In today’s banking environment, most financial institutions rely on third-party service providers (or vendors) to conduct business on a day-to-day basis. In fact, without the help of third-party service providers, a bank’s ability to provide products and services to customers would be severely impacted. When a bank chooses to outsource key bank functions to a service provider, however, it creates a reliance on that third party and exposes the institution to the risk of not being able to resume operations in the desired timeframe in the event of a disruption.
When creating a business continuity plan, financial institutions have to be able to account for all interdependencies within the institution and evaluate the risks. Interdependencies can be classified into assets, or things you own, and vendors, or things you outsource. The FFIEC recently issued new BCP Guidance in the form of an addendum to the IT Handbook on Business Continuity Planning. It is titled “Appendix J: Strengthening the Resilience of Outsourced Technology Services”, and it has significant implications for both financial institutions and service providers. The guidance requires institutions to have certain controls in place to mitigate these risks and discusses a few key points regarding the management of third party providers:
- “Third-party management addresses a financial institution management’s responsibility to control the business continuity risks associated with its TSPs and their subcontractors.”
- “Third-party capacity addresses the potential impact of a significant disruption on a third-party servicer’s ability to restore services to multiple clients.”
- “Testing with third-party TSPs addresses the importance of validating business continuity plans with TSPs and considerations for a robust third-party testing program.”
Why Does VM Come into Play When Talking About BCP?
As banks evaluate vendors, they are assessing several key elements, but mainly the criticality of the product or service the vendor provides. In doing so, bankers should be asking: How important is this vendor to what we do? If they fail, how many of our services fail? Criticality is expressed in terms of Recovery Time Objectives (RTOs). Each bank must determine the RTOs unique to its own institution, and must also assign the same RTO to the third-party vendor that supports each process. Banks then assign a criticality rating to the vendor based on the criticality of the service that the provider supports. This helps ensure the vendor is equipped to adequately perform its agreed-upon task so the bank can conduct business as usual. If the provider is not up and running, then the bank can’t be up and operating either, at least not without workarounds in place.
When developing the BCP, the financial institution must look at all areas of the bank and the services and products provided (teller services, lending services, ATMs, accounting, etc.) and identify all of the interdependencies or third parties necessary to make these services happen. BCP also looks at RTOs for the entire process. So, if the bank assigns an RTO of one day to the teller process on the BCP side, then everything that process requires, including a third-party provider, now inherits that same RTO on the vendor side. There must be a tight cohesion between the vendor management process and the BCP.
Successfully integrating vendor management and business continuity planning is critical for financial institutions, especially when adhering to the FFIEC regulations and guidance. While this can be a tough assignment for bankers, it is a necessary process that has a direct impact on the health of the institution.