The after-effects of the global recession show that most organizations reacted to risks unprepared. Rather than dealing with risks without any prior homework, it is essential to have a strategy in place beforehand. A robust risk management strategy is founded on a basic framework for monitoring and managing the various risk elements, so the first step is to create that framework.
Framework to Monitor the Vendor Risks
One of the speakers at the Global Services Conference 2011, a senior risk and compliance management professional with a global bank, shared her insights on how to create a framework to monitor risks. She said, “Strategy is very much front and center of our framework. Having a good strategy makes one much more agile when it comes to reacting to threats. In addition to having a strategy, having the right resources is important. In my case, 200+ senior managers at VP level and above have the authority to make decisions on risk. They are responsible for execution. Another thing is having governance that consists of the co-head of operations risk, the head of business continuity, the head of information security and the head of corporate security. Since these are the people who are in the know, they are well versed in the regulations and in what to be concerned about.”
“Other standard, but significant, measures are communication and awareness. A website which is very content rich - in terms of what a process needs to be, what some of their requirements are, who the people they should be talking to are, where they are in their risk management assessment process and where they go next - should be available, as this gives busy executives a direction. Also, training and awareness are a big deal for us. We had to plug in some training programs across the companies so that people were up to speed with their responsibilities,” she added.
The other point to keep in mind while crafting a risk management framework is to touch each and every segment of the business. Legal and procurement are the key ones. Contracts are fundamental to ensuring one has the right perspective and the right controls in place from a service delivery standpoint. The procurement department is the area one needs to be in total partnership with. Information such as the processes they employ to go out to the market, and the depth of information they need to look for when evaluating the potential risk from vendors and others, needs to be tracked and made available to the stakeholders.
Getting the Right Framework
Charlie R. Miller, VP - Vendor Risk Management, Bank of Tokyo-Mitsubishi, shared the seven criteria they use to get the right framework.
i) Financial Check: A financial check on vendors to make sure they are financially stable. We do fact checks and check other regulatory requirements of that nature.
ii) Information Protection: What kind of information/data are the vendors going to have access to, and what is the level of criticality of that particular service from a recovery perspective?
iii) Reference Check: A background check to find out their specific delivery capability, which country they are from, what their client base looks like, and whether or not there is any issue with the vendor in terms of regulatory service delivery.
iv) Annual Spend: What is their annual spend?
v) Sub-Contract: If the vendor is using a sub-contractor, that is a key thing to know.
vi) Country and City Risk: Where is the vendor located and where is the service actually being delivered from? How politically stable is the country, what are the social risks in the country, what are the economic risks posed by the country, what are the geographical and environmental risks, what are the risks associated with the supply of talent, etc.?
vii) Finances: How much money are we spending, and would there be any financial risk to the bank if this vendor had some kind of operational issue?
De-scoping some of the services is also helpful. Take the example of correspondent banking. There is very tough regulatory guidance around this service. Parts of the business had already done the initial vetting, so in this case ongoing monitoring added no value. De-scoping such areas, which are well managed or perhaps low risk to the organization, helps one focus on the areas where you can add value. Having documentation to support that decision for posterity is also very important.
Making Your Framework More Robust
In order to make your framework more robust, apart from providing the complete risk portfolio to executives, certain tools such as the ‘Balanced Scorecard’ can also be employed. A Balanced Scorecard helps keep track of the execution of activities by staff within their control and monitor the consequences arising from these actions. It also helps find out whether you have a recurring theme of poor controls in certain places, so that they can be addressed accordingly.
Tracking Regulatory and Compliance Risk
Miller articulated, “In my organization, regulatory and compliance risk is very high on everyone’s mind. In order to make sure we are in compliance with almost everything, we monitor different regulatory requirements across businesses, and vendor risk is obviously one of those. We align with different things that are happening in different industry sectors, e.g. PCI, healthcare and some of the things that are happening in the US. We also keep a close watch on things that are happening externally, especially around privacy and recoverability requirements.”
Supply Risk Model
Speaking about NeoGroup's Supply Risk Model, Sandeep Suresh, Head of Research, NeoGroup, said, “We have developed a model that tracks risk based on various parameters. If we look at a country level, we will track macro-economic risks and geopolitical risks. In geopolitical, we study the potential for natural disasters and the political scenario in that country; they have an impact on daily business operations. However, they are not in the vendor’s control. Financial risks and industry risks are studied similarly at city level and then at provider level. This is how we track risks. This program is customized, as there's the ability for clients to pick and choose a particular city or a particular country or a particular provider.”
“We have a risk rating on a scale of 1 to 10, one being the least risky and 10 being the most risky. From over 200 parameters in each of the risk categories - where we collect data every quarter - we come up with a final rating. That's the rating score for a particular location or a particular service provider. It helps clients compare different locations. If a client subscribes, then they get a score,” Suresh added.
Excerpted by Smriti Sharma from the Global Services Conference 2011 session “Supply Risk Monitoring”
Read this in the Global Services February 2011 Digital issue