Operational risk management was on the minds of many attendees at the 42nd Annual SIFMA Operations Conference and Exhibition, held earlier this month in San Diego. Financial services firms have vastly improved their internal operational risk protocols, but one area set to attract increased scrutiny in the coming year is vendor risk management.
“You can outsource work, but you can’t outsource responsibility,” explained Thomas Ferlazzo, vice president of financial markets infrastructure at the Federal Reserve Bank of New York.
Everyone is familiar with the story of Edward Snowden, which serves as the most famous reminder of the risk that third-party vendors and their employees can represent.
Sam Chari, executive vice president and enterprise risk manager for PIMCO, reminded the audience that employees are the first line of defense. Chari urged firms to focus on training employees about what levels of risk management are expected. He explained there is a difference between teaching employees how to spot threats posed by vendors and educating them about when to escalate such threats up the risk management chain-of-command.
James Marischen, senior vice president and chief risk officer for Stifel, Nicolaus & Co., weighed in and shared some of the best practices his firm has deployed to manage vendor risk:
- Establish a Vendor Management Department: Marischen says Stifel set up such a team 12-18 months ago to eliminate any confusion about who is responsible for vendor relationships.
- Take Inventory of All Vendors: Different departments utilize different vendors for different reasons, but firms can’t manage vendor risk if they don’t know who all those vendors are.
- Review Contracts: Marischen says adhering to the boilerplate contracts most vendors offer is not good enough. Firms need to ensure those contracts include key risk management components such as the right to audit and the right to conduct site visits.
- Standardize: Allowing different contracts and relationship parameters for different vendors invites trouble. Firms should standardize contracts as much as possible.
- Beware of Fourth-Party Risk: Vendors sometimes turn around and outsource their work to yet another vendor. This represents what is called “fourth-party risk.” Firms need to know if this is happening and be sure to vet their vendors’ vendors.
The use of third-party vendors is not going to end any time soon. Firms should take a holistic view of their vendors and gauge the flexibility and trustworthiness of each relationship. Michael Hopkins, president of the Securities Processing Solutions Fixed Income & Risk business for Broadridge, said vendors that know the market landscape and have the bandwidth to tackle any need that arises can turn third-party risk into third-party advantage.