Risk Management and Suppliers: How Banks can Comply with the OCC’s Guidelines on Third-Party Relationships

Today’s guest post is from Rebecca Lorden, Business Development and Marketing Manager of Source One Management Services, LLC.

In October of 2013, the Office of the Comptroller of the Currency released specific guidelines to banks and federal savings associations that outline how their companies should assess and manage risks associated with third-party relationships. The OCC issued these guidelines mainly because “the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships” (OCC Bulletin 2013-29, October 2013).

It is true that third parties pose a threat if their own security protocols are not up to par with those of a major financial institution. In fact, in March of 2013, Bank of America became quite aware of this when they announced that a hack into TEKsystems, a third-party security firm they contracted, was the reason their internal emails were released to the public. These emails were no ordinary messages, but documented proof that Bank of America was monitoring hacktivist groups. Furthermore, the hacking group, known as Anonymous, later revealed that the data was not retrieved through a traditional, time-intensive and difficult hack, but was “stored on a misconfigured server and basically open for grabs” (“Bank Of America Says Data Breach Occurred At Third Party”, Computer World, February 2013). The scandal was not only damaging to Bank of America’s reputation, but also an obvious indication that banks needed to manage supplier risk more effectively.

The OCC’s guidelines outline eight key phases that should be considered when developing risk management processes. These phases include planning, third-party selection, contract negotiations, monitoring, termination, accountability, reporting and reviews. As clear as that might be, banks are still struggling with how to properly implement controls around these factors. That is where supplier relationship management can play a significant role.

Supplier relationship management, otherwise known as SRM, is the practice of strategically planning and managing all interactions with third parties to maximize their value. Many think of SRM as a way to reduce spend. SRM processes can reduce quality issues and delays with suppliers that, in turn, can translate into cost savings. More importantly, however, SRM can function as a main component in reducing a bank’s risk with suppliers. Supply chain experts feel that SRM offers a “solid framework” that can provide companies with a “formal risk and control process to follow” (Building The Case For Supplier Relationship Management, May 2014).

For those that already have an SRM program in place, or believe SRM is just a sales tactic for supply chain consultants, now may be the time to reevaluate. First, suppliers can be neglected over the course of their contract. Even if the relationship started off on a good foot, the value from a supplier can diminish pretty quickly, especially if the supplier or the bank is faced with turnover or a redirection in initiatives. SRM dictates a process that continually communicates and supports the relationship, helping build supplier engagement no matter what changes are on the horizon. Secondly, for those non-believers, consider this: if managing suppliers is now a major priority set by the OCC, what better way to adhere to these guidelines than to build a solid foundation on which to base all third-party relationships?

It certainly seems that these OCC guidelines are a daunting task for banks to tackle. Managing supplier risks and enforcing compliance is not something that can be done overnight. Banks, however, have a secure solution in supplier relationship management. SRM can be the catalyst to successful third-party relationship management, ensuring that the risks are minimized to the best of a bank’s ability.

Thanks, Rebecca.

Project Assurance Specialist: What Do You Look For?

In our series on Project Assurance: A Methodology for Keeping Your Supply Management Project on Track that we just wrapped, we discussed Project Assurance — a specialized discipline and practice involving independent and objective oversight, specialized experience, and audit skill to assess risk, finance, accounting, compliance, safety, and performance for any major capital expenditure. It is designed to minimize the risk of project overruns and failure.

In today’s post we will discuss what makes a good Project Assurance Specialist. Not just anyone can perform such a task. What are the skills that such an individual must possess to be successful? What must define the core of her, or his, EQ?

We’ll start by referencing the intervention process pyramid defined by Prinzo in No Wishing Required. According to Prinzo, collaborative intervention requires you to:


  • Implement the Solution
    • Communicate the Findings
    • Negotiate the Solutions
  • Navigate the Organization
    • Identify the Decision Making Process
    • Conduct Mini-Briefings
  • Build the Foundation
    • Behaviours
    • Trust & Credibility

Each step of the process requires a base set of skills, some of which Prinzo did a great job explaining in his book. In this post, we will discuss those core skills along with the secondary skills that are needed for assurance success.

