The first three enforcement actions of the Consumer Financial Protection Bureau resulted in a combined $101.5 million in fines plus $435 million in restitution from the financial institutions involved. What caught our attention, though, was that all three actions cited flaws in how those banks monitored their vendors.
In the action against American Express, for example, federal regulators attributed all but one of the violations "to deficient management oversight of the bank’s service providers."
A new regulatory environment is only one of the pressures bearing on the once-insular world of financial operations. Ever-more-complex supply chains must be made productive as competitors press in. Meanwhile, operations must stay highly effective as better-informed consumers make more sophisticated demands.
In response to these pressures, financial institutions have come to rely increasingly on third parties. Most large institutions have over 1,000 vendors; many have tens of thousands. Although vendors can perform work efficiently, many banks have little insight into how those vendors manage their own risks.
In our regular reviews of vendor risk management at financial institutions, we find that banks are increasingly concerned about vendor risk: the large number of suppliers, they say, represents a new risk environment over which they have less control than they would like. Yet they lack consistent methods for rigorously vetting those risks, and the task strikes many as potentially onerous.
Vendor risk management is indeed the most pressing challenge in financial operations risk management today. But we also believe it can be more effective and less expensive than some banks fear. In our view, banks should make three key shifts in perspective to effectively address these issues.
First, banks should broaden the types of risk they assess. Too often, vendor risk management has been limited to one or two critical dimensions such as information security or physical security. Regulators are now interested in many types of risk. Our assessments have found that cross-portfolio risks, concentration and geography among them, are the types most commonly overlooked: they are invisible when each vendor is reviewed on its own, as when several critical services quietly come to rest on one vendor or one region.
Second, given the broader set of risks we recommend examining, treating every vendor exactly the same would make assessment unduly onerous. We therefore suggest applying a custom lens to the vendor portfolio: group vendors into logical categories, each of which needs to be assessed only for the subset of risks that applies to it.
For example, a vendor that has contact with customers needs scrutiny for fraud, mis-selling and similar conduct risks; one that does not can skip those dimensions. This avoids a common pitfall in which banks review every vendor in the portfolio through a one-size-fits-all lens, and it can significantly reduce the workload.
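To make the two preceding points concrete, the following script is an added example (it is not from the article or from A.T. Kearney) that scopes each vendor's assessment to the risk dimensions its category triggers, counts the domain-checks saved versus a one-size-fits-all review, and then runs the cross-portfolio concentration check that a per-vendor review would miss. The risk domain names, the trigger rules, the thresholds and the sample portfolio of vendors are all this example's own assumptions; a real program would load the portfolio from the bank's vendor inventory.

```python
"""Scope vendor risk assessments by category and flag cross-portfolio
concentration. Illustrative only: the risk domains, trigger rules,
thresholds and sample portfolio are this example's own assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed universe of risk domains a one-size-fits-all review would apply to every vendor.
ALL_DOMAINS = frozenset({
    "financial viability", "contractual", "fraud", "mis-selling",
    "information security", "privacy", "physical security",
    "business continuity", "concentration",
})


@dataclass(frozen=True)
class Engagement:
    """One contracted service; a vendor may appear in several engagements."""
    vendor: str
    service: str
    country: str            # where the service is delivered from
    critical: bool          # an outage would disrupt a core banking process
    customer_contact: bool  # vendor staff interact with the bank's customers
    customer_data: bool     # vendor stores or processes customer data
    on_site: bool           # vendor staff have physical access to bank premises


def applicable_domains(e: Engagement) -> frozenset:
    """Subset of ALL_DOMAINS this engagement must be assessed for (assumed rules)."""
    domains = {"financial viability", "contractual"}  # baseline for every vendor
    if e.customer_contact:
        domains |= {"fraud", "mis-selling"}
    if e.customer_data:
        domains |= {"information security", "privacy"}
    if e.on_site:
        domains.add("physical security")
    if e.critical:
        domains |= {"business continuity", "concentration"}
    return frozenset(domains)


def assessment_plan(portfolio):
    """Per vendor, the union of applicable domains across all its engagements."""
    plan = defaultdict(set)
    for e in portfolio:
        plan[e.vendor] |= applicable_domains(e)
    return {vendor: frozenset(domains) for vendor, domains in plan.items()}


def workload(portfolio):
    """Return (custom-lens domain-checks, one-size-fits-all domain-checks)."""
    plan = assessment_plan(portfolio)
    custom = sum(len(domains) for domains in plan.values())
    uniform = len(plan) * len(ALL_DOMAINS)
    return custom, uniform


def concentration_findings(portfolio, max_per_vendor=2, max_per_country=3):
    """Flag any vendor or country carrying more critical services than the threshold.
    This is the cross-portfolio view: no single-vendor review can produce it."""
    by_vendor = defaultdict(list)
    by_country = defaultdict(list)
    for e in portfolio:
        if e.critical:
            by_vendor[e.vendor].append(e.service)
            by_country[e.country].append(e.service)
    findings = []
    for vendor, services in sorted(by_vendor.items()):
        if len(services) > max_per_vendor:
            findings.append(("vendor", vendor, sorted(services)))
    for country, services in sorted(by_country.items()):
        if len(services) > max_per_country:
            findings.append(("country", country, sorted(services)))
    return findings


# Constructed sample portfolio; the vendor names are fictitious.
PORTFOLIO = [
    Engagement("AcmeCloud", "core banking hosting", "US", True, False, True, False),
    Engagement("AcmeCloud", "payments switch", "US", True, False, True, False),
    Engagement("AcmeCloud", "data warehouse", "US", True, False, True, False),
    Engagement("PrintCo", "statement printing", "US", True, False, True, False),
    Engagement("CallCo", "collections call centre", "IN", False, True, True, False),
    Engagement("FacilityCo", "branch cleaning", "US", False, False, False, True),
]

if __name__ == "__main__":
    for vendor, domains in assessment_plan(PORTFOLIO).items():
        print(f"{vendor}: {', '.join(sorted(domains))}")
    print("custom vs uniform domain-checks:", workload(PORTFOLIO))
    for kind, name, services in concentration_findings(PORTFOLIO):
        print(f"concentration ({kind}) {name}: {services}")
```

On the sample portfolio the custom lens needs 21 domain-checks instead of 36, the call centre is the only vendor that draws fraud and mis-selling scrutiny, and the cleaning contractor is assessed for physical security and little else. The concentration check then flags AcmeCloud (three critical services) and the US (four critical services from two vendors), neither of which appears in any single vendor's assessment.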
Third, automation and effective organizational structures can improve both efficiency and consistency. A central team should set policies and guidelines to ensure consistent implementation and reporting, while business units and functions govern and manage the risks of the vendors assigned to their respective groups.
Each of our recommendations takes a high-level perspective on vendor risk, which is valuable for several reasons. First, as discussed, it improves efficiency. Second, regulators will assess a bank's overall preparedness to react to risk events, that is, its holistic view of enterprise risk. The better a bank understands the big picture of vendor risk, the better it can fit that picture into its enterprise risk management.
Finally, risk management is not merely a number-crunching exercise. It is a prelude to changing a bank's collaborative relationships with its vendors in mutually beneficial ways. A broad understanding of risk can also become part of a more deliberate, company-wide stance on how to respond to potential risks. Some companies need to know that they can recover from risky situations. Some want to be more resilient still, and some, perhaps tomorrow's leaders, look at risk and ask how they can take advantage of the opportunity to set up the right framework for dealing with it. Any of these perspectives starts with understanding the risks posed by vendors.
Arjun Sethi is a partner with A.T. Kearney, a global management consulting firm, where he leads the Strategic IT Practice for the Americas. He can be reached at Arjun.Sethi@atkearney.com. Uday Singh is a partner in the financial institutions practice of A.T. Kearney. He can be reached at Uday.Singh@atkearney.com.