The cost of not managing your Vendor Risk
Why try and manage risk at all – Regulated businesses are expected by their respective authorities to have in place an effective risk management strategy and robust practises that extend to cover all areas of a business including that of the supply chain. Geopolitical risk has increased with the United Kingdom’s planned exit from the European Union and the potential that the United States may renegotiate trade agreements and review alliances that previously have gone unquestioned when combined with the growth of disruptive Tech start-ups and emergency of the everything as a service culture on the rise with the advent and advancement on cloud based providers
Why use BVA for this – In the years since the financial crisis, financial institutions have faced a tsunami of new regulatory requirements indicating that the Business Units themselves or the sometimes quoted first line of defence take greater control to appropriately identify and manage risk. This effective management cannot be achieved piecemeal, in isolation or away from the business activity itself and must be applied consistently at a business process level over an extended period of time requiring the risk identification and management activity to be fully integrated with the management of the day to day delivery. The effort required to collate and report alone in order to prove compliance would be significant without any kind of tooling in place, only those with a large works force could hope to deliver on this and even then it would not be cost effective nor sustainable and unlikely to be able to prove that strong governance is in place.
Why is there the need to act now – In support of regulation released over the last 10 years the EBA recently saw fit to issue guidance in Feb 2019 specifically focused on suppliers and vendor management, it encapsulates many of the aspects from previous guidance that must now be extended to the supply chain in specific ways at a business process level. The guidance takes the opportunity to enhance on previously perceived one time activities that could have been completed pre contract moving towards the need for continuous management at all stages of the contract lifecycle covering performance, reporting, supervision and resilience to name but a few. This guidance came in to effect from Sept 2019 for any new, changed or reviewed contract relating to outsourcing services and expects all contracted deals existing or new to comply by the end of 2021.
What are the Table stakes – (1) the Ponemone Institute found that 59% of companies have already experienced a third party data breach of which only 16% say the believed that they effectively manage 3rd party risks which was pre release of the EBA Guidance. The average cost of a data breach in 2019 has been calculated between Europe and US to be anywhere between $3.88m and $8.19m. (2) In 2019 the FCA which is only one regulatory body racked up over £392m in issued fines for failures against issued guidance covering areas such as supervision, conduct and principles a number of which extended in to the supply chain and where failures that could be directly related to effective risk management