The document discusses establishing an effective vendor management program for outsourcing technology services. It outlines that the board is responsible for developing policies and overseeing the program while management evaluates providers, implements risk management, and monitors outsourced relationships. The risk management program involves assessing risks, selecting suitable vendors through due diligence, negotiating comprehensive contracts, and ongoing monitoring of service providers.


Vendor Management

Outsourcing Technology Services


Objectives
Vendor Management – Outsourcing Technology Services

• Board and Senior Management Responsibilities
• Risk Management Program
  • Risk Assessment
  • Service Provider Selection
  • Contracts
  • Ongoing Monitoring
• Business Continuity Planning and Testing
• Other Available Resources
FEDERAL DEPOSIT INSURANCE CORPORATION
Board and Senior Management Responsibilities

The Board can outsource a service, but cannot outsource the responsibility.

• Develop and implement risk-based policies and procedures to govern the outsourcing process

[Figure: risk management cycle around RISK: Identify, Measure, Mitigate, Monitor, Report]

Board and Senior Management Responsibilities

Board Responsibilities
• Develop and approve policies that establish an effective vendor management program framework
• Select a service provider that best meets the needs of the bank
• Negotiate a contract that protects the interests of the bank
• Oversee management’s implementation of the program through regular board reporting
Board and Senior Management Responsibilities

Board Reports
• Audits
• Business Continuity Plans and Testing
• Service Level Agreements
• Information Security
• Financial Statements
• Higher-risk Service Providers
• Regulatory IT Examination Reports

Board and Senior Management Responsibilities

Management Responsibilities
• Evaluate prospective providers based on the type of services outsourced and how critical the function is to the bank
• Ensure each outsourced relationship supports business requirements and strategic plans, and is appropriate for the size and complexity of the bank
• Confirm the bank has sufficient expertise to oversee and manage the relationship
• Implement ongoing monitoring programs that prioritize activities based on the degree of risk and criticality of the services
Risk Management Overview

• Inform senior management and the board of the risks associated with outsourcing
• Ensure that outsourcing arrangements are prudent and consistent with business objectives
• Implement effective controls to address identified risks
• Perform ongoing risk monitoring to identify and evaluate changes in risk from the initial assessment
• Document procedures, roles, responsibilities, and reporting mechanisms

Risk Management Overview

[Figure: vendor management cycle: Risk Assessment, Vendor Selection, Contracts and Monitoring around Vendor Management]

Risk Assessment

Risks
• Strategic: planning, implementation, scalability
• Compliance: legal and regulatory requirements
• Reputational: errors, delays, omissions, fraud, breaches
• Interest Rate: errors, inaccurate assumptions
• Liquidity: service disruptions, settlement delays
• Cyber: disruption, malware


Risk Assessment

Quantifying Risks
• Outsourced Function: criticality, data sensitivity, transaction volume
• Service Provider: financial strength, industry experience, location
• Technology: reliability, security, scalability
Vendor Selection

Due Diligence: Key Considerations
• Corporate history, qualifications, references
• Financial condition
• Service delivery capability
• Technology and system architecture
• Internal control environment, security history, audit coverage
• Reliance on and success in managing subcontractors
• Legal and regulatory compliance
• Insurance coverage
• Site visits
• Disaster recovery/business continuity
Contracts

Common Provisions

Scope of Service
• Rights and Responsibilities
• Description of Activities
• Timeframes for Implementation
• Assignment of Responsibilities

Security and Confidentiality
• Responsibility and Controls
• Incident Response and Notification Requirements
• Appendix B to Part 364 (GLBA)


Internal Controls
• Records Maintenance
• System Monitoring
• Notification Requirements
• Cybersecurity

Audit
• Types of Audits
  o Financial
  o General Controls
  o Network Security Assessments
  o Electronic Funds Transfer
  o Disaster Recovery Tests
• Frequency
• Right to Receive
• Right to Audit

