Managing Regulatory Changes – Thankless Job or Hidden Gem
Organizations have seen a steady increase in the use of third-party service providers. Not knowing if the risks associated with third-parties are being managed properly intensifies risk management challenges and keeps board members awake at night. These risks demand steadfast supervisory focus as well as effective programs to manage each organization’s Third-Party Risk. The OCC’s recent Semiannual Risk Perspective publication highlights the urgency to address these risks.
Topics: Risk Management
Let’s set the table. If you’re a vendor who regularly responds to Requests for Proposals or information (RFPs / RFIs) as part of your prospecting or sales process, we don’t have to tell you they’re a proverbial pain in the tush – pages and pages of company data is required upfront just to be in the running. The work is time (as in weekend) consuming and tedious. In fact, if you want to clear a room quickly, just casually remark “We’re responding to an RFP….” and watch sales people, relationship managers, and IT staff scatter. You won’t even hear crickets chirping in the background… they ran too. The truth is it can be soul-crushing work to assemble solid responses for every last question, insight, use case, heading and subheading. Yet, for many businesses, RFPs represent some of the most enduring and lucrative business partnership opportunities. The potential value of every response is significant, so the struggle continues.
Weighing in at $18.5 million, Target has agreed to pay the largest-ever fine for a third-party data breach. When you consider the scope of the compromise – nearly 70 million customers and/or accounts affected and an estimated total loss of $202 million by Target, the fine almost pales by comparison. How did the thieves access Target’s data? Through an unlikely third-party vendor, specifically an HVAC contractor. More important lessons to learn from Target’s unfortunate risk debacle are in the details, specifically the breakdowns and negligence of their own risk management processes. While you might not see immediate parallels between a retail behemoth like Target and your credit union, the fact is that all third-party vendors put every organization at some degree of risk, making a functional and up to date vendor risk management program an important part of a mature approach to overall enterprise risk management.
Topics: Credit Unions
There is a data war being waged in many healthcare organizations – spreadsheets vs. overall data security and integrity. In fact, in our experience, the number one risk to data protection and management is the common spreadsheet. Excel has been around since 1985, and, while a long-proven data workhorse, carries with it a multitude of security risks. In fact, according to the Identity Theft Resource Center, 2016 data breaches overall increased 40%, and the Healthcare sector accounted for about 35% of those breaches which were largely driven by hacking or similar practices (over 50% and climbing sharply).
What you don’t know can hurt you. With the constant pressure of streamlining and creating cost-effective operations, outsourcing of core processing and data management to domestic third-parties by the banking and insurance industries has been common practice for many years. Although this practice is common and in most cases quite necessary, it is still important for an organization to ask the question of where their customer’s data will be stored when leveraging a third party.
You’ve been diligent about developing the needed policies and procedures to ensure HIPAA compliance within your organization. It’s been challenging, but your internal audits have been positive, and you are confident your internal processes are up to standard. Are you as confident about your vendors and their HIPAA compliance? If your vendors aren’t compliant, who pays the price? You do. As the outsourcing organization, you are responsible for the HIPAA practices of all vendors who have access to, work with, or store your sensitive PHI. Beyond the vendors who physically touch your data, such as IT providers, data centers, and document shredders, HIPAA compliance requirements could extend to other vendors who may have access to your contacts database, or even the data center where your IT provider backs up their own data (see: How Many Degrees of Separation Are There Between You and Your Data?)
If your bank or credit union outsources any of your functions to a third party, you are not only responsible for effective vendor risk management but for reporting the results of third party risk assessment to your leadership and board of directors. The Office of the Comptroller of the Currency (OCC) makes it clear – a credit union or bank with vendors “should adopt risk management practices commensurate with the level of risk and complexity of its third-party relationships.” Easy for them to say. If you’re that risk or compliance officer tasked with vendor risk management oversight and reporting, “commensurate” is a loaded term. How do you rate risk? How do you clearly lay out your program in a clear, understandable format? How can you be sure all your risk bases are covered? No one wants to stand in front of senior management or their board of directors mumbling through a disjointed array of reporting or information. Whether you are flush with risk management data or aren’t sure where to start, your third-party risk management framework and reporting could spell the difference between a clear, supported program, and one that looks like an urgent SOS for intervention. We have some tips to make sure your reporting of third-party risk management to leadership is clear, effective, and on point.
Being the master of all you survey is not enough in today’s business climate. Do you know the true risks which lie well below the apparent surface of your operations? Consider third parties – if you’re like most companies, you are increasingly dependent on third party entities to manage any number of a variety of critical functions, including IT, line of business applications, etc. You understand third parties create a much more complicated operational and risk picture, but what about fourth and even fifth parties?
Topics: Risk Management
An Insider’s Guide to Boston – where to stay, what to do, and how to prepare for the customer summit.
Summer may be in full swing, but we’re looking forward to a beautiful New England fall and the upcoming 2017 ProcessUnity Customer Summit in Boston October 24 and 25th. Now is the time, before the whirlwind of travel and a busy summit schedule, to plan to take some time to enjoy historical and lively Boston. We believe life should be a healthy balance between work and leisure and in that spirit, we offer you some insider Boston intel along with some of our time-tested strategies guaranteed to maximize your valuable time and energy.
Topics: Events & Conferences