All Reward, No Risk: 3 Keys to Creating a Vendor Risk Management Plan

With near-daily security breaches in the media — including many at well-known financial institutions — every business, regardless of size, should have risk management at the top of its to-do list.

But many don’t recognize the need to look beyond their own systems and processes and scrutinize the risk profiles of their vendors — a task with especially high stakes for financial institutions, which are inviting targets for cyber-attacks due in part to:

  • Hundreds and sometimes thousands of third-party service providers
  • Frequent outsourcing of customer-facing applications that extends the risk beyond simply IT
  • Vendors who often have access to highly sensitive data and systems
  • Complexities of compliance in the heavily regulated financial sector

The solution is a vendor risk management process that allows organizations to prioritize each vendor based on the risk they pose to the business and apply the right mix of controls, policies, and procedures to keep them in check.

68% of financial services CISOs cite data and information security threats as a top-line business issue versus just 28% of other CISOs. – Global CISO Study, ServiceNow and Oxford Economics

Vendor risk management generally falls under an organization’s corporate governance, risk and compliance (GRC) umbrella. While GRC activities typically take place behind the scenes, a compliance issue such as a security breach can become headline news in an instant. And, fair or not, the public generally holds responsible the organization with which they do business rather than a third-party vendor.

Financial institutions are responsible for the risks undertaken on their behalf by vendors. As a result, regulators expect you to proactively identify potential risks, verify compliance and monitor changes. All of this can leave your organization vulnerable to regulatory fines and reputational damage.

Without a vendor risk mitigation strategy in place, you could face substantial risks if you fail to keep customers’ information and funds safe — even as these same customers demand new products and services that add complexity to your security processes.

The situation becomes even more challenging when you factor in daunting regulatory compliance, often across multiple jurisdictions. And all of this is happening in a field where skilled talent is at a premium.

The following is an excerpt from ServiceNow’s Vendor Risk eBook.

What’s involved in vendor risk management? Simply stated, it’s instituting a standardized and transparent process to manage the lifecycle for risk assessments, due diligence and risk response with your business partners and vendors.

A deliberate, comprehensive approach to mapping risk exposures is essential for financial institutions looking to allocate resources most effectively. When evaluating potential vendor risk solutions as part of your GRC, keep these three must-haves in mind:

Step One: Automation of third-party risk

In financial services, vendors are no longer just servicing your IT department — data, trading functionality, clearing and so many more functions may be supported by third parties. They’re essentially entrenched across multiple lines of business throughout your organization, which exponentially increases risk exposure and makes manual processes highly ineffective.

Given the pace of business today, process automation must be brought into the mix, replacing unstructured work patterns with intelligent workflows and providing the mechanism for automatic generation and assignment of issues, notifications and other work items.

By automating assessments, vendor risk processes, risk scoring, and notifications, ServiceNow Vendor Risk Management provides improved visibility and transparency in gauging your organizational exposure. Via a single convenient portal, you gain the ability to:

  • Customize levels of criticality for each vendor, which determines the degree of oversight, based on their access to information and other specific risks.
  • Configure real-time business and IT service performance data to enable automated controls testing and define thresholds as indicators for continuous monitoring.
  • Stay on top of critical activities with scheduled assessments and automated notifications and escalations.

Step Two: Faster onboarding of new vendors

Large financial services providers can have 200 to 300 high-risk vendor relationships at any given time, according to McKinsey & Company. While relying on a handful of core third-party suppliers for most needs can provide operational, financial and oversight benefits, many organizations find diversification a more practical solution.

Speed is of the essence when onboarding new vendors, especially those that are customer-facing, so you’re able to maintain consistent levels of customer service without sacrificing due diligence.

ServiceNow’s Vendor Risk automation capabilities streamline the process of onboarding a new vendor, so you gain value more quickly. For pressing issues that impact customers, such as replacing a vendor that houses data, you can also offer those customers a seamless transition. Other benefits of ServiceNow’s Vendor Risk include:

  • A more efficient process for collecting, parsing and scoring a risk assessment such as the built-in Shared Assessments Standardized Information Gathering (SIG) questionnaire to obtain higher-quality data.
  • Consolidated communication and collaboration with your vendors and their response teams, replacing time-consuming email and phone calls.

Ready for the final step? Download the full eBook to read more about Vendor Risk in financial firms, including stats on your peers’ organizations and the final step to preparing your business for success.
