By Bob Koszkalda, Director, Third Party Risk Management, SVP, KeyBank
Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?
I am the Director of Third Party Management (TPM) at KeyBank (Key), a $135 billion financial institution based in Cleveland, Ohio. I am responsible for the development of and adherence to Key’s Third Party Management policy, program and practices in alignment with Key’s enterprise risk management requirements and corporate risk appetite. Before heading up TPM, I implemented the Technology Risk function at Key and was a senior vice president in IT Audit. Current priorities include TPM being more influential during the planning phase, implementing service categories to streamline onboarding and provide consistency in risk management, and integrating the KY3P third party utility into Key’s internal processes and systems.
What, for you, are the benefits of attending a conference like Vendor & Third Party Risk USA 2019 and what can attendees expect to learn from your session?
Attending a conference that has both formal presentations from practitioners, as well as ample time to discuss best practices with peers, provides a great opportunity to learn from others and dig deep into what works and what does not in the real world. In my session, you will learn the benefits of having Third Party Management, Legal and Category managers all report to the Chief Procurement Officer, adhere to a Board-approved policy and program, follow the enterprise risk requirements, and have a unified approach to engaging risk partners such as Compliance, Cyber Security and Business Resiliency. Also, the TPM team has “shifted left” to be more involved as third parties are being considered, shepherding the completion of the documentation necessary for approval by Key’s TPMC and ERMC committees.
What, for you, would be optimal for successful integration of procurement and vendor risk?
For third parties to be on-boarded and managed efficiently and effectively, it is important that all stakeholders understand and embrace the approved policy and program and integrate their risk and control activities accordingly. All parties must agree on what makes a third party high inherent risk, the necessary controls based on the volume and types of data being shared, and the protocols to minimize negative impact to customers and internal stakeholders. The optimal integration would have line-of-business, risk partner, second line-of-defense and Procurement stakeholders have a solid understanding of the activity being sourced, including data sharing and regulatory impact, as early in the TPM life cycle as possible so that they can engage appropriately and complete assessments in a timely manner.
What are the key considerations that need to be made when defining roles across the financial institution?
The most important role is the engagement manager who works closely with the third party, often daily, to ensure that service levels are met, performance is acceptable, value is being obtained and the company is getting what it expected in the business case and agreed upon in the contract. If the business reason for using a third party is not met, then it may be time to change third parties. Once a third party is on-boarded, the Procurement category activities and Legal work are largely completed, but the risk and control activities will continue until the relationship is terminated, which might be many years. During this period, the same controls that were reviewed during the on-boarding period will still need to be periodically assessed. For example, if data is being shared, then a review of cyber controls may be required. If the third party has direct customer contact, then the third party should be reviewed from a compliance, sales practices and complaints perspective.
How can institutions structure internally to ensure collaboration across the cycle to manage risks prior to onboarding?
At Key, before on-boarding a third party, the line-of-business must complete a detailed questionnaire that documents the activity being sourced, regulatory impact, data sharing, recovery time objectives and other relevant information. This information is then reviewed by risk partners and the second line of defense to provide them an opportunity to get involved in the on-boarding process and to ensure the questionnaire was completed accurately. Specific due diligence tasks, such as performing a data center site visit or reviewing compliance policies, are automatically generated for risk partner execution. This also allows the Legal team to focus on contract language that is most applicable for the activity.
How do you see the management of vendor and third party risk evolving over the next 6-12 months?
There is a strong desire for companies to reduce the time and cost it takes to on-board and manage third party relationships. I see the use of third party utilities as a possible solution for this. Currently, each company performs its own control assessments, but with a properly implemented utility, it might be possible for a centralized utility to assess a third party once and share the results with multiple requestors. This may also reduce the time it takes to on-board a third party since an assessment may be available “off-the-shelf” to use during the due diligence phase.