You’ve been diligent about developing the policies and procedures needed to ensure HIPAA compliance within your organization. It’s been challenging, but your internal audits have been positive, and you are confident your internal processes are up to standard. Are you as confident about your vendors and their HIPAA compliance? If your vendors aren’t compliant, who pays the price? You do. As the outsourcing organization, you are responsible for the HIPAA practices of all vendors who have access to, work with, or store your sensitive PHI. Beyond the vendors who physically touch your data, such as IT providers, data centers, and document shredders, HIPAA compliance requirements could extend to other vendors who may have access to your contacts database, or even to the data center where your IT provider backs up its own data (see: How Many Degrees of Separation Are There Between You and Your Data?).
If your bank or credit union outsources any of its functions to a third party, you are responsible not only for effective vendor risk management but also for reporting the results of third-party risk assessments to your leadership and board of directors. The Office of the Comptroller of the Currency (OCC) makes it clear: a credit union or bank with vendors “should adopt risk management practices commensurate with the level of risk and complexity of its third-party relationships.” Easy for them to say. If you’re the risk or compliance officer tasked with vendor risk management oversight and reporting, “commensurate” is a loaded term. How do you rate risk? How do you lay out your program in a clear, understandable format? How can you be sure all your risk bases are covered? No one wants to stand in front of senior management or the board of directors mumbling through a disjointed array of reports and information. Whether you are flush with risk management data or aren’t sure where to start, your third-party risk management framework and reporting could spell the difference between a clear, well-supported program and one that looks like an urgent SOS for intervention. We have some tips to make sure your reporting of third-party risk management to leadership is clear, effective, and on point.
Being the master of all you survey is not enough in today’s business climate. Do you know the true risks that lie well below the apparent surface of your operations? Consider third parties: if you’re like most companies, you are increasingly dependent on third-party entities to manage a variety of critical functions, including IT and line-of-business applications. You understand that third parties create a much more complicated operational and risk picture, but what about fourth and even fifth parties?
An Insider’s Guide to Boston – where to stay, what to do, and how to prepare for the customer summit.
Summer may be in full swing, but we’re looking forward to a beautiful New England fall and the upcoming 2017 ProcessUnity Customer Summit in Boston on October 24 and 25. Now is the time, before the whirlwind of travel and a busy summit schedule, to plan some time to enjoy historic and lively Boston. We believe life should be a healthy balance between work and leisure, and in that spirit we offer you some insider Boston intel along with some of our time-tested strategies guaranteed to maximize your valuable time and energy.
If you are a credit union, we don’t have to tell you about the burden of governance, risk and regulatory compliance (GRC). The recent Regulatory Burden Financial Impact Study from the Credit Union National Association (CUNA) and Cornerstone Advisors confirms it. In 2014, GRC for credit unions cost a whopping $7.2 billion, including $6.1 billion in actual costs and $1.1 billion in lost revenue. For member-centered institutions, everyone loses through increased costs and reduced benefits. In fact, CUNA reports that since 2008 credit unions have endured more than 190 separate regulatory changes from nearly three dozen government agencies. Is it any wonder that compliance costs currently make up almost 20% of total operating expenses and a full 40% of staff expenses? The result, according to the CUNA article, is a shrinking credit union pool, with numbers down 40% in the past 10 years due to factors such as mergers and reduced applications.
RSA Archer® ends support for all 5.X versions in just over seven months. If you are a bank or credit union upgrading from RSA Archer® 5.X to RSA Archer® 6, there are a few key considerations you may not even be aware of that can spell the difference between a successful migration with seamless operation and a risk management program that goes off the rails. Amid today’s ever-increasing regulatory and risk management pressures on financial institutions, any downtime, loss of data, or gaps in your risk management program unnecessarily expose your institution to inefficiency and liability.
We’ve come back energized from spending time with our New England credit union community. Something unique to this area is its strong heritage of industry and entrepreneurship, which is still very evident today. We were impressed by the dozens of senior bank officers we spoke to, and we valued the opportunity to learn about their specific risk management challenges and gaps and to share our insights and expertise. This is why we love what we do.
We're looking forward to sponsoring and attending the 2017 Great New England Credit Union Show on April 27th. The event is just a week away, and most attendees have made their travel plans, stocked up on business cards, chosen the breakout sessions they'd like to attend, and made plans to meet up with colleagues. Meanwhile, exhibitors and sponsors are working on last-minute updates to their marketing materials and planning a strategy for connecting with prospective clients during and after the event. Whichever of these groups you belong to, you may be wondering whether this event is worth the time you'll be spending out of the office. After all, that to-do list will still be there when you return.
In order to help you maximize your time at GNECUS, we've updated the strategies that will ensure you get the most out of your experience and investment.
In risk management, sometimes you need to step back and evaluate the organizational landscape. You do this to understand what changes have taken place that either improved capability and capacity or diminished overall effectiveness. Engaging in this exercise provides a fresh perspective and the opportunity to understand where gaps exist, allowing you to prioritize activities going forward that remediate some of the observed shortfalls. So, why don’t more risk professionals do this? Well, we could make a long list of reasons, all of them legitimate, but probably quite cynical and unhelpful.