Best Practices in Vendor Oversight

Author: NICSA

Attendees of NICSA’s General Membership Meeting examined the intricacies of vendor management programs during a breakout session Thursday, Oct. 5.

The panel was led by Nick D’Angelo, Director at PwC, who defined vendor oversight as “understanding and managing the risks associated with vendors and other third parties who the company does business with and/or shares data.”

Tom McLain, Chief Information Officer, Old Mutual Asset Management, said that while it’s still important to manage traditional service providers (technology vendors, operational asset servicing partners, etc.) other business alliances such as those with PR firms and legal advisers should also be considered. “The scope of business has significantly expanded,” he said.

John Meiers, Senior Procurement Manager, DST Systems, said his biggest fear is the unknown.

“There are some risks that we know and that we manage, and even though we have a pretty robust program, we’re still surprised by what we don’t know,” he said. “We put a heavy emphasis on an annual basis on really getting to the bottom of where those risks are lurking—risks that we aren’t thinking about; risks that maybe weren’t there six or eight months ago.”

For example, Meiers mentioned supplier relationships that may have evolved over the last year. “It’s not anything malicious, it’s just that the business is complex and it’s changing, and our job is to keep track of that.”

Peter Kanowsky, who has managed vendor relationships for 25 years (most recently as Vice President of Risk within Fidelity Investments’ Clearing and Custody operation), pointed to three major challenges in today’s environment.

First, he said that determining whether a vendor is prepared is a battle. “As a vendor manager, one of the key challenges is to assess your vendors’ ability to defend themselves and act if they are threatened,” he said. “And this is a topic that doesn’t lend itself well to transparency, collaboration and knowledge sharing.”

Another challenge, he said, is “the internal risk that the vendor will have an incident that leads to data loss or the exposure of data in error, which of course is a major event. That’s a day-to-day challenge that you need to focus on.”

“Lastly, mother nature can be a formidable foe, as we’ve seen in the last few years,” Kanowsky said. “Assessing your vendor’s ability to handle a crisis …—we’re talking disaster recovery, business continuity, resiliency—all of that requires organizational alignment between your own firm and the vendor.”

Kanowsky follows a sequence of processes when managing vendor relationships:

  • First, “any conversation has to start with inventory,” he said. “Your goal is to have a comprehensive inventory of all the vendors being used. You need to be tight with the tollgates on the entry and exit.”
  • He then pointed to the importance of executive alignment, a strong centralized governance, a broad-based communications strategy and, ideally, the requirement for associates to attest to any vendors being used.
  • Next, he said to assess the risk profile of the portfolio by identifying key risk drivers. “Capturing this data takes a lot of resources,” he said.

McLain said that cybersecurity concerns are a game-changer. “Trying to separate what the real risks are versus the perceived risks is important,” he said.

NICSA: 8400 Westpark Drive, 2nd Floor McLean, VA 22102 • Tel: 508.485.1500 • Fax: 508.485.1560