real-time information-cen-tric products (such as credit rating and fraud monitoring) to the parent company’s core retail mortgage servicing platform. The client is expe-riencing a significant increase in business and transaction volume and, hence, has been relying more heavily on its vendor partners. Consequent-ly, the client wanted a structured approach and capabilities to assess and mitigate resiliency risks within these vendor products.

An immediate goal was to address/reduce recent spikes in outages within critical vendor services, which were impacting business functions on the order of several million dollars for every hour of downtime.

SolutionAs discussed within our proposed framework, we approached this resiliency project in two parts:

• Part 1: We partnered with different client teams and stakeholders on a comprehensive internal maturity assessment of key vendor perfor-mance management processes and capabili-ties. We engaged stakeholders across different business, technology, operations, procurement and vendor management areas to develop a “current-state” understanding. Additionally, we analyzed key processes such as incident and change management, performance track-ing, SLA and contract management, along with their ongoing governance. We also analyzed existing vendor performance metrics, SLAs and reporting and utilized an objective scorecard to baseline and highlight gaps and opportunities associated with our client’s vendor manage-ment processes. Finally, we developed a priori-tized set of recommendations to address the identified gaps.

• Part 2: We engaged the target vendors in a structured and objective resiliency assessment of their specific products uti-lizing RFIs and informal dis-cussions to assess their pro-cesses and capabilities across key dimensions. We also assessed key technology and architecture dimen-sions, such as technology stack and infrastruc-ture health, performance tracking, BCP readi-ness, etc. Additionally, we looked at issues and outages associated with the target products and utilized an objective resiliency scorecard to summarize our findings on key resiliency risks and opportunities. Finally, we devel-oped a prioritized set of recommendations to address resiliency gaps across these target products. We highlighted quick-wins such as launching a strong communication model and more frequent execution of coordinated BCP and performance testing. Longer term rec-ommendations included enhancement of per-formance monitoring, addressing technology and architecture gaps, and strengthening BCP capabilities.

BenefitsImplementing the recommended resiliency measures will result in a swift reduction in outages associated with these products. In the first 12 to 15 months, we estimate that the client will see a reduced financial impact of 40% to 50% associated with outages within the target products. Given that an outage within just one of the target products has an impact of several million dollars per hour, a reduction in outages across several products will result in substantial financial savings over time.

Additionally, the streamlined vendor resiliency processes and capabilities across a dozen teams will result in a reduction of 30% to 40% in aggregated effort through more effective cross-functional collaboration. With the set of objective tools and measures to run an effective and sus-tainable vendor resiliency program, the client can now continue expanding strategic partnerships with industry-leading vendors.

Vendor Resiliency Program Pays Off for a National Mortgage Servicer

7cognizant 20-20 insights

cognizant 20-20 insights 8

define objective and adequate implications for SLA non-adherence, usually in terms of financial implications formalized clearly within contracts.

4. Identify and implement quick-win oppor-tunities to expeditiously and significantly enhance vendor resiliency. Some quick-win opportunities include:

> A strong communication model between the company and the vendors. An up-to-date communication model across the com-pany and its vendors can drive optimal coor-dination across scenarios, such as incident management, change coordination, BCP testing and performance testing.

> Regular and coordinated BCP testing. Many of our clients and their vendors have established strong BCP testing plans but fail to execute in a coordinated fashion on a reg-ular schedule. This leads to a lack of readi-ness and a significant increase in resolution timelines during an outage. Regular coordi-nated testing can significantly enhance di-saster recovery switch-over readiness and minimize the impact of potential outages.

Looking Ahead Vendor resiliency is becoming a top agenda item for organizations that increasingly rely on a greater number of vendor partners to play a substantial role across their core value chains. As a result, third-party vendors are becoming more mature and are increasingly providing industry-leading products and services that companies

across industries rely on for core business functions. Despite their increased reliance on third parties, most companies take a fairly fragmented approach to vendor management, tasking several groups across business, technology, operations, procurement and vendor management functions to play different oversight roles.

We strongly believe that vendor resiliency needs to be driven centrally with a formal program and a program lead accountable for optimizing the organization’s cross-functional effort for effectively assessing and mitigating resiliency risks. Quick-win opportunities can significantly boost vendor resiliency, such as maintaining an up-to-date communications model, more effectively governing existing BCP test plans, adjusting SLAs to reflect business criticality, and providing hands-on coordination of effort across existing teams. An effective change management initiative can significantly catalyze any organi-zational transformation associated with vendor resiliency.

