Continuous monitoring of vendor and third parties for full portfolio analysis of risks

By Ken Wolckenhauer, VP, Vendor Management, Nordea Bank

Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

My original background is sales, marketing, and product management in the international telecommunications industry. After 18 years, I transferred to professional services in AML and Sanctions and finally to Third Party Risk, with the opportunity to build a program from the ground up. My focus is on keeping TPRM in perspective, protecting the institution from risk without stopping the bank from doing business.

What, for you, are the benefits of attending a conference like Vendor & Third Party Risk 2019 and what can attendees expect to learn from your session?

Sharing experiences with colleagues is the biggest benefit. Several of us are doing presentations that look forward to what is coming as more and more data is available for due diligence and monitoring. I will help paint a picture of where systems and resources are headed and how we are becoming more like KYC.

In your opinion, how can we look to effectively carry out detailed analysis to determine risk and priorities?

We need to distribute the work. Due diligence and risk assessment are partnerships between TPRM and the business. SMEs in InfoSec, Compliance, and Procurement must be integrated into the TPRM process. We also need to embrace robotics and AI going forward to automate the routine parts of the job.

What are the key considerations that need to be made when combining internal data with external data to gain a true picture of risk profiles?

“Big Data” analytics are performing these functions in AML and KYC. We will be incorporating analytics into the various processes, especially ongoing monitoring, to eliminate noise, duplicates, and irrelevant data.

What challenges and opportunities could financial institutions face when ensuring vendor compliance of DFS 500?

DFS 500 is more prescriptive than other regulations. Because it is a regulation, it forces vendors to deal with issues like multifactor authentication, encryption, and incident notification. This gives us a hammer with which to work with vendors. But it is also challenging because it is more work to verify these mandates, and it forces smaller, more competitive suppliers out of the pool of potential providers. It is specifically difficult with employee benefits vendors. These companies are usually required to comply with HIPAA, but are not familiar with such prescriptive banking regulations.

How do you see the impact of vendor and third party risk evolving over the next 6-12 months?

The discipline is growing rapidly because information security is such a prominent risk domain. But with GDPR and states issuing their own privacy laws, third party risk again rises in value to the institution. Finally, I predict the areas of sustainability and corporate social responsibility to become an increasingly important risk domain requiring further due diligence and monitoring.
