Answer:
Conducting business in a world wired for instant connection is constantly changing. It’s complex - teeming with technology and overflowing with sensitive information. Expectations are that regulatory enforcement for assessing risk of outsourced suppliers will increase, not decrease. The bank’s responsibility for developing a cost effective due-diligence process for finding and resolving high risk issues is abundantly clear.
Does that mean that you need to develop a program that provides due diligence for every outsourced supplier or vendor of the bank? Absolutely not. The expense and low probability of success is much too high. However, by breaking the process into layers (triage), the bank can continually winnow down the list of suppliers to those who constitute high risk to the enterprise. Those suppliers who are ‘ticking time-bombs’ are the ones that require immediate attention.
For example, the first layer of process is to leverage information already captured by your vendor procurement group which identifies the vendor’s geography, corporate information, business process, financial reporting, existing compliance practices, and contracts. This will identify many vendors which do not provide an IT or data security risk. Many, if not most third party relationships, do not rely on access to your confidential data and networked connections.
The second layer would tap into information available through public sources. This data creates a risk profile based on indicators for business, financial, and geographical factors of the third party. Again, such analysis identifies those third parties’s that do not require the third, final and more expensive step requiring a focused due diligence process. Probable success in tracking down the high risk supplier from this reduced number of suppliers and vendors then becomes substantially higher.
First published on BankersOnline.com 5/18/09
print
share