Myra Thomas

Hi everyone and thanks for joining us for this Pulse of the Industry event. I’m Myra Thomas, editor at Bank Automation News, and I’m proud to present our May Premium Plus webinar. Premium Plus is our newest service that offers exclusive webinars like this, access to conferences, archives of past sessions and startup demos. We really hope you enjoy it. Today I’m joined by the wonderful Dylan Roberts. He’s a partner at Kearney, a global management consulting firm. The financial institution practice works with banks, insurers, insurance companies, payment companies, fintech and other financial services companies. Dylan has worked in the firm’s financial institution practice, and he’s based in New York. He’s a partner at the firm and, as I said previously, he has 30 years’ experience advising senior bankers on strategy. Dylan, welcome. How are you today? I really appreciate you joining me. The topic of today’s discussion is really the state of third party risk management, and Kearney had a wonderful white paper recently looking at that and how financial institutions need to better deal with vendors. Now, you mentioned that the pandemic brought up some glaring problems that banks are still having as far as navigating new vendor services. Why do you think that was?



Dylan Roberts

Well, it’s a pretty interesting field. So, third party risk management has been a focus for banks for a long time, and in particular, since the aftermath of the last financial crisis. Banks have worked hard on improving their third party risk capabilities, and in 2013, the Federal Reserve issued guidance indicating what steps banks need to take to improve the robustness of their third party risk & assumptions, and banks really worked hard and made fantastic progress between 2013 and the pandemic. But what they did was build processes that were very robust, but candidly somewhat slow moving. So a typical third party risk process at a financial institution, circa 2019, relied heavily on periodic surveys of vendors, so banks were sourcing information about vendors by going out and asking the vendors on a quarterly or annual basis, and then they were analyzing and monitoring that information, also on a quarterly to annual or even less than annual basis. So it was robust but it was pretty slow moving and periodic in nature. And what happened with the pandemic, obviously, was that people realized that when there’s a really profound environmental shock, vendors’ statuses and vendors’ risk profiles can change overnight. And, so, a vendor that was stable yesterday and didn’t represent a source of risk for a bank is not, you’re not necessarily going to have the same situation tomorrow.



Myra Thomas

Sure, absolutely. So I guess, between I think you cited the work at home situations and bringing up security issues never thought up before, and just operational capacity and flexibility to respond to a sudden escalation in demand was really at the heart.



Dylan Roberts

That’s exactly right. In the very early days of the pandemic we started getting a lot of calls from our bank clients asking about how to deal with third party risk in this new environment. And one of the stories that we heard repeatedly was: we’ve worked so hard to create a third party risk process, and we have very strict rules around data security, for instance, and we know what data security protocols our outsourcing providers have in place as well. But now that there’s a pandemic situation, we know that some of our outsourcing providers who do our call centers, for instance, are working from home, and we never anticipated that our call centers overseas would be staffed with people working from home. We’ve now got people working from home with sensitive data and information and, candidly, a lot of banks just said, we’re not sure what the information protocols are that are in place in this new and unanticipated situation.



Myra Thomas

Sure. So, if you’re talking about altering the way that you’re monitoring vendors, what’s, what are financial institutions actually doing there?



Dylan Roberts

There are a couple of areas where we’ve seen really profound steps forward over the last couple years. One was transitioning from a data collection standard that really, as I said, relied on surveying vendors to tell you what’s going on in their situation, to more automated data collection. So, we have worked on, on processes with automated data collection and web based data collection, where you’re scanning as many as 100,000 data sources, databases, news feeds and so forth, on effectively a real time basis so that as things change at a vendor, you’re getting hits from those data sources, you know, on a daily basis. So that’s, that’s not very much to do. Right, so that’s one big change, is increasing the pace of data collection, and also the scope of data collection. 100,000 data sources is obviously a huge number, so that then creates an analytics challenge as well, just having to integrate all this information, and you’re getting, it’s about changes in your vendors’ commercial relationships, changes in their financial status, news stories and so on and so forth, so you need to build analytics platforms that are capable of integrating all that different information and providing you with a sense of the vendor’s risk profile. That’s one big change. So, I was just gonna mention another two other big changes really. One is that regulators are pushing banks to not only worry about third parties but also fourth parties and fifth parties. So really your vendors are only as safe and as robust as their suppliers, as those suppliers’ suppliers. So there’s a need for over the horizon kind of capabilities to look into extended commercial networks, which just increases the complexity of the exercise exponentially, so there’s a lot of work on that. (laughs) Yeah. So, yeah. And then the last point that I would make, which I think is a big shift in the last couple of years, is increasing the actionability of this information.
And what I mean by that is, you know, third party risk programs circa 2013 or 2015, you’d have this periodic monitoring and if you detected a deterioration in a vendor’s risk status or decided that it represented an increased risk to the financial institution, you had a certain amount of time to figure out what to do, or people assumed that you had a certain amount of time to figure out what to do. And again the pandemic, I think, heightened people’s sensitivity to the fact that when you’re in a crisis, things tend to move very quickly and you don’t, you don’t actually have that time to figure out what to do. So the other area that we’ve seen a lot of work is in pre-defining and pre-developing action plans so that when a vendor enters the red zone, the bank already has a view of: given the circumstances, here’s the predefined plan, and you can then hit the button and execute as opposed to trying to convene a committee, think of options, evaluate them, set your strategy and so on and so forth. You do that work in advance. A similar thought process, to me, to what goes into resolution and recovery planning, where there was a recognition that, again, when you’re in a crisis, you don’t have time to figure out how to get out of the crisis, you have to have analyzed in advance what are the possible crises we will face, and develop action plans that are ready to go when you need them.



