By Alex Golbin, Head of Assessment for KY3P, IHS Markit
Increasing focus on vendor due diligence has put significant pressure on financial institutions and vendors alike. The challenge comes into focus when we think about the macro implications. There are an estimated 20,000 financial services institutions trying to qualify some 20,000 vendors using questionnaires that can have hundreds of questions.
Despite good intentions, vendors are hard pressed to cope with the volume and granularity of due diligence requests they receive. As a result, financial firms and their service providers are in a Catch-22. Clients need to assess and manage third party risk, but today’s methodology limits the effectiveness of the due diligence process. As a result, there are known and unknown gaps in the risk posture of the financial industry as a whole.
How did we get here?
Part of the complexity started with growth of business process outsourcing and technology outsourcing strategies aimed at optimizing service delivery while maximizing focus on strategic capabilities retained in-house. In the name of managing business outcomes rather than all of the tech and process that go into them, financial institutions built complex webs of dependencies on multiple vendors and other service providers.
Then, in response to the increasing focus on cyber risk, driven by a steady stream of data breaches and the resulting regulatory scrutiny, Financial Services began to move aggressively to improve governance of their third-party relationships. Spurred by compliance teams, the goal is to identify, assess and mitigate cyber and other risks inherent in complex, modern, technology-dependent service delivery.
“Why don’t we ask vendors questions to make sure they are doing the right thing?” Subject matter experts from across the enterprise -- Privacy Officers, CISOs, Resiliency Officers, CIOs, Head of Compliance – all got involved.
And that’s where the fun began.
Due diligence: the snowballing challenge
Vendors are now getting bombarded with extensive questions from all of their other customers, each with its own permutations. Some vendors have hired teams of people just to reply to these due diligence inquiries.
The lack of standardized approach is manifest in many areas. For example, some due diligence questions probe in places that vendors consider confidential. This creates frustration on both sides of the equation: vendors struggle to respond in a detailed manner and clients can be unsatisfied with partial or vague answers.
Clients can ask whatever they like, but chances are that they are still not getting that detailed network diagram from the vendor. If they are lucky, the Risk Assessment team will get a glimpse of the information during an onsite visit.
Despite earnest attempts to create a rigorous process, we’ve all learned that the outcomes are not as good as they could be. There is little doubt that through the volume of questionnaires and the diversity of questions posed to vendors the very practice of risk assessment is at risk of creating risk.
Changing the paradigm for due diligence
How do we escape the due diligence Catch-22 without lowering the bar for due diligence? There is a way to improve risk assessment but streamline the process. Part of the answer lies in improving the quality of the information analyzed while reducing the quantity of information collected. They key to change is getting clients and vendors to shift their focus to control objectives while deemphasizing granular diligence questions.
Control objectives frequently:
- Are aligned with common industry frameworks, regulations, and most importantly with overall risk controls framework for each financial services institution.
- Span information security, technology, governance and business practice oversight
- Can be augmented with other available risk data such as cyber ratings, financial health, negative news, etc.
When the focus is control objectives, the vendor can provide fit for purpose and independently verified evidence that demonstrates they meet the goals of the diligence process and demonstrate control over the process/issue in question.
For example, instead of asking for a detailed network diagram (which vendors typically cannot expose) to see how a vendor ensures network resiliency, it’s more appropriate to collect evidence that network is designed with best practices and industry frameworks in mind.
Due diligence transformed
Redesigning due diligence with control objectives makes the process more logical and the outcomes more applicable to assessing and managing third party risk.
Notably, the process is more efficient for financial institutions and vendors alike, time to market is faster for firms making risk-based decisions and firms can have much more confidence in that their assessment and monitoring procedures produce actionable insight.
All of these combine to improve the overall risk posture of the industry.
It will be a journey, but the faster we start, the better off we will be.