'Fourth-party due diligence' is quite rare, says GRC survey

A survey of more than 100 top financial institutions by MetricStream and the Risk Management Association has revealed that they are not doing enough to keep an eye on the service providers that most financial institutions take on.
'Outsourcers' have long provided the big banks and others with a variety of tax, legal, audit, and information technology operations. Today, more and more small financial firms are able to outsource their operations as well, as a consequence of advances in technology and greater accessibility to extremely skilled professionals. Many institutions are also lending their names and attributes to third parties for use in franchising arrangements - an often-risky enterprise that can expose them to financial loss and reputational and regulatory trouble.
With the need for 'due diligence' to be done on all these outsourcers in mind, the RMA and MetricStream asked more than 100 financial institutions from all over the globe to discuss the ways in which their compliance departments vet their 'vendor relationships.'
Insights from the survey
• Each institution had many experts in information technology, information security, compliance, law, business continuity management/planning, and finance to help them select vendors and be 'duly diligent' towards them.
• The most important groups that conduct 'secondary supplier risk assessments' include information security, information technology, business continuity management, and legal departments.
• The number of suppliers that might have a significant effect on each entire organisation in the event of a failure ranges from 3 to 15.
• In addition to due-diligence questionnaires and monitoring, 72% of the respondents also conduct site visits, especially for vital vendors. Meanwhile, the risk associated with crucial/high-risk suppliers is reassessed on an annual basis in 25% of the firms. It is interesting to note that there is an annual process, but not necessarily a 'risk-based' assessment process.
• Of all the respondents, 97% have either defined, or are in the process of defining, the 'critical activities' within their institutions.
Fourth-party suppliers
MetricStream believes that it is becoming increasingly important for banks to understand their relationships with firms further down the supply chain. They are already using 'supplier risk' management systems to ensure that important data is kept up to date for all suppliers, including those further down the chain than a bank would normally look. This data includes every vendor's business continuity plan, information security policy, contracts and insurance certificates. On this subject the survey found the following.
• 50% of the organisations identify fourth-party suppliers at the 'request for proposal' stage, when they are outlining the bidding process and contract terms. Within this group, 22% update their list of suppliers annually.
• Interestingly, 67% of respondents do not perform due diligence on their fourth parties. Some 20% perform due diligence at the time of sourcing or when contracting with the third party, and 13% do so when the primary supplier notifies them of a new and material fourth party.