Due Diligence 2.0: How Vendor Risk Assessment Will Evolve


Alex Golbin

Global Head of Risk Assessments at IHS Markit



17.12.2019 05:45 am

The increasing focus on vendor due diligence has put significant pressure on financial institutions and vendors alike. The scale of the challenge comes into focus when we consider the macro picture: an estimated 20,000 financial services institutions are each trying to qualify some 20,000 vendors, using questionnaires that can run to hundreds of questions.

Despite good intentions, vendors are hard pressed to cope with the volume and granularity of the due diligence requests they receive. As a result, financial firms and their service providers are in a Catch-22: clients need to assess and manage third-party risk, but today's methodology limits the effectiveness of the due diligence process. The outcome is that there are known and unknown gaps in the risk posture of the financial industry as a whole.

How did we get here?

Part of the complexity started with the growth of business process outsourcing and technology outsourcing strategies aimed at optimizing service delivery while maximizing focus on the strategic capabilities retained in-house. In the name of managing business outcomes rather than all of the technology and process that go into them, financial institutions built complex webs of dependencies on multiple vendors and other service providers.

Then, in response to the increasing focus on cyber risk, driven by a steady stream of data breaches and the resulting regulatory scrutiny, financial services firms began to move aggressively to improve governance of their third-party relationships. Spurred by compliance teams, the goal is to identify, assess and mitigate the cyber and other risks inherent in complex, modern, technology-dependent service delivery.

"Why don't we ask vendors questions to make sure they are doing the right thing?" Subject matter experts from across the enterprise, including Privacy Officers, CISOs, Resiliency Officers, CIOs and Heads of Compliance, all got involved.

And that’s where the fun began.

Due diligence: the snowballing challenge

Vendors are now being bombarded with extensive questions from all of their customers, each with its own permutations. Some vendors have hired teams of people just to reply to these due diligence inquiries.

The lack of a standardized approach is manifest in many areas. For example, some due diligence questions probe into areas that vendors consider confidential. This creates frustration on both sides of the equation: vendors struggle to respond in a detailed manner, and clients are left unsatisfied with partial or vague answers.

Clients can ask whatever they like, but chances are they are still not getting that detailed network diagram from the vendor. If they are lucky, the risk assessment team will get a glimpse of the information during an onsite visit.

Despite earnest attempts to create a rigorous process, we have all learned that the outcomes are not as good as they could be. There is little doubt that, through the sheer volume of questionnaires and the diversity of questions posed to vendors, the very practice of risk assessment is at risk of creating risk.

Changing the paradigm for due diligence

How do we escape the due diligence Catch-22 without lowering the bar for due diligence? There is a way to improve risk assessment while streamlining the process. Part of the answer lies in improving the quality of the information analyzed while reducing the quantity of information collected. The key to change is getting clients and vendors to shift their focus to control objectives while de-emphasizing granular diligence questions.

Control objectives frequently:

  • Are aligned with common industry frameworks and regulations and, most importantly, with the overall risk control framework of each financial services institution
  • Span information security, technology, governance and business practice oversight
  • Can be augmented with other available risk data such as cyber ratings, financial health, negative news, etc.

When the focus is on control objectives, the vendor can provide fit-for-purpose and independently verified evidence that demonstrates it meets the goals of the diligence process and has control over the process or issue in question.

For example, instead of asking for a detailed network diagram (which vendors typically cannot expose) to see how a vendor ensures network resiliency, it is more appropriate to collect evidence that the network is designed with best practices and industry frameworks in mind, such as an independent assessment or certification against a recognized standard.

Due diligence transformed

Redesigning due diligence around control objectives makes the process more logical and the outcomes more applicable to assessing and managing third-party risk.

Notably, the process is more efficient for financial institutions and vendors alike, time to market is faster for firms making risk-based decisions, and firms can have much more confidence that their assessment and monitoring procedures produce actionable insight.

All of these combine to improve the overall risk posture of the industry.   

It will be a journey, but the faster we start, the better off we will be.