Myra Thomas

Yeah, you were talking about that sort of trickle through risk that happens when vendors are working with other organizations, buyers by hand. And so, you know, I would imagine there’s a cyber security risk, but what other sorts of risks and fraud what or whatever

Dylan Roberts

Other kinds of everything. I mean, the two biggest one is obviously cyber, as you, as you reference, and, you know, the terrible, one of the terrible things about cyber risk is that it’s everywhere. So, one of the examples that people consistently reference is the Target data breach, which happened via their air conditioner vendor. I guarantee you, no one who isn’t thinking about cyber is going to scan the vendor list for a large financial institution and say, the AC company or the pencil, the pencil vendor, are the people who represent risk to us. But really, anybody that you have an electronic payments relationship with represents a risk point for cyber, or an electronic data exchange relationship with. And again, that extends outward to your vendors’ vendors. So that’s an important one. But I think the, the crisis also illustrated that just operational disruption and supply chain disruption is another kind of source of vendor risk that where fourth and fourth, fifth parties can become a real issue. And so again, your, your vendor who provides you with a critical service or a critical piece of hardware or software is dependent on other suppliers to give them goods and services in a timely fashion. And if their supply chain starts to break down, they may very quickly run into constraints on their ability to meet their obligations to you as well.



Myra Thomas

Yeah, it trickles through to not just business risk, but also financial risk and reputation. Translate actual financial risk. So talk to me a little bit about how can automation sort of solve some of these third party risk management issues?



Dylan Roberts

That’s a great question. So the two things I would call out as automation opportunities are, again, that data collection exercise. There is so much information available out in the world about every one of the bank’s vendors, you can’t possibly rely on manual processes to gather it all in a timely fashion. You have got to have automated information gathering capabilities in place. Secondly, you need an analytics platform that will allow you to integrate and kind of derive the signal and weed out the noise and that information if you’re looking at 100,000 data sources, there’s gonna be a lot of noise and it’s very hard to come up with an integrated view of what is that really telling you. So that’s important. And then third, you need to have some form of automation in your monitoring and early warning systems. So, again, a typical bank will have literally thousands of critical vendors, and you obviously will have procurement and risk professionals whose jobs are to keep an eye on those vendors, but no one, no one can sit down at their desk and say I’m going to track that many vendors at once, so it’s a challenge for human resources, and so you have to rely on analytics to prioritize and elevate vendors who kind of deserve a closer look at any given point in time, and it’s the third party risk analytics aren’t messy. So, you are, it’s not like market risk where you can look at a data feed and say, Ah, I see that the valuation of the security has changed, the value of risk has changed. And I have quite confidence in that. It’s not like that at all, but you can look at analytics and say, Ah, I see this family of vendors or this particular vendor there something’s happening. We’re seeing evidence of risks their changes in their financial position their changes in their contractual relationships, their news stories about them. That may not be definitive.
You wouldn’t necessarily trust an automated risk score to say they’ve gone from a five to a nine based on what these automated data sources are telling you, but you would rely on that to provide a red flag or a yellow flag and tell your supply chain risk officers, hey, here’s where you should be spending your attention, your time and attention. You know, if you’ve got a short list of things to worry about this week, put this vendor on it, and reach out to them and figure out what’s going on and start to consider triggering some of your contingency plans, in the event that something bad has happened.



Myra Thomas

Yeah, I mean, obviously, you know, there’s a constant monitoring process that has to go into dealing with vendors and they present. Well, do you think organization financial institutions are paying enough attention to analyzing the vendors before they engage in business with them, before they give them access to their processes, whatever else, or is that, you know, is that a problem?



Dylan Roberts

I think if you talk to any, any vendor who has been through a bank due diligence process and onboarding process would probably tell you yes, banks are spending a lot of time and effort, diligence in vendor. And I think that’s true, banks have made that a priority. I think they need to do more and they are doing more, so it’s an area of investment and continued build. But banks are doing a lot on vendor evaluation and vendor due diligence, they need to do more. I think up until recently, I would say the initial evaluation probably got more attention than the kind of ongoing day to day monitoring. There was a view: we did a good due diligence of this vendor, they passed our screen, we onboarded them. That will settle into a more kind of periodic monitoring process. So banks are, you know, they’re spending more time and more energy and more money on both pre-relationship due diligence and post-contracting monitoring as well.



Myra Thomas

Makes sense. Makes sense. Well, I will stop you there.