Publications & Resources

July/August 2009
Focus: Risk Management

 

Steps to Managing Third Party Risk and Compliance

By Lisa King

Tight integration with suppliers, service providers, franchisees and other third parties is essential to success in today’s interconnected world of banking. However, third parties introduce security and compliance risks to banks that must be managed in order to protect sensitive information and satisfy regulatory requirements. So, what are some of the best practices for managing third party risk and improving your risk management programs? They can be summed up in four components: analyzing affiliate risk, applying standards, assessing affiliate compliance and overseeing affiliate relationships. 

Analyze Affiliate Risk

When analyzing affiliate risk, it is important to understand the relationship you have with each affiliate. The terms ‘affiliate’ and ‘vendor’ are used interchangeably here; both refer to the companies you do business with, whether a supplier, software vendor, consultant, managed security services provider, call center, payment processor or other third party. Each affiliate may present some risk to your bank and your customer data, so it is essential to understand what business processes are involved in working with them, what data is involved, how your affiliates access that data, how long you have had the relationship and how important a particular affiliate is to your operation. The more you know about who your affiliates are, the easier it is to understand what risks are involved. Once you understand the relationships, you can build a risk profile for each affiliate and decide what you need to do to manage the risks accordingly. It is helpful to categorize those risks, for example by rating each affiliate as high or low risk, since that rating drives how much scrutiny the affiliate receives in the steps that follow.

Apply Standards

Once you have analyzed the risk posed to you by your affiliates, you can apply a set of standards to use as a guide for measuring that risk. The easiest way to establish such a set of standards is to base them on your own policies and procedures for risk management. To determine whether a vendor meets your standards, you need some method of validation. The most common method that information security services provider SecureWorks has seen is the self-assessment questionnaire: you give your vendors a security questionnaire that they must complete and return to you. If you are going to use questionnaires, you have to spend time creating them. Since different vendors pose different levels of risk, you may want to use an in-depth questionnaire for those vendors that pose a higher information security and compliance risk and a scaled-down version for those that pose a lower risk. Bear in mind that a questionnaire is self-reported; for higher-risk vendors, ask for supporting evidence (policies, audit reports, scan results) for the answers that matter most rather than accepting a checked box. The Shared Assessments Program, originally created by BITS in collaboration with the Big 4 accounting firms and six major financial institutions, is a good resource to help build your self-assessment questionnaire (www.sharedassessments.org). The Shared Assessments Program maintains two useful documents for vendor management: the Agreed Upon Procedures (AUP) and the Standardized Information Gathering (SIG) questionnaire. These documents are consistent with regulatory requirements and are very extensive, although pared-down versions are available for customization.

Another method of validation to determine whether a vendor meets your standards is to use their SAS 70 (Statement on Auditing Standards No. 70, Service Organizations) report. This is a widely recognized auditing standard and indicates that a service organization has been through an in-depth audit of its control objectives and control activities, which often include controls over information technology and related processes. When you rely on a SAS 70 report, check two things: that the report is Type II (the auditor tested that the controls operated effectively over a period, rather than only describing their design at a point in time, as a Type I report does), and that the services and locations in scope actually cover what the vendor does for you, since the service organization chooses which control objectives the audit covers.

Assess Affiliate Compliance

After you have evaluated the risk of your affiliates and applied standards to measure that risk, you should assess their compliance based on the documentation they have provided to you. Review the deliverables that those entities have returned and check them against your standards. It is very important to have a standardized review process in place. Another important task is to have a policy for compensating controls, because not everyone is going to meet your standards. A compensating control is an alternative measure an affiliate has in place that mitigates the same risk as a control standard the affiliate does not meet directly. In your assessment, identify the areas of non-compliance and communicate any gaps to your affiliates. Give them a remediation period to take corrective action. If a non-compliant affiliate is critical to your business, you might want to take additional steps to mitigate the risk on your end by implementing stronger technology controls such as multi-factor authentication or activity monitoring, or by changing the process by which they get access to your data. Other options include making changes to contractual agreements when contracts come up for review, such as requiring non-compliant affiliates to pay penalties or carry additional insurance.

Oversee Affiliate Relationships

Lastly, you should exercise ongoing oversight to make sure your assessments are based on accurate and current analysis. It is critical to track the relationships you have with your vendors so that you are aware of any changes that might warrant a reassessment of their risk profile. You should review your vendors periodically, with high-risk vendors reviewed more frequently. If you require periodic deliverables such as scanning results and audit reports, make sure those documents keep arriving on the schedule you set and that each one is checked against your standards when it arrives. Naturally, some documents expire and become irrelevant. For example, a SAS 70 report from 2007 may be outdated in 2009. So you will want to check with your affiliates and obtain their latest SAS 70 report to ensure that it appropriately reflects their current risk profile.
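The four components above are easier to run consistently when the tiering and the review calendar are written down as rules rather than remembered. The following is an added example, not code from the article or from SecureWorks, that scores each affiliate on the factors named in the analysis step (data involved, how it is accessed, how critical the affiliate is), maps the resulting tier to a questionnaire depth, a review interval and a maximum acceptable age for a SAS 70 report, and then lists the oversight actions due as of a given date. The factor scales, weights, thresholds, intervals, affiliate names and dates are all assumptions constructed for illustration; a bank would replace them with the values from its own policy.

```python
"""Illustrative third-party risk tiering and oversight tracker.

Constructed example: the scoring scales, tier thresholds, review intervals,
attestation ages and the sample affiliates below are assumptions for
illustration only, not any bank's or SecureWorks' actual methodology.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Factors from the "Analyze Affiliate Risk" step, each scored 0-3 (assumed scale).
DATA_SENSITIVITY = {"none": 0, "internal": 1, "customer_pii": 2, "cardholder_or_account": 3}
ACCESS_MODE = {"none": 0, "reports_only": 1, "vpn_or_portal": 2, "direct_db_or_network": 3}
CRITICALITY = {"low": 0, "medium": 1, "high": 2, "essential": 3}

# Tier -> (questionnaire depth, review interval in days, max SAS 70 report age in days).
# Intervals are assumptions; high-risk affiliates are reviewed most often.
TIER_POLICY = {
    "high": ("full SIG", 180, 365),
    "medium": ("SIG Lite", 365, 365),
    "low": ("short questionnaire", 730, 730),
}


@dataclass
class Affiliate:
    name: str
    data: str
    access: str
    criticality: str
    last_review: Optional[date]       # date the last assessment was completed
    attestation_date: Optional[date]  # period-end date of the latest SAS 70 report
    open_gaps: int = 0                # findings still unremediated after the grace period


def risk_score(a: Affiliate) -> int:
    """Inherent risk: sum of the three factor scores (0-9 on the assumed scale)."""
    return DATA_SENSITIVITY[a.data] + ACCESS_MODE[a.access] + CRITICALITY[a.criticality]


def risk_tier(a: Affiliate) -> str:
    """Bucket the score into the tiers the policy table knows about (assumed cut-offs)."""
    score = risk_score(a)
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def oversight_actions(a: Affiliate, today: date) -> List[str]:
    """Return the oversight steps due for one affiliate as of `today`."""
    tier = risk_tier(a)
    questionnaire, review_days, max_attest_days = TIER_POLICY[tier]
    actions: List[str] = []
    # Periodic reassessment: never reviewed, or review older than the tier's interval.
    if a.last_review is None or today - a.last_review > timedelta(days=review_days):
        actions.append(f"reassess: send {questionnaire}")
    # Audit evidence: expired reports stop reflecting the affiliate's current posture.
    if a.attestation_date is None:
        if tier != "low":
            actions.append("request SAS 70 report")
    elif today - a.attestation_date > timedelta(days=max_attest_days):
        actions.append("request current SAS 70 report")
    # Critical affiliate with gaps left open: mitigate on our side, not just theirs.
    if a.open_gaps and tier == "high":
        actions.append("apply compensating controls on our side (e.g. MFA, activity monitoring)")
    return actions


def review_portfolio(affiliates: List[Affiliate], today: date) -> Dict[str, List[str]]:
    """Oversight actions for every affiliate, keyed by name."""
    return {a.name: oversight_actions(a, today) for a in affiliates}


# Constructed sample portfolio; names, dates and attributes are made up.
AS_OF = date(2009, 7, 1)
SAMPLE_AFFILIATES = [
    Affiliate("PayCo", "cardholder_or_account", "direct_db_or_network", "essential",
              last_review=date(2008, 11, 1), attestation_date=date(2007, 12, 31), open_gaps=1),
    Affiliate("CallCenter", "customer_pii", "vpn_or_portal", "medium",
              last_review=date(2009, 2, 1), attestation_date=date(2008, 12, 31)),
    Affiliate("OfficeSupply", "none", "none", "low",
              last_review=None, attestation_date=None),
]

if __name__ == "__main__":
    for name, actions in review_portfolio(SAMPLE_AFFILIATES, AS_OF).items():
        print(f"{name}: {actions or 'no action due'}")
```

Run as is, the payment processor (score 9, high tier) comes back with three actions: its last review is more than 180 days old, its 2007 SAS 70 report is older than the 365-day limit, and it still has an open gap, so compensating controls on the bank's side are called for. The call center (score 5, medium) needs nothing yet, and the low-risk office supplier only needs its first short questionnaire. The point of the structure is that changing a single factor, for example the supplier being granted VPN access to a file share of customer data, re-tiers the affiliate and tightens its schedule automatically.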

Lisa King is public relations manager for SecureWorks. She can be reached at 404-486-4463. SecureWorks is a WIB-endorsed Value & Income Program (VIP) Partner.


Unauthorized reproduction of all or part of this material without the express written consent of the author is strictly prohibited. All rights reserved.