Due Diligence 2.0: How Vendor Risk Assessment Will Evolve


Alex Golbin

Global Head of Risk Assessments at IHS Markit



17.12.2019 05:45 am

Increasing focus on vendor due diligence has put significant pressure on financial institutions and vendors alike.  The challenge comes into focus when we think about the macro implications.  There are an estimated 20,000 financial services institutions trying to qualify some 20,000 vendors using questionnaires that can have hundreds of questions.

Despite good intentions, vendors are hard pressed to cope with the volume and granularity of due diligence requests they receive.  As a result, financial firms and their service providers are in a Catch-22.  Clients need to assess and manage third party risk, but today’s methodology limits the effectiveness of the due diligence process.  As a result, there are known and unknown gaps in the risk posture of the financial industry as a whole.

How did we get here?

Part of the complexity started with growth of business process outsourcing and technology outsourcing strategies aimed at optimizing service delivery while maximizing focus on strategic capabilities retained in-house.  In the name of managing business outcomes rather than all of the tech and process that go into them, financial institutions built complex webs of dependencies on multiple vendors and other service providers. 

Then, in response to the increasing focus on cyber risk, driven by a steady stream of data breaches and the resulting regulatory scrutiny, Financial Services began to move aggressively to improve governance of their third-party relationships.  Spurred by compliance teams, the goal is to identify, assess and mitigate cyber and other risks inherent in complex, modern, technology-dependent service delivery.

“Why don’t we ask vendors questions to make sure they are doing the right thing?” Subject matter experts from across the enterprise (Privacy Officers, CISOs, Resiliency Officers, CIOs, Heads of Compliance) all got involved.

And that’s where the fun began.

Due diligence: the snowballing challenge

Vendors are now getting bombarded with extensive questions from all of their customers, each with its own permutations. Some vendors have hired teams of people just to reply to these due diligence inquiries.

The lack of a standardized approach is manifest in many areas.  For example, some due diligence questions probe in places that vendors consider confidential.  This creates frustration on both sides of the equation: vendors struggle to respond in a detailed manner, and clients can be unsatisfied with partial or vague answers.

Clients can ask whatever they like, but chances are that they are still not getting that detailed network diagram from the vendor. If they are lucky, the Risk Assessment team will get a glimpse of the information during an onsite visit.

Despite earnest attempts to create a rigorous process, we’ve all learned that the outcomes are not as good as they could be.  There is little doubt that through the volume of questionnaires and the diversity of questions posed to vendors the very practice of risk assessment is at risk of creating risk.     

Changing the paradigm for due diligence

How do we escape the due diligence Catch-22 without lowering the bar for due diligence?  There is a way to improve risk assessment while streamlining the process.  Part of the answer lies in improving the quality of the information analyzed while reducing the quantity of information collected.  The key to change is getting clients and vendors to shift their focus to control objectives while deemphasizing granular diligence questions.

Control objectives frequently:

  • Are aligned with common industry frameworks, regulations and, most importantly, with the overall risk controls framework of each financial services institution.
  • Span information security, technology, governance and business practice oversight.
  • Can be augmented with other available risk data such as cyber ratings, financial health, negative news, etc.

When the focus is control objectives, the vendor can provide fit-for-purpose and independently verified evidence that demonstrates it meets the goals of the diligence process and has control over the process or issue in question.

For example, instead of asking for a detailed network diagram (which vendors typically cannot expose) to see how a vendor ensures network resiliency, it is more appropriate to collect evidence that the network is designed with best practices and industry frameworks in mind.

Due diligence transformed

Redesigning due diligence with control objectives makes the process more logical and the outcomes more applicable to assessing and managing third party risk.

Notably, the process is more efficient for financial institutions and vendors alike, time to market is faster for firms making risk-based decisions, and firms can have much more confidence that their assessment and monitoring procedures produce actionable insight.

All of these combine to improve the overall risk posture of the industry.   

It will be a journey, but the faster we start, the better off we will be.
