Fintech Perspective: Balancing Speed to Market With Sound Risk Management

Christopher Monk, Managing Director
Business Performance Improvement

and

Tyrone Canaday, Managing Director
Technology Consulting

As financial institutions develop innovative technology, whether in-house or by partnering with fintech companies, they need to consider carefully the regulatory requirements for both third-party risk management and information security. Protiviti hosted a Fintech Innovation webinar on April 5 that addressed the need for banks and other financial institutions to balance sound third-party risk management against the pressure to bring new products and services to market quickly in order to remain competitive. Attendees were primarily traditional financial services companies (81 percent), mainly banking organizations and some insurers; fintech companies represented seven percent of the audience.

We want to highlight some of the results of the polling questions submitted during the webinar because they give insight into the current state of fintech innovation and the areas banking firms are most concerned about as they work to achieve a balance between innovation and sound risk management.

The collaboration is not without challenges. Of the respondents who said they face challenges with their third-party risk management programs (a large majority), one-third consider the most difficult task to be coordinating activities and workflow among the different groups responsible for parts of third-party risk: the business (the first line of defense), the vendor management office, procurement, and the compliance and information security functions. Seventeen percent highlighted the difficulty of achieving coverage of all of the organization’s third parties across every line of business in the enterprise. Other issues include understanding and keeping up to date with evolving regulations, and managing the workload by making the third-party risk management process more efficient and scalable.

Most significantly, almost half (44 percent) of all respondents indicated that their organization does not track the risks associated with fintech companies and other vendors effectively.

Addressing the challenges

For institutions that are just beginning their innovation journey, a good starting point is to ensure they understand what their current capabilities are, including those for actively managing third-party risks as well as data security and privacy risks. From there, firms can then begin to consider pushing forward with developing innovative products using a structured research and development (R&D) lifecycle. By layering the two efforts together, firms can ensure third-party considerations are addressed throughout the process, and the level of risk management rigor and scrutiny is increased as they progress through the R&D gates.

During our webinar, Protiviti experts guided attendees through the many ways in which fintech companies are disrupting the marketplace and offered a new third-party risk management framework that can help manage the risks inherent with partnering with smaller, startup firms and launching new technology products and services. You can access the free recorded version here, and we recommend a full listen.

For even more detail on how traditional financial institutions can balance the need for speed to market for new products with the need for information security and risk management compliance, and on the best practices for doing so, refer to our newly published white paper: Enabling Speed of Innovation Through Effective Third-Party Risk Management.

Paul Kooney of Protiviti’s Security and Privacy practice contributed to this content.

It’s Not the Time for Banks to Abandon Vendors

by Ed Page
Managing Director – Leader, Protiviti’s National Financial Services IT Consulting Practice

A recent article in American Banker Bank Technology News raises the prospect that stiffer vendor risk management requirements may push banks to bring more IT work in-house. Given the rigor being demanded these days, it’s hard to argue against that position, but banks and regulators alike need to be aware that this could have unintended consequences, particularly at midsize and smaller banks.

Large banks generally have the scale and skills to run IT services in-house, so insourcing to reduce the overhead of vendor management may be a viable approach. However, driving IT services in-house at smaller institutions may create a whole different set of risks. Many midsize and smaller institutions have long depended on outsourced relationships to provide essential IT services, both as a means of acquiring technical competencies and to reduce costs related to IT operations. Consequently, many lack the core competencies, experience and expertise needed to run things in-house.

I liken this a little to the do-it-yourself (DIY) phenomenon in home improvement. Although there are certainly a lot of DIY projects that people can undertake, a project such as upgrading the 1940s era knob and tube electrical wiring currently in your home to current standards is better left to the professionals (unless, of course, you are an electrical wiring expert!).

Insourcing may also pose a secondary risk for the industry as a whole. At a time when banks need to innovate to stay competitive, they may be discouraged from working with vendors, particularly smaller vendors, who may be creating breakthroughs. Financial institutions could then miss opportunities to drive down costs or introduce new products and services, which in turn creates competitive risk from other institutions and non-bank competitors that are more willing to work with outside providers.

Technology and data are the life blood of banking, so the regulatory intent to ensure accountability and governance over these critical services is undeniably correct, but banks must guard against overreacting in ways that create other equal or even greater risks. The industry needs to retain both insourcing and outsourcing as viable alternatives. Ultimately, organizations should develop an IT strategy based on their business priorities and competencies. That strategy should be supported by a well-defined IT architecture, strong IT and data governance, and – where outsourcing is dictated – sound vendor management.

And for more insights into vendor risk management, I encourage you to read the benchmark report that the Shared Assessments Program and Protiviti recently released on the maturity of vendor risk management in organizations today.

A Look at the Maturity of Vendor Risk Management – A Benchmarking Study from the Shared Assessments Program and Protiviti

I want to share with you a just-released report on the results of a study on vendor risk management practices in which Protiviti partnered with the Shared Assessments Program – a consortium of leading financial institutions, Big Four accounting firms and key service providers dedicated to helping organizations understand and manage vendor risk effectively. Our report reveals some particularly interesting findings regarding how well organizations are managing their vendor risk. Bottom line: There is significant room for improvement in many organizations.

As the volume of outsourced and offshored products and services has surged in recent years, so, too, have the risks associated with vendors and third-party providers. Data breaches at vendors handling a company’s data and information are costly; they can even carry a higher cost than in-house breaches.

Importantly, the number of incidents is rising – in highly regulated industries such as financial services and healthcare; in media and retail, as seen in recent news; as well as in any organization in any industry that is relying on third-party vendors to manage operations and processes. These at-risk vendors include not just data management, IT and security providers, but also facilities management along with any vendor that may have access to your network, data or facilities.

Thus, vendor risk management is a big deal, raising the bar on the importance of a company knowing who its third parties are, how each of them interacts with the company’s customers, what activities each performs on behalf of the company, and what company data they access and process. Unfortunately, for most organizations, understanding vendor risk and how to manage it appropriately has thus far been more art than science. This is changing in part with the development of the first comprehensive Vendor Risk Management Maturity Model by the Shared Assessments Program.

The Shared Assessments Program recently partnered with Protiviti to conduct a third-party risk management benchmarking study based on this maturity model. Our study reveals some interesting trends:

  • Financial services organizations tend to have relatively mature vendor risk management programs compared to other companies and industries.
  • Organizations in the insurance subset are at a lower level of maturity in their vendor risk management compared to the overall financial services set.
  • Notable areas for improvement include program governance, and policies, standards and procedures.

To learn more, please visit www.protiviti.com/vendor-risk. And as always, I invite you to share your comments and feedback here.

Jim

[Infographic: 2014 Vendor Risk Management Benchmark Study]