A three-part report from Aite Group, Vendor Risk Management: Strength in Warning by Denise Valentine, looks at vendor risk management among commercial banks and the institutional buy-side asset management community. Vendor risk in areas like technology is a serious operational, financial, and reputational risk to the financial institution. Firms are tapping third parties to accomplish a multitude of business goals, particularly as they focus on core competencies to achieve growth and improved profitability.
It is apparent that vendor risk management teams are lightly staffed relative to the volume of risk assessments needed across the financial industry. It varies by firm, but most leverage staff from other functional areas such as IT, business continuity, and compliance to complete due diligence.
The regulatory spotlight is also on vendor risk management. Regulators issue guidance on vendor assessments, but the specific detail of what is acceptable or not is left to the financial institutions to ascertain. Most financial institutions approach regulatory audits with some trepidation as to the regulators' interpretation of their program. Therefore, the best defense is having a risk management program that is re-validated annually and has a process that incorporates executive management, heads of business, vendor relationship managers, and multiple subject-matter experts.