Vendor Management - NMI LLC
Agenda
• What is a Vendor Management program
• What are the regulators requiring today
• Developing a logical process
• Assessing the appropriate risks
• Rating risks
• Ongoing review and due diligence
• Sample System
Definition: Vendor Management Program
A comprehensive vendor management program should:
– Facilitate and ensure good business practices with vendors
– Understand and reduce risk
– Guarantee a fair and competitive price
– Dictate the appropriate level of due diligence and subsequent reviews
FDIC Exam Procedures
1. Describe management’s vendor management process and ongoing due diligence program
– Provide a list of the bank’s key IT vendors and consultants
– Are all of these vendors covered by a current contract?
FDIC Exam Procedures (con’t)
– How has management evaluated the vendors’ procedures for conducting employee background checks?
Examiner’s Handbook
• Section 2.2 Vendor Management
– 2.2a. Does the bank have a vendor oversight program that includes analyzing SAS70 reports, financial statements and other reports on its significant vendor(s) and/or servicer(s)?
– 2.2b. Determine whether the Board, or an appropriate committee, approves new or significant changes to the service provider relationships based on a written business plan and risk analysis commensurate with the proposed/planned activity. The analysis should address the following:
Examiner’s Handbook (con’t)
• Purpose and goals of the banking product offerings within the strategic and operating plans
• Review of projected financial impact of third-party arrangements
• Risks (definitions and acceptable levels) associated with each outsourcing arrangement
• Role of audit, compliance, and legal staff
• Extent of outsourcing and responsibility for managing the service provider relationship
• Whether management has implemented procedures to verify the accuracy and content of any information provided by a third party
Current FDIC Exam
• Information Technology Examination Officer’s Questionnaire
– N: Do you have a vendor management program (Y/N)?
– O: Are all of your service providers located within the United States (Y/N)?
One Bank’s Logical Approach
• Provide management with a process to conduct due diligence analysis on existing and proposed new vendors
• Process should aid in the assessment of risk and adjust as appropriate
• Should provide for ongoing due diligence for existing vendors
• Simple enough for department managers to use
One Logical Approach (con’t)
• Process should work for all vendors, not just IT vendors
• Process must maintain details of current and past reviews
• Provide for a logical archive of associated vendor documentation
• Review reminder capability would be nice to have
Vendor Risk Assessment Workflow (flowchart, nodes in reading order)
Start
Vendor-related product or service? (No → End)
Go to Risk Assessment Worksheet in Appendix B
Does vendor have access to data?
– No → Go to Vendor Risk Assessment without data questions → End
– Yes → Go to Vendor Risk Assessment with data questions → End
Vendor Assessment w/Data
• Is the vendor actually performing accounting services for us? – Critical
• Does this service require the vendor to deal directly with our customer? – Critical
• Does the service require the vendor to have access to confidential information? – Critical
• Is the vendor new to the market with a limited performance record and references? – Critical
• In the event the vendor could not perform, are there few or no replacement vendors? – Critical
Any one or more = Critical
Vendor Assessment w/o Data
• Does the vendor have minimal access to confidential customer information? – Important
• Is the vendor providing services or software that is not mission critical? – Incidental
• In the event the vendor does not perform, would customers see little or no impact? – Incidental
• Is the vendor providing “shrink wrapped” software that is critical to bank operations? – Important
• Can the services or software that the vendor provides be done through other means in the event the vendor cannot perform? – Important
Any one or more = Important
Vendor Assessment w/o Data (con’t)
• In the event the vendor cannot perform, are there no available replacements? – Important
• In the event the vendor cannot perform, are there available replacements? – Incidental
• The service provided is readily and easily available from a host of well-known vendors – Incidental
Vendor Rating – Criteria Definition – Vendor Assessment Timing and Scope
Critical: Vendor assessment should be performed annually by the Department Head with responsibility over the area serviced and reported to the Steering Committee.
Important: Limited vendor assessment (i.e. financials, adherence to contract terms, etc.) should be performed annually. Full vendor assessment should be done every two years and reported to the Steering Committee.
Incidental: No formal vendor assessment required. All that is required is a certificate of insurance, customer references and a contract for products or services, if applicable. Ongoing monitoring of vendor performance will dictate the degree, if any, of a more formal assessment.
Proceed to Appendix B.
Risk Assessment Procedure
1. Financial Risk (H-M-L-N/A): What is the level of risk of financial loss to the Bank in the event the vendor does not perform, if any? What is the level of this potential loss?
Financial Risk Score: Average
2. Legal Risk (H-M-L-N/A): What is the level of legal risk to the Bank in the event the vendor does not perform, if any? What level is the potential for shareholder or customer suit? Is there the potential for regulatory suit or action?
Legal Risk Score: Average
3. Compliance Risk (H-M-L-N/A): What is the level of risk for violation of consumer protection laws? What is the risk these violations might include civil money penalties?
Compliance Risk Score: Average
Risk Categories 1-3 Total Score
4. Internal Control Risk (H-M-L-N/A): Is there loss of control over transactions or financial reporting resulting from the service provided by the vendor? If so, what is the level of that risk? Are there any mitigating or compensating controls that we can implement?
Internal Control Risk Score: Average
5. Reputation Risk (H-M-L-N/A): What is the degree of chance, in the event the vendor does not perform, that there will be a risk to the Bank’s reputation? If so, what is the level of that risk? Is it to isolated transactions or would it affect a broad class of customers or services? (isolated = L / broad = H)
Reputation Risk Score: Average
6. Performance Risk (H-M-L-N/A): What is the level of risk that the vendor/service provider will not be able to or will not continue to perform the service in a satisfactory manner? What are the odds we won’t be able to work with them to address our performance concerns? To what level does the vendor/service provider rely on multiple third parties to provide the service? What is the effectiveness of the due diligence they use to oversee these relationships? What is the level of criticality of these relationships to the service provided?
Performance Risk Score: Average
Risk Categories 4-6 Total Score
Vendor/Provider Due Diligence
1. Financial Loss, 2. Compliance Risk, 3. Legal Risk
If the total risk of these three risk categories is High, then the due diligence process below must be done initially and ongoing every 12 months thereafter. If the total score is Medium, then the ongoing review will be every 24 months. If the total score is Low, then no ongoing review is required.
If you are continuing here, you have determined there is a medium to high level in any of the following three risk areas:
Vendor/Provider Due Diligence (con’t)
4. Internal Control, 5. Reputation Risk, 6. Performance Risk
If the total risk of these three risk categories is High, then the due diligence process below must be done initially and ongoing every 12 months thereafter. If the total score is Medium, then the ongoing review will be every 24 months. If the total score is Low, then no ongoing review is required.
Or there is a high level of risk in any of the following three risk areas:
Due Diligence Process (example)
Columns: N | 12 | 24
Request financial information (including R&D budgets) – X | X | X
Request proof of insurance – X | X | X
Request a reference list – X
Request audit reports, regulatory exams, or SAS 70 (if providing services or processing transactions) – X
Request company biographical information of principals (resumes, designations, etc.) – X
See handout for full list
Risk Scoring Matrix (each factor scored 4 / 3 / 2 / 1 / 0; risk category in the right-hand column)
Reliance on technology to the success of the product / process / function – 4 3 2 1 0 – Operational
Consequence of Error – 4 3 2 1 0 – Operational
Regulatory Involvement – 4 3 2 1 0 – Comp/Reg
Statutory Implications – 4 3 2 1 0 – Comp/Reg
Impact upon Public Relations if non-performance – 4 3 2 1 0 – Reputation
Degree of Judgment in Operations – 4 3 2 1 0 – Operational
Impact Upon Management Decisions – 4 3 2 1 0 – Strategic
Confidentiality of Data – 4 3 2 1 0 – Reputation
Potential for Financial Loss – 4 3 2 1 0 – Operational
Reliance on Customer Performance – 4 3 2 1 0 – Credit Risk
TOTALS
Score Calculations
Total Risk Score: ____ Risk Classification: ____
Definitions: High 30+ | Medium 20-29 | Low 10-19 | Immaterial <10
4. High – The level of risk for this factor is very critical to the product/process/function
3. Above Average – The level of risk is important to the product/process/function
2. Average – The level of risk is moderate to the product/process/function
1. Below Average – The level of risk is relatively low to the product/process/function
0. Insignificant – The level of risk is immaterial
Mitigating Factors and Controls: discuss any compensating controls in place to mitigate the identified risk
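The following Python is an added worked example of the Risk Scoring Matrix and Score Calculations above; it is not part of the original NMI deck. The factor names (shortened), their risk categories and the 30+/20-29/10-19/<10 thresholds come from the slides; the two sample worksheets are constructed for illustration. Beyond the slides, it refuses an incomplete worksheet rather than treating a missing factor as a 0, since a blank line on the sheet would otherwise quietly pull a vendor below a threshold, and it reports a subtotal per risk category so a reviewer can see where the score comes from.

```python
"""Worked scoring of the Risk Scoring Matrix and Score Calculations slides.

Added example, not part of the original NMI deck. Factor names (shortened),
risk categories and the High/Medium/Low/Immaterial thresholds are taken from
the slides; the two sample worksheets below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Each factor is scored 4 (High) .. 0 (Insignificant) and rolls up to the
# risk category shown in the matrix's right-hand column.
FACTORS = {
    "Reliance on technology": "Operational",
    "Consequence of error": "Operational",
    "Regulatory involvement": "Comp/Reg",
    "Statutory implications": "Comp/Reg",
    "Impact upon public relations if non-performance": "Reputation",
    "Degree of judgment in operations": "Operational",
    "Impact upon management decisions": "Strategic",
    "Confidentiality of data": "Reputation",
    "Potential for financial loss": "Operational",
    "Reliance on customer performance": "Credit Risk",
}

# Per-factor score definitions from the Score Calculations slide.
SCORE_LABELS = {4: "High", 3: "Above Average", 2: "Average",
                1: "Below Average", 0: "Insignificant"}


def classify(total: int) -> str:
    """Total Risk Score -> Risk Classification (30+, 20-29, 10-19, <10)."""
    if total >= 30:
        return "High"
    if total >= 20:
        return "Medium"
    if total >= 10:
        return "Low"
    return "Immaterial"


@dataclass
class Assessment:
    total: int
    classification: str
    # Subtotal per risk category: shows *where* the score comes from.
    by_category: dict = field(default_factory=dict)


def score_vendor(scores: dict) -> Assessment:
    """scores maps every matrix factor to an integer 0..4.

    An incomplete or malformed worksheet raises ValueError instead of
    silently producing a low total (a missing factor would otherwise count
    as 0 and could drop the vendor below a classification threshold)."""
    missing = set(FACTORS) - set(scores)
    unknown = set(scores) - set(FACTORS)
    if missing or unknown:
        raise ValueError(f"missing factors: {sorted(missing)}; "
                         f"unknown factors: {sorted(unknown)}")
    total = 0
    by_category: dict = {}
    for factor, value in scores.items():
        if not isinstance(value, int) or value not in SCORE_LABELS:
            raise ValueError(f"{factor!r}: score must be 0..4, got {value!r}")
        total += value
        category = FACTORS[factor]
        by_category[category] = by_category.get(category, 0) + value
    return Assessment(total, classify(total), by_category)


def is_rejected(scores: dict) -> bool:
    """True when score_vendor refuses the worksheet as incomplete/invalid."""
    try:
        score_vendor(scores)
    except ValueError:
        return True
    return False


# Constructed sample 1: a core-processing vendor holding customer data.
SAMPLE_CORE_PROCESSOR = {
    "Reliance on technology": 4,
    "Consequence of error": 4,
    "Regulatory involvement": 3,
    "Statutory implications": 3,
    "Impact upon public relations if non-performance": 4,
    "Degree of judgment in operations": 2,
    "Impact upon management decisions": 3,
    "Confidentiality of data": 4,
    "Potential for financial loss": 4,
    "Reliance on customer performance": 1,
}

# Constructed sample 2: an office-supplies vendor with no data access.
SAMPLE_OFFICE_SUPPLIES = {name: 0 for name in FACTORS}
SAMPLE_OFFICE_SUPPLIES.update({
    "Reliance on technology": 1,
    "Consequence of error": 1,
    "Impact upon public relations if non-performance": 1,
    "Potential for financial loss": 1,
})

if __name__ == "__main__":
    for name, sheet in (("core processor", SAMPLE_CORE_PROCESSOR),
                        ("office supplies", SAMPLE_OFFICE_SUPPLIES)):
        a = score_vendor(sheet)
        print(f"{name}: total={a.total} classification={a.classification}")
        for category, subtotal in sorted(a.by_category.items()):
            print(f"  {category}: {subtotal}")
```

Run as a script it prints both constructed worksheets: the core processor totals 32 (High, with 14 of those points in the Operational category) and the office-supplies vendor totals 4 (Immaterial). The per-category subtotals are the part a reviewer should look at when writing the Mitigating Factors and Controls section, since a compensating control usually addresses one category (e.g. Comp/Reg) rather than the total.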