By Michael Casey, Head of Outsourcing and Supplier Risk, Americas, UBS.
Michael, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?
I am a former auditor with KPMG. I spent 13 years in consulting. Prior to UBS, I led a business intelligence practice at Wipro Consulting. I have been at UBS for 6 years, where I started negotiating consulting contracts. Now I am the Americas Head of Outsourcing and Supplier Risk. Most recently I have been focused on helping my firm focus on Fourth Party Risk.
What is the process of implementing a VRM program in a company?
Identify the risks, implement controls, and assess residual risk against risk appetite. Vendor risks need to be assessed to your company standards. Weaknesses in controls, or control gaps, require remediation. Where standards cannot be met, companies need to implement mitigating controls, accept the risk, or terminate vendor relationships.
At the Vendor and Third Party Risk conference, you will be speaking on your insight regarding ‘Reviewing the ability to effectively manage fourth parties including outsourcing, supply chain and oversight’. Why is this a key concern right now? And what are the essential things to remember?
You only have a contract with the third party. You need to require the vendor to ring-fence the data, and disclose all third parties which have access to your data, along with all vendors which are critical fourth parties to your third party service. You need to ensure your third parties have a risk assessment program in place for their vendors, and that they appropriately risk-assess their vendors.
What are the costs and benefits of outsourcing instead of taking a supply chain management approach?
Outsourcing requires a supply chain management approach. The benefit of outsourcing is that a vendor at times has more specialized experience and can provide it at lower cost. However, outsourcing has higher risk and requires oversight and monitoring to manage the relationship.
In your opinion, why could it be difficult to review third party companies, particularly when 4th parties are also involved?
Almost all companies who have third parties conduct risk assessments on them. Where fourth parties come into play, the third party must disclose:
1) which fourth parties have data;
2) ensure that the third party conducts risk assessments of all fourth parties with data for information security controls;
3) disclose which fourth parties are critical vendors to critical third party services;
4) ensure fourth party vendors which support critical services have appropriate BCM plans in place;
5) ensure assessments are to UBS standards;
6) ensure appropriate contract standards are in place in the third party contract with the entity;
7) ensure that the third party puts similar contract terms in place with the fourth party; and
8) ensure that fourth party concentration risk is evaluated.