Uncovering unknowns: Understanding the intersection of vendor management and business continuity planning

By Michael Berman, Founder & CEO, Ncontracts

Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

Everyone has a super power. Mine is connecting the dots. I’m passionate about the power of data, when properly organized and leveraged, to uncover business threats and opportunities.

I founded Ncontracts in 2009 after serving as general counsel in the financial technology industry. Overseeing risk management for financial institutions in the midst of a financial crisis, I saw a process that was plagued by unconnected data, duplicated work, and disorganization. Large financial institutions were using spreadsheets to manage risk. Not only was there an enormous amount of wasted effort, but these efforts were inadequate to identify and manage risk on all levels.

Today my company provides risk management solutions, including vendor management, enterprise risk management, and business continuity planning, to hundreds of financial institutions. My extensive background in regulation, compliance, contract management, and technology has taught me that being organized, proactive, and thoughtful are the key to keeping institutions strong, profitable and capable of navigating confidently in an unpredictable world.

What, for you, are the benefits of attending a conference like Vendor & Third Party Risk USA 2019 and what can attendees expect to learn from your session?

When it comes to vendor and third-party risk, every financial institution needs to be prepared, protected, and positioned to take advantage of opportunities, but there are a lot of reasons why that doesn’t always happen. Vendor management is an inherently complicated discipline because it involves so many areas of the financial institution, from information technology to finance, to legal, to compliance, and more.

An event like this one provides an opportunity to share best practices to create efficiencies in process, procedures, and design to create a more efficient and effective third-party vendor program.

Why is business continuity planning an important component in the management of vendor and third party risks?

With the increasing reliance on third-party vendors and the increase in the use of cloud-based vendors, financial institutions need to understand their dependencies to be able to maintain their operations even in the event of a disaster. Too often, vendor management practices and business continuity planning are separated, which leads to duplicative work or, worse, conflicting views on vendors.

A financial institution may have the best internal BCP in the world, but if its critical vendors don’t also have a solid plan, it leaves the organization exposed to huge risks. 

How can institutions break down silos to effectively manage vendors and align with business continuity planning?

There is overlap between vendor management and business continuity planning in every step of the vendor management life cycle, including risk assessment, due diligence, monitoring and contract structuring. VM and BCP need to work together to jointly address these elements and ensure proper controls are in place.

That means those responsible for institutional BCP need to know what BCP must be addressed by the vendor and inform VM of its needs. VM needs to ensure these controls are included in any written agreements and that due diligence documents are available for review. While different institutions may divide up tasks differently, the key to success is creating a process to ensure tasks are delegated, progress is tracked, and potential issues are flagged and communicated to the proper channels.

It’s important to find a solution that addresses these concerns, ensuring an institution can harness its collective knowledge and resources to create a cohesive plan that integrates regulatory guidance and best practices.

What criteria can be used to identify critical vendors from a business continuity perspective?

Different agencies use different terminology, but it all comes down to similar concepts. A critical, significant, or high-risk vendor should be defined in your vendor management policy and/or procedures. Each financial institution can have definitions that are in line with federal agency guidance, and some are more expansive than the guidance. However, with regard to BCP, a vendor that performs or provides functions or services, including payments, lending, deposits, clearing, or IT, that would affect the ability of the financial institution to function will be a vendor that needs to be considered from a business continuity perspective. It should also include a vendor that is necessary to function or carry out business, like utilities, communication providers, and/or security providers that represent a single point of failure.

How do you see the management of vendor and third party risk evolving over the next 6-12 months?

I see a continuing focus on data privacy. More and more states are moving to pass data privacy laws like those enacted in California. A huge percentage of privacy breaches are the result of third parties. Institutions will have to push to ensure their vendors are complying with privacy laws and data breach notification laws in all the states and countries that the institution operates in, to ensure compliance and avoid reputational damage and potential fines.
