Due Diligence 2.0: How Vendor Risk Assessment Will Evolve
02 December 2019
Increasing focus on vendor due diligence has put significant
pressure on financial institutions and vendors alike. The challenge
comes into focus when we think about the macro implications. There
are an estimated 20,000 financial services institutions trying to
qualify some 20,000 vendors using questionnaires that can have
hundreds of questions.
Despite good intentions, vendors are hard pressed to cope with
the volume and granularity of due diligence requests they receive.
Financial firms and their service providers are therefore in a
Catch-22: clients need to assess and manage third party risk, but
today's methodology limits the effectiveness of the due diligence
process. The result is known and unknown gaps in the risk
posture of the financial industry as a whole.
How did we get here?
Part of the complexity started with the growth of business process
outsourcing and technology outsourcing strategies aimed at
optimizing service delivery while maximizing focus on the strategic
capabilities retained in-house. In the name of managing business
outcomes rather than all of the technology and process that go into them,
financial institutions built complex webs of dependencies on
multiple vendors and other service providers.
Then, in response to the increasing focus on cyber risk, driven
by a steady stream of data breaches and the resulting regulatory
scrutiny, financial services firms began to move aggressively to improve
governance of their third-party relationships. Spurred on by
compliance teams, they set out to identify, assess and mitigate
the cyber and other risks inherent in complex, modern,
technology-dependent service delivery.
"Why don't we ask vendors questions to make sure they are doing
the right thing?" Subject matter experts from across the enterprise,
including Privacy Officers, CISOs, Resiliency Officers, CIOs and Heads of
Compliance, all got involved.
And that's where the fun began.
Due diligence: the snowballing challenge
Vendors are now getting bombarded with extensive questions from
all of their customers, each with its own permutations. Some
vendors have hired teams of people just to reply to these due
diligence inquiries.
The lack of a standardized approach is manifest in many areas. For
example, some due diligence questions probe in places that vendors
consider confidential. This creates frustration on both sides of
the equation: vendors struggle to respond in a detailed manner and
clients are left unsatisfied with partial or vague answers.
Clients can ask whatever they like, but chances are that they
are still not getting that detailed network diagram from the
vendor. If they are lucky, the risk assessment team will get a
glimpse of the information during an onsite visit.
Despite earnest attempts to create a rigorous process, we've all
learned that the outcomes are not as good as they could be. There
is little doubt that the sheer volume of questionnaires and the
diversity of questions posed to vendors mean the very practice of risk
assessment is itself creating risk.
Changing the paradigm for due diligence
How do we escape the due diligence Catch-22 without lowering the
bar for due diligence? There is a way to improve risk assessment
and streamline the process at the same time. Part of the answer lies in improving
the quality of the information analyzed while reducing the quantity
of information collected. The key to change is getting clients and
vendors to shift their focus to control objectives while
deemphasizing granular diligence questions.
Control objectives frequently:
Are aligned with common industry frameworks and regulations and,
most importantly, with the overall risk controls framework of each
financial services institution.
Span information security, technology, governance and business
practice oversight.
Can be augmented with other available risk data such as cyber
ratings, financial health, negative news, etc.
When the focus is control objectives, the vendor can provide
fit-for-purpose, independently verified evidence that it meets
the goals of the diligence process and has control over the
process or issue in question.
For example, instead of asking for a detailed network diagram
(which vendors typically cannot expose) to see how a vendor ensures
network resiliency, it is more appropriate to collect evidence that
the network is designed with established best practices and industry
frameworks in mind, and that this evidence has been independently verified rather than self-attested.
Due diligence transformed
Redesigning due diligence with control objectives makes the
process more logical and the outcomes more applicable to assessing
and managing third party risk.
Notably, the process is more efficient for financial
institutions and vendors alike, time to market is faster for firms
making risk-based decisions, and firms can have much more confidence
that their assessment and monitoring procedures produce
actionable insight.
All of these combine to improve the overall risk posture of the
industry.
It will be a journey, but the faster we start, the better off we
will be.
Posted 2 December 2019 by Alex Golbin, head of
Assessment for KY3P at IHS Markit