Reports
• Frequency and Types
  o Performance
  o Financials
  o Compliance with regulatory guidance

Business Resumption/Contingency Plans
• Backup and Records Protections
  o Equipment
  o Programs and Data Files
• Maintenance and Testing
  o Frequency
  o Availability of Test Results
  o Bank Participation

Sub-contracting
• Awareness
• Assessment
• Responsibility

Regulatory Compliance
• Adherence to Regulatory Guidance
• Risk Management
• Consumer Compliance

Performance Standards
• Measurable
• Minimum Service Level Requirements
• Remedies
• Service Level Agreements (SLAs)


Bank Service Company Act Notification

• Banks should notify their primary Federal regulator of the outsourcing relationship within:
  • 30 days of entering into the contract, or
  • performance of the services
  whichever occurs first


SLAs
• Confidentiality of Data: GLBA compliance, notifications, responsiveness
• Integrity and Availability: error rates, up time, processing timeliness
• System Changes: programming changes, system updates
• Security Standards: compliance, independent testing
• Business Continuity: backup, retention, protection, restoration, recovery
• Help Desk Support: responsiveness, availability, qualifications

Monitoring

• Periodically reevaluate active service providers
• Tailor ongoing monitoring using a risk-based approach considering:
  • Criticality of the services
  • Sensitivity of data
  • Degree of perceived risk
• Implement more frequent and stringent ongoing monitoring for higher-risk service providers
• Report results to the board

• Audit reports
  • Performed by qualified and independent personnel
  • Type, scope, and frequency consistent with:
    o Size and complexity
    o Products and services
    o Level of risk
  • Review corrective actions


• Financial Condition
  • Continuity of operations
  • Support for the contracted services
  • Investment in security controls
  • Product updates


• Compliance with Service Level Agreements
  • Performance standards
  • Information security standards (GLBA)
  • Incident response programs
• Business Continuity Plans


• Available only to client banks under contract
• Request from FDIC Regional Office Case Manager
• National and State-member banks may request from the bank’s primary Federal regulator
Business Continuity Planning

[Figure: vendor management cycle: Risk Assessment, Vendor Selection, Contracts and Monitoring around Vendor Management, with Business Continuity Planning]

• Review service provider plans
  • Mission critical service restoration
    o Timeframes and recovery time objectives
    o Staffing, capacity, telecommunications, hardware, software, and facilities availability
    o Wide-scale disruptions
  • Contingency plan testing and testing scenarios
    o Connectivity, functionality, volume, and capacity of alternate facilities
    o Annual or more frequent
  • Interdependencies
    o Internal and external dependencies
    o Test where feasible
Outsourcing to Foreign Service Providers

• Arrangements should be subject to the same due diligence and assessment processes as domestic outsourcing relationships
• Risks become unique

[Figure: risk management cycle around RISK: Identify, Measure, Mitigate, Monitor, Report]

Summary: Review

[Figure: vendor management cycle: Risk Assessment, Vendor Selection, Contracts and Monitoring around Vendor Management]

Resources

• FFIEC IT Examination Handbook (www.FFIEC.gov)


• FDIC Financial Institution Letters (FILs)
  • FIL-13-2014: Informational Tools for Community Bankers
  • FIL-44-2008: Guidance for Managing Third-Party Risk
  • FIL-52-2006: Guidance on Foreign-Based Third-Party Service Providers
  • FIL-121-2004: Computer Software Due Diligence
  • FIL-23-2002: Country Risk
  • FIL-81-2000: Risk Management of Technology Outsourcing
  • FIL-49-99: Bank Service Company Act
Website: www.fdic.gov

• Directors’ Resource Center
  www.fdic.gov/regulations/resources/director/
• Technical Assistance Video Program
  • Information Technology (IT)
  • Corporate Governance
  • Third-Party Risk
  • Cybersecurity Awareness
  • Cyber Challenge: A Community Bank Cyber Exercise
• Questions
  supervision@fdic.gov