Know Your Vendor: The Risky Business of Third-Party Relationships

I spent last week discussing the potential demise of the entire vendor ecosystem, so I feel it's only fair to stay in that mindset by highlighting another weakness of the space.

This week we ran a story from our sister publication, Risk.net, which details how operational risk experts go about dealing with third-party risk. The story, entitled "Grappling with Vendor Risk Rules", which was written by my colleague Steve Marlin, was a fascinating look into an issue that every firm in financial services deals with to some degree.

No Easy Task

Vendor risk management is truly a monumental task. Take this excerpt from the story as an example:

For instance, one US bank has 250 full-time equivalent employees devoted to third-party risk management. The team oversees around 2,000 traditional vendors and a further 32,000 non-traditional vendors. The latter category includes about 10,000 auto dealerships through which the bank offers indirect lending services and 8,000 commercial and residential appraisers that support its mortgage business.

The article brings up an interesting point when discussing regulations around third-party risk management. Many have questioned whether regulatory bodies, such as the US Federal Reserve Board and the Office of the Comptroller of the Currency (OCC), have gone too far.

How Far?

Fourth-party risk in particular seems a bit overboard. If my firm hires a vendor who then hires another vendor to help provide the service/product I purchased, there is only so much I can do to protect myself. Sure, I can make sure the vendor I'm communicating with has the necessary governance in place, but that only goes so far.

At the end of the day, how overbearing can a firm be before the vendor pushes back. Granted, a firm is certainly entitled to ask any questions it has about subcontractors a vendor might be using, but where do you draw the line.

In the story, Bob Kellner, a senior vice president responsible for operational risk management and corporate control programs at US Bank, says his firm has an inventory of subcontractors their vendors use. The list isn't necessarily all-encompassing, focusing only on ones the bank deems "strategic."

That's all well and good, but lest we forget Target was breached through its HVAC vendor. Will firms really think to consider these types of subcontractors "strategic"?

The story is a good look at the overall space and definitely worth a read. So do yourself a favor and check it out here.

This week on the Waters Wavelength podcast ─ Episode 10: Markit-IHS Merger, FIA Boca

If you haven't already, subscribe to the podcast on iTunes here. Also, check out our SoundCloud account here.

Food for Thought

• If you're interested in my feature on open source, it should go live next week. To get a preview of what's to come, check out this audit I did of open-source projects firms are currently working on.

• Speaking of analysis pieces, I looked at treasury management and why the space is prime for electronification. Read more about it here.

• We are now under a month away from North American Trading Architecture Summit 2016, which is held in New York. For more info on the event, click here.

• One last note: This Sunday is WRESTLEMANIA! (Yes, I still watch wrestling.) The main event is a Hell in a Cell between the Undertaker (yes, he still wrestles) and Shane McMahon (yes, Vince's son). For those of you unaware of the history of these types of matches, I leave you with a seminal moment in my childhood: Long Island's own Mankind getting thrown off the top of Hell in a Cell by the Undertaker.