Using the EBA guidelines to streamline your supplier risk management program.
Simply stated, financial services faces enormous risk in an age when attack surfaces are expanding exponentially. All too often, these risks, and the regulations introduced to mitigate them, become barriers to innovation.
To help pave the way towards better risk management, the European Banking Authority (EBA) issued revised guidelines on outsourcing arrangements earlier this year. These address the use of cloud computing and other managed services in financial institutions to establish an industry-standard governance framework that enables, rather than prevents, modernisation without adding risk.
The EBA has made clear that the guidelines aren’t rules, but rather a flexible set of principles addressing the use of technology outsourcing in the financial sector. As such, they should be applied in a way that’s appropriate to the unique needs of the enterprise as determined by the size, scope, and complexity of its activities. The guidelines also serve to help achieve stronger compliance with regulators around the EU by providing a predictable and consistent approach.
It is now a practical necessity to extend audit rights to third parties. However, the guidelines also clarify that institutions remain fully responsible for meeting all compliance regulations. The liability of third-party providers is determined by their contractual agreements with their customers, but the institution using the outsourced services remains legally accountable in the case of a compliance failure or security breach.
Supplier risk management solutions should be able to operate at scale to meet these guidelines, and now more than ever, there is a need for a universal platform that provides customisable dashboards specific to each department’s needs.
Establishing a New Supplier Risk Management Process for Financial Services
On average, 181 third parties are granted access to an enterprise’s network in a given week, yet only a third are confident in their ability to track vendor logins. In the finance sector, that’s the sort of situation which can lead to a serious compliance failure, not to mention greatly increased exposure to a data breach. Once you’ve factored in the huge number of subcontractors involved in the typical cloud ecosystem, it quickly becomes clear that the only way to mitigate risk is through a cohesive, consistent, and standardised approach.
That’s why the EBA guidelines address subcontractors, with an emphasis on those providing critical or important functions. It’s imperative that institutions choose and manage outsourced partners with care to ensure every entity down the supply chain is appropriately vetted and fully compliant with the regulations the institution is subject to. Third parties must also be willing to provide complete transparency about any subcontractors that might have access to customer data. In summary, governance must include the entire vendor supply chain.
The EBA guidelines also address the need to determine whether concentration risk is a factor when outsourcing to particular service providers. Some institutions are at risk of developing a single point of failure by, for example, relying on a very small vendor portfolio. Concentration risk also applies to sectors, in which multiple covered entities depend on a small number of outsourced partners.
To mitigate the risks presented by intra-firm concentration, institutions may need to consider limiting the scope of outsourced functions. They should also formulate documented exit strategies to increase business resilience and keep disruption to a minimum whenever their vendor portfolio changes.
Managing risk pertaining to sector concentration is harder because covered entities don’t have access to the outsourcing arrangements of their peers. In this case, institutions need to be wary of this risk when entering into new vendor relationships or doing business with monopolist providers.
Streamline Your Supplier Risk Management
More often than not, departments within financial services are siloed and decentralised, setting themselves up for failure to meet the EBA guidelines. However, a universal solution with dashboards specific to a department’s needs and responsibilities can help to align and streamline the supplier risk management process and manage this complex challenge.
DVV Solutions and ProcessUnity Vendor Risk Management can evaluate, track and measure supplier risk, assess its impact on all aspects of a business and develop compensating controls to lessen the impact if an incident should occur. Download the Four Keys to Creating a Vendor Risk Management Program That Works to jumpstart a successful supplier risk management program.
Already have a successful program foundation? Contact us today to schedule a demonstration and learn how we can help you align your operations with the EBA’s guidelines.