Finally, vendor resiliency programs need to be sustained as a strategic capability in order to continuously assess and mitigate risks resulting from the ever-evolving nature of business — both internally and across vendors. We believe it’s imperative for companies to pause, assess and launch or strengthen their vendor resiliency programs in order to leverage compelling products and services offered by increasingly sophisticated vendors and sustain their competi-tive advantage.

Figure 4

Scorecard for Assessing Vendor Product Resiliency

VVereryy HiHighgh

HiHighgh

Moderate

Low

Vendor Resiliency Focus Areas

Business Resiliency Vendor financial strengththh Functional scalabilityy Business criticality

Ongoing Governance DimensionsOnggoooing GGoovvern iliency governanceVenndddor reessiliie ance testingPerfoorrmman A management and adherenceSSLA ma

Incident Managementmeenentt Issue notificationion Problem analysis and resolutions and reessoolluutti Post issue resolutttiioon

Change Control and CoCoorrddiinnatioonn Change impact assessmesmmeenntt Change coordination

Technology Capability/ArchitectureTeecchhnnolo pability/architectureTecchh ccaaappaa ervice qualityPPPllaattform serv uationOngoingg eevvaallua

Performance/Service Quality Trackingormannccee//SServ Performance measurement and trackingPerformance measurree Technology/architecture performanceechnologyy/aarrcchhiittec Service quality monitoring qqualityvvicee quality m

Vendor Inputs

VVendorr ReResilienncyy

SScoringg

About CognizantCognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process out-sourcing services, dedicated to helping the world’s leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 50 delivery centers worldwide and approximately 171,400 employees as of December 31, 2013, Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world. Visit us online at www.cognizant.com or follow us on Twitter: Cognizant.

World Headquarters500 Frank W. Burr Blvd.Teaneck, NJ 07666 USAPhone: +1 201 801 0233Fax: +1 201 801 0243Toll Free: +1 888 937 3277Email: inquiry@cognizant.com

European Headquarters1 Kingdom StreetPaddington CentralLondon W2 6BDPhone: +44 (0) 20 7297 7600Fax: +44 (0) 20 7121 0102Email: infouk@cognizant.com

India Operations Headquarters#5/535, Old Mahabalipuram RoadOkkiyam Pettai, ThoraipakkamChennai, 600 096 IndiaPhone: +91 (0) 44 4209 6000Fax: +91 (0) 44 4209 6060Email: inquiryindia@cognizant.com

© Copyright 2014, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.

About the AuthorsPhilippe Dintrans is the Vice President and Global Practice leader within Cognizant Business Consulting’s Banking and Financial Services Group. Philippe has led numerous consulting engagements on business transformation, IT transformation and change management for marquee clients at Cognizant. He holds a master’s of science degree in engineering from the Massachusetts Institute of Technology (MIT) and an M.B.A. from INSEAD. He can be reached at Philippe.Dintrans@cognizant.com.

Amit Anand is a Director with Cognizant Business Consulting’s Strategic Services Group. He has 12-plus years of experience in successfully leading and managing large IT transformation and operating model initiatives for various clients. Amit holds a bachelor’s degree from the IIT Delhi and an M.B.A. from the Indian School of Business, Hyderabad. He can be reached at Amit.Anand@cognizant.com.

Abhishek Roy is a Senior Consulting Manager with Cognizant Business Consulting’s Strategic Services Group. He has 15-plus years of experience in leading business-aligned IT strategy, IT performance improvement, business process re-engineering, cost optimization and related large-scale transforma-tion initiatives. Abhi holds an M.B.A. from Ross School of Business at the University of Michigan, Ann Arbor, and a bachelor’s degree in engineering from the National Institute of Technology at Jamshedpur, India. He can be reached at Abhishek.Roy3@cognizant.com.

Footnotes1 Directives from OCC and CFPB to banks and other financial services organizations to take more account-

ability for managing risks associated with their vendors.

References

• “Risk Management Guidance,” Office of the Comptroller of the Currency, http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html.

• CFPB Bulletin, Consumer Financial Protection Bureau, April 13, 2012, http://files.consumerfinance.gov/f/201204_cfpb_bulletin_service-providers.pdf.