The core skills required to build the foundation, as defined by Prinzo, are:

  • receptivity
    the assurance specialist needs to listen carefully to understand the situation
  • comprehension
    the assurance specialist needs to take the time to properly understand the situation
  • compromise
    the assurance specialist needs to find the middle ground that all parties will (reluctantly) accept
  • humility
    sometimes the assurance specialist needs to make the solution appear to be the idea of one or more stakeholders even if all of the credit is due to the specialist — sometimes harmony is key
  • objectivity
    the assurance specialist cannot take sides and cannot be blind to the truth
  • diplomacy
    even when some stakeholders should be slapped upside the head or strangled for pig-headed viewpoints that could put the entire project in jeopardy, the assurance specialist needs to be diplomatic
  • strategy
    not only does the assurance specialist need to navigate the explosive stakeholder minefield, but come up with solutions that will be acceptable and successful
  • analysis
    the assurance specialist needs to dig deep and sometimes read between the lines to determine where the issues are and what the solutions need to look like

But that’s just the foundation. In addition to these skills, the assurance specialist will also need the following skills to navigate the organization:

  • organizational knowledge
    without a good knowledge of the workings of the organization, it will be very hard for the assurance specialist to navigate it
  • team building
    even though it is the job of the assurance specialist to find the issues all others miss, it will often take a cross-functional team to implement their mitigations
  • communication
    the mini-briefings will have to be very effective in order for the resolution sessions to go well

Finally, the assurance specialist will also need the following skills to implement the solution:

  • negotiation
    diplomacy and compromise are a good start, but sometimes the assurance specialist will require the use of persuasion to get all parties in sync
  • leadership
    while it will often require a cross functional team to implement the mitigation, that team will still need the guidance of a leader and that role falls to the assurance specialist

In other words, it takes someone with a skill set that goes beyond basic project management skills to be a project assurance specialist.

Project Assurance: A Methodology for Keeping Your Supply Management Project on Track Part V

In Part IV, we continued our discussion of Project Assurance, asked how a Project Assurance Specialist insures true project success, and asked why only an outside Project Assurance Specialist (PAS) can insure this success. We noted that the PAS uses collaborative intervention to insure success, overviewed the three phases of a collaborative intervention, and stated that it could only be done by an outside PAS.

Today we will discuss why the Project Assurance Specialist has to be an outside expert, and we will do so by reviewing ten primary reasons why projects fail, as found in many articles and books on project failure, and why it takes an outside PAS to prevent this failure.

Consider these ten common reasons projects fail.

  • Lack of top management commitment
    Stakeholders inside the organization often don’t understand the level of commitment required and often have a skewed perception of how committed an individual in the organization really is to the project. An outside expert comes in with a clean slate and an uninfluenced view.
  • Unrealistic expectations
    An outside expert has a clearer picture of what is and is not reasonable as that expert has a broader view of the market, solution providers, and off-the-shelf solutions.
  • Poor requirements definition
    Since it will be the first acquisition of a Supply Management solution for many organizations, many organizations have no idea what constitutes a good requirements definition. An outside expert, on the other hand, will not only know what does, but what absolutely has to be addressed for project success.
  • Improper Package Selection
    The selection needs to address the real needs of the organization, and not the perceived needs, and the provider needs to be one that can grow with the organization.
  • Gaps between Software and Business Requirements
    If you don’t really understand what software is needed to effectively satisfy a business requirement, it is almost impossible to avoid gaps — especially when you don’t really speak the language of Supply Management solution providers. An outside expert, who does speak the language, can help insure that there are no gaps.
  • Inadequate Resources
    Since most organizations have never implemented the system that they need, they have no real understanding of what resources are really needed. An outside expert will have this understanding.
  • Underestimating Time and Cost
    It’s a good rule of thumb that software-based solution projects always take longer and cost more than you expect, even with a best effort. But how much longer and how much more? Only an outside expert with experience in the type of project you are going for can guarantee that your estimate will be in the ballpark.
  • Poor Project Management / Lack of Methodology
    The truth is that you can’t manage what you don’t understand, and whatever you miss in strategy, planning, and design will come back to bite you in the @ss before the project is over — unless, of course, you have a methodology that insures nothing crucial is overlooked and all issues are identified and mitigated away (or at least managed) as they arise. Only a Project Assurance Specialist can identify all these key points that your internal team will miss.
  • Underestimating Impact of Change
    It’s hard to assess the impact of something you’ve never done — and with solution providers constantly whispering calming assurances into your ears, it’s easy to underestimate the impact (especially if you have a team that is averse to change). An outside expert can not only peg where you are in terms of process and technology maturity, but where you are in your ability to manage change.
  • Lack of Training / Education
    How many times have you heard “it’s so easy to use, it teaches itself” or something similar from a solution provider? While this may be typically true for the technically inclined, it will not be true for those who are not technical by nature. Nor will it be true for the advanced functionality or tasks that are not performed daily. Training and education will be required, and an expert will be needed to advise you on how much you will truly need.

