
Casting the Net for Third Party Risk

The summer of 2016 has been one of media challenges and record-breaking heat waves across many states. The slow-moving boats and relaxed fishing of a normally idyllic mid-summer break have been swept aside by a flurry of activity within the sea of third party risk. This past week in Boston, the Shared Assessments Program Steering Committee met to review and plan out the remaining 2016 activities for release of tools, white papers, and working group activities. Boston shipyards were in full view from our planning meeting room as the team focused on the continued advancement of maturity for third party risk management across multiple industries.

The spotlight on third party risk management has expanded considerably since the release of the OCC framework, with a heightened focus on corporate governance and regulatory compliance. Organizations implementing oversight for third parties have run into resource challenges by casting the net too wide and treating all third parties in the pool of vendors alike. Just like in fishing, size does matter, and effective resource allocation concentrates on the areas that matter most – bigger risks = more oversight.

At the Shared Assessments Program meeting, Ernst & Young shared insights from their Third Party Risk Management Survey, released in June 2016, which highlighted key trends since the prior report:

  • 71% of financial services respondents conduct Regulatory Compliance reviews, pre-contract – up from 47% in 2014
  • 43% of the financial services companies surveyed report the status of critical third parties to their Board of Directors, up from 26%
  • 39% reported that third parties face some type of risk assessment, up from 19% in 2014
  • 85% stated that less than 25% of their vendor population posed consumer protection risk

The resulting shift in pre-contract compliance reviews has triggered the need for enhanced compliance documentation, typically covering not just traditional IT controls but also a deeper review of whether a product's features and functionality trigger specific regulatory compliance obligations. Similarly, assessing the governance model behind a third party service provider's overall “approach” to managing regulatory compliance risk is just as critical a methodology as reading the statutes themselves. The increase in the depth and breadth of the types of controls being assessed requires an approach to risk management that can scale.

LEVERAGING INDUSTRY COLLABORATION

The Shared Assessments Program was founded on the premise that efficiencies can be found with robust tools that provide not only a comprehensive set of standardized questions for vendors, but also an objective set of procedures to test key controls in an on-site assessment. The scope of questions is based on mapping activities back to the source regulatory drivers, providing a tool set that can be adapted based on the type of services being provided to a regulated entity.

Acceptance of industry tools has grown, as 28% of EY respondents adopted a Shared Assessments tool, up from 24% in 2014. In fact, as the scope of external audit engagements has shifted with the SOC 1, SOC 2, and SOC 3 standards, the expanded control set and testing are a benefit for both the financial institution receiving a report and the service provider distributing a report. 71% of the survey participants stated that a SOC 2 is useful in reducing or removing third party reviews, up from 52% in 2014.

The Shared Assessments Program also manages an on-site assessment test procedure, called the Shared Assessments Agreed Upon Procedures (AUP), that provides independent testing of the key controls from ISO standard domains.

One of the hotter topics in the Wicked Tuna rocky landscape for third party risk is fourth party management. 90% of organizations surveyed said they identify or maintain an inventory of fourth parties and place reliance on controls of the third party to oversee their own vendors/service providers, which increased 36% to 75%. The downstream usage of technology outsourcing and business process outsourcing requires a different data mapping technique to prioritize risk assessment efforts toward the Big Fish.

ADAPTING OUR OWN CLIENT DUE DILIGENCE PROGRAM

As our Deluxe product suite has expanded beyond traditional check printing services and into Marketing And Other Services (MOS), our approach to responding to client due diligence requests has matured. Deluxe has created a comprehensive compliance packet based on the compliance artifact recommendations provided by Shared Assessments, FFIEC expectations, and regulatory guidance. In fact, our client acceptance rate of our comprehensive compliance “packet” is at 89% vs. completing ad-hoc requests.

To assist our clients with ongoing monitoring and to streamline the process, my team has enabled automation so that requests can be fulfilled using a secure online portal for compliance documentation. Customer feedback has been positive because clients no longer have to deal with zipped files, emails, and attachment size limits. External audit reports have been enhanced this year to deliver both a SOC 2 report and a Shared Assessments AUP report. Both show independent testing of specific controls – the combined scope helps clients place reliance on these audits, and the demand for custom audit engagements has been reduced – freeing up resources to focus on other risk management functions.

Linnea Solem, Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation, is a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in the areas of eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Deluxe Blogs