Daily Archives: August 8, 2014

Risk Management and Suppliers: How Banks can Comply with the OCC’s Guidelines on Third-Party Relationships

Today’s guest post is from Rebecca Lorden, Business Development and Marketing Manager of Source One Management Services, LLC.

In October of 2013, the Office of the Comptroller of the Currency released specific guidelines to banks and federal savings associations that outline how they should assess and manage risks associated with third-party relationships. The OCC issued these guidelines mainly because “the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships”. (OCC Bulletin 2013-29, October 2013).

It is true that third parties pose a threat if their own security protocols are not up to par with those of a major financial institution. In fact, in March of 2013, Bank of America became quite aware of this when they announced that a hack into TEKsystems, a third-party security firm they contracted, was the reason their internal emails were released to the public. These emails were no ordinary messages, but documented proof that Bank of America was monitoring hacktivist groups. Furthermore, the hacking group, known as Anonymous, later revealed that the data was not retrieved through a traditional, time-intensive and difficult hack, but was “stored on a misconfigured server and basically open for grabs”. (Bank Of America Says Data Breach Occurred At Third Party, February 2013). The scandal was not only damaging to Bank of America’s reputation, but also an obvious indication that banks needed to manage supplier risk more effectively.

The OCC’s guidelines outline eight key phases that should be considered when developing risk management processes. These phases include planning, third-party selection, contract negotiations, monitoring, termination, accountability, reporting and reviews. As clear as that might be, banks are still struggling with how to properly implement controls around these factors. That is where supplier relationship management can play a significant role.

Supplier relationship management, otherwise known as SRM, is the practice of strategically planning and managing all interactions with third parties to maximize their value. Many think of SRM as a way to reduce spend. SRM processes can reduce quality issues and delays with suppliers that, in turn, can translate into cost savings. More importantly, however, SRM can function as a main component in reducing a bank’s risk with suppliers. Supply chain experts feel that SRM offers a “solid framework” that can provide companies with a “formal risk and control process to follow”. (Building The Case For Supplier Relationship Management, May 2014).

For those who already have an SRM program in place, or believe SRM is just a sales tactic for supply chain consultants, now may be the time to reevaluate. First, suppliers can be neglected over the course of their contract. Even if the relationship started off on a good footing, the value from a supplier can diminish pretty quickly, especially if the supplier or the bank is faced with turnover or a redirection in initiatives. SRM dictates a process that continually communicates and supports the relationship, helping build supplier engagement no matter what changes are on the horizon. Secondly, for those non-believers, consider this: if managing suppliers is now a major priority set by the OCC, what better way to adhere to these guidelines than to build a solid foundation on which to base all third-party relationships?

It certainly seems that these OCC guidelines are a daunting task for banks to tackle. Managing supplier risks and enforcing compliance is not something that can be done overnight. Banks, however, have a secure solution in supplier relationship management. SRM can be the catalyst to successful third-party relationship management, ensuring that the risks are minimized to the best of a bank’s ability.

Thanks, Rebecca.