In talking to financial institutions across the United States about Operational Risk Management, I am amazed at how many continue to state that they have it covered. When we talk about operational risk we are referring to Third-party Due Diligence, Business Continuity Programs, Incident Reporting, and Alert Notifications. Just tracking some of this information in an Excel spreadsheet is no longer going to cut it with the auditors.
In an article titled “FDIC Watchdog Highlights Gaps in Banks’ Vendor Contracts,” that appeared in ABA Daily Newsbytes written by Krista Shonk and Denyette DePierro, it states that “Few banks’ contracts with technology service providers (TSPs) provide sufficient detail about the providers’ business continuity and incident response capabilities and duties, according to a report issued yesterday by the FDIC’s independent inspector general. The report also found shortfalls in banks’ assessments of how providers could affect the banks’ own ability to plan for business continuity and incident response.”
In response, “the FDIC said it would work with other Federal Financial Institution Examination Council agencies to update guidance on business continuity planning and incident response and that it would continue examinations and off-site monitoring of vendor management. Anecdotal reports from banks indicate that examiners are increasingly focusing on technology provider risk management. The report expressed concern that some banks ‘may not be sufficiently knowledgeable about or engaged in contract management.’”
It is becoming increasingly difficult for financial institutions to keep up with and maintain the proper compliance requirements on their own. If financial institutions want to be better prepared for their next audit, they need to partner with companies that specialize in operational risk management.
The right operational risk management solution combines dynamic technology, in-depth expertise and best practices on one common platform to meet and exceed the constantly changing expectations of the regulators. An all-in-one Operational Risk Management Suite allows financial institutions to easily manage all areas of operational risk management under one platform. The all-in-one suite needs to be easy to use, role-based and web-based. The common platform eliminates double data entry, saving valuable time and resources.
Third Party Due Diligence
Upload and store your institution’s information pertaining to locations, departments, people, vendor program, and policies. Upload and store all vendors to the system and track vendor static data. Assign different managers to the specific vendor to upload and track data.
Utilize the qualifying questionnaire to determine whether or not a particular vendor needs to proceed to the risk assessment. The risk assessment is a questionnaire organized by FFIEC categories and due-diligence questions; it prioritizes your vendors into a high, medium, or low risk category, which determines the level of due diligence to perform on each individual vendor. Upload and store all relevant due diligence criteria. Log and track all conversations exchanged between user and vendor, and evaluate vendor performance using the vendor report card.
Business Continuity Programs
Conduct risk assessments for locations and/or vendors. Assign probability and impact ratings to individual threats to automatically generate each threat’s overall rating, and define the details of impact along with mitigation steps for particular threats. Create your BIA based on the departments located within a specific location, with details of processes, resources, and people. The system includes the ability to set BIA review dates with reminder email notifications. Build your comprehensive plan from the data stored in the system using our predefined template. Test a particular section of your business continuity plan by selecting a team and testing their associated tasks.
Incident Reporting
Review an executive overview of the most current incident status and completion progress. Create teams and associate prioritized tasks. Store your incident response and escalation policies and define customized values. Track and record the incident while it occurs, defining specific details and assigning teams to handle the incident. Upload and store necessary external documentation. Create follow-up reports and memos using our template questionnaire and log lessons learned.
The right operational risk management solution can help find gaps in your operational risk management plan and help mitigate risk moving forward by implementing best practices and advanced technology all on one common platform.
About The Author
Marc Riccio, President of Specialized Data Systems, Inc., has over thirty years of experience providing software solutions to the financial industry. Marc is known for his forward thinking and vision of introducing new and innovative technologies including “rules-based” Loan Origination software, COLD/Document Image Systems, Internet Security Services on Demand, Cloud Computing and now Operational Risk Management software. Prior to founding Specialized Data Systems in 1989, Marc worked for several technology companies as a Systems Analyst, Account Manager and Sales Manager. Among his significant previous positions, Marc served as Senior Marketing Representative for FiServ-Connecticut and worked in the Retail Banking and Systems group for Bank of America.