Reviewing the ability to identify critical vendors and services

Reviewing the ability to identify critical vendors and services

By Jim Arsenault, SVP Recovery & Resolution Planning, Citizens Bank.

Jim, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

After taking an early retirement from my first career as an Army Engineer officer in the late ‘90s, I began working for Citizens Bank managing what was then referred to as Disaster Recovery, now Business Resilience. I built out a team to manage the risk of business interruptions from technology failures, work space non-availability and other operational disruptions. I later switched focus to Incident Management – providing a core team of professionals to the bank responsible for coordinating the response to a wide variety of situations potentially impacting the bank’s customers, colleagues, operations, or reputation. We used a disciplined methodology and framework to assist the impacted business areas, operational teams, technology and corporate support functions in managing actions and resources to address the issue at hand and return the bank to a business as usual footing as rapidly and smoothly as possible. I moved over to Resolution Planning in 2012 as it became a business and regulatory focus following the financial crisis and have been involved in the preparation of each Resolution Plan, and now the Recovery Plan, for the bank since then.

Can you explain the current areas of concern within critical services and any advice you may have for your peers?

As businesses and the regulatory environment continue to evolve, it’s key to have a holistic understanding of what’s needed to keep the bank running and provide the expected services to our customer base. Core to this is maintaining a current view of the critical services, what resources are needed to provide those services and to consider all the risks that could potentially disrupt access to those resources in a variety of conditions.

At the Recovery & Resolution USA Congress, you will be speaking on your insight regarding ‘Reviewing ability to identify critical vendors and services in order to develop sustainable resolvability contracts’ Why is this a key concern right now? And what are the essential things to remember?

Certainly the regulatory focus is one of the main drivers of the push to being able to demonstrate an understanding of how vendor services support critical operations, but it’s also good business practice.  Someone needs to be looking at these on a regular basis, understanding if there are any changes are in terms of what services are critical to the institution, what’s parts of the service delivery are outsourced – to whom, under what terms and from which legal entity within the bank – and considering if the risks have changed over time. If evolution of the business results in the risk profile elevating and approaching the bank’s stated risk appetite, this must be recognized and actions taken to keep within the threshold set by executive management and the board.

What in your opinion, is the best way for financial institutions to manage fourth party outsourcing?

Transparency is key to understanding the risk a bank takes on when it outsources any services; with more factors added into the risk equation as a fourth party gets involved in delivery of those services. Ideally, this will be addressed in negotiating the terms of an outsourced arrangement, with the bank having the right to perform a vendor assessment on both the third party and any material fourth parties involved in delivering the agreed services.

Can you please give a brief overview of the impact of un-mediated contracts?

While this would be highly dependent on the circumstances of the bank’s failure, possible impacts could include a demand by third-parties for prepayment for services, or more severely, terminating the agreement with no further services to be provided.

How do you see the recovery and resolution industry evolving over the next 6-12 months?

Outlook depends on what happens legislatively with the proposed modifications to the systemically important threshold in the Dodd-Frank Act. The potential for regulatory relief from filing a 165(d) plan would be a significant boon to the mid-tier banks. I wouldn’t be surprised if the FDIC went to an alternate-year schedule for IDI plan filings.

With feedback to the large banks indicating their plans have moved in the right direction, and a sense of general regulatory easing, while I expect the requirement for ongoing filings to continue, I would expect their upcoming submissions to be a refresh of existing content and approach and to remain on an alternate-year schedule.