Don’t Let Vendor Risk Management Become Overwhelming
Third-party vendor risk management is important and vital for proper governance, but it shouldn’t become an overwhelming chore for your bank. If it is, there’s a chance that you’re interpreting the guidance from the Office of the Comptroller of the Currency and the FDIC too literally. The key to everything is risk management, not risk elimination. The OCC’s guidance does not mandate that banks eliminate all risk, just that they appropriately manage their risk. From the OCC: “A community bank should adopt risk management practices commensurate with the level of risk and complexity of its third-party relationships.”
So the big question is: how do you do that? To start, you need a realistic picture of what your risks are. A facilitated risk assessment directed by an independent party is a good place to start. Every bank has a different risk profile, and the challenges posed to a community bank in Nebraska will certainly be different from those faced by Bank of America or US Bank. There will even be substantial differences in risks between community banks throughout Nebraska. The important thing is that you establish what your risks are and then move forward with a risk management plan and protocols that make sense for your institution.
Banks certainly need to adhere to OCC and FDIC guidance, but there is no need to overreact. You just need to take appropriate measures to ensure security. It is often enough for banks to receive and review their vendors’ third-party reports as part of their vendor management programs. Banks may refuse to accept those audits, but if that’s the case, why is the bank doing business with a particular vendor in the first place?
If the vendor does not have third-party reviews, the bank will need to conduct the audit or retain an independent party to do one. You definitely don’t need to perform a surprise audit or show up at the data center without notice. Data centers are secure environments; if you are not on the approved list of visitors, you won’t get in.
Every relationship has risks. Banks are in the business of managing risk. Regulators recognize that risk is necessary; they are simply asking banks to understand and validate risk.
If you have any questions about vendor risk management or any other IT security issues, give ITPAC a call today.