Building a full end-to-end risk assessment framework from procurement to termination for on-going monitoring

James, can you tell the Risk Insights’ readers about yourself and your professional experiences?

The majority of my career has been spent leading global procurement teams in financial services, with a particular focus on broad vendor management in the UK, US and Asia. After my first role working for a renowned management consultancy leading strategic sourcing projects, I moved into the financial services industry in the early 2000s. Since 2008 there has been a significant increase in focus on regulation for vendor management and outsourcing, which has been a core part of my role.

We look forward to your presentation at the Vendor & Third Party Risk EMEA Summit where you will be delivering a presentation on an end-to-end risk assessment framework. Why do you feel this is a key talking point at the Summit?

Risk assessments are a foundation for any end-to-end framework. Regulatory focus on outsourcing has continued to increase in recent years with vendors representing a huge part of financial services firms’ resource base. Ensuring operational continuity in today’s geo-political climate is essential to effective business and a key part of this is the resilience of our networks.

What are the benefits of incorporating risk appetite into this strategy?

Given the scale and scope of vendor relationships, it is vital that firms consider their risk appetite to apply appropriate resources to their due diligence and performance monitoring activity. Without this assessment, it is likely that vendor risk management programs will fail to identify those relationships which might truly pose the greatest risk whilst diverting a huge amount of time and resources across a large number of low-risk relationships.

How can institutions determine the level of assessment to take across the supply chains and how deep should they be looking to go?

Most firms have established a framework that assesses inherent risk which is run alongside a scoping assessment to determine the type and depth of additional control assessments. Equally, many have a major focus on information and technology risk together with wider operational risk domains as part of the assessment process.

My view is that this process is not static and should be iterative over time, with the first base to review the entire vendor base and determine inherent risk; control assessments should then be applied to the highest-risk services, working with subject matter experts either from within the firm’s control functions or using a third party. Once a base level of control assessment and remediation activity is in place, subsequent efforts should focus on improving the depth and scope of these assessments – including testing of vendor and firm controls.

How do you see the role of the vendor risk professional changing over the next 6-12 months?

Within financial services firms, vendor risk is playing an increasingly prominent role. There is a clear opportunity for this function to take a leadership position by bringing together disparate central functions, including procurement, technology, risk and business continuity, to provide a resource which helps to inform business strategy. To achieve this, vendor risk professionals must bring a broad functional knowledge to help facilitate the vendor management lifecycle, to support the business in executing effective outsourcing decisions while minimising the complexity of the internal processes.