There are other reasons, and some are clearly explained in Prinzo’s No Wishing Required, but these should be enough to convince you that assurance is often critical to project success, especially if the project is complex or it is the first time your organization is undertaking such a project. You have to remember that your PMO (Project Management Office) has expertise in project management, not project evaluation, and, being internal to your organization, can’t really bring the true objectivity an external expert can.

That’s why you need an Assurance Specialist to check up on you at key points. Chances are, if your PMO is on its game, the project will be going rather well when the specialist checks in at each stage, but chances also are there will be little things missed here and there which, if not managed, could morph into big ugly monsters down the road.

Project Assurance is like insurance for your project. A small premium that offsets a big loss down the road. You might be one of the organizations that don’t need it, but considering it typically costs so little compared to the overall project (management) cost, can you really afford not to buy what works out to rather cheap insurance? the doctor doesn’t think so, and believes you shouldn’t either.

Project Assurance: A Methodology for Keeping Your Supply Management Project on Track Part IV

In Part II we related Project Assurance — a comprehensive, proactive, and preventative methodology that goes beyond IV&V to address strategic project issues in a proactive manner so that potential issues are identified and mitigated before they become problems — to your Supply Management Solution Acquisition project and stated that you needed an outside Project Assurance specialist in order to achieve true project success.

So how does the Project Assurance Specialist insure true project success and why can it only be done by an outside Project Assurance Specialist? We will address these issues in this post.

How does the Project Assurance Specialist (PAS) do it? As made clear in Rob Prinzo’s No Wishing Required, the PAS uses collaborative intervention when conducting the health assessments at each of the six critical project points.

Collaborative Intervention is a process used by an Assurance Specialist that attempts to avert disaster by identifying the warning signs that problems are on the way and that the project could be in jeopardy if they are not addressed and the problems not mitigated. A collaborative intervention consists of three primary phases:

  • When Are We?

    Where is the project in the project’s lifecycle, what types of issues are likely to arise at this time, and what should the Assurance Specialist keep an especially watchful eye out for?

  • What Has (Not) Been Accomplished?

    An objective top-to-bottom evaluation — focussed on what to look for in an effort to insure project expectations are aligned, resources and scope are appropriate, and the probability of success is high — is conducted and attempts to identify:

    • what are the real issues
    • what are timeframes that are realistic
    • what can be done to align the work streams
    • what the indicators don’t tell us
    • what expectations are (still) realistic
  • How Can We Address the Issues That Have Been Identified?

    The findings of the assessment are presented to a cross-functional collaborative intervention team and the PAS works with the team to identify the root causes of potential issues, mitigations to deal with the root causes of the potential issues, and the implementation plans to implement those mitigations.

Why can this only be done by an outside Project Assurance Specialist? Return for Part V.