BofI Federal Bank Vendor Risk Management Within Archer
In the attached presentation: Vendor Risk Management: Assessing and Onboarding Vendors Efficiently and Effectively in a Highly Regulated Environment, you will see how BofI Federal Bank took a manual process that was essentially a "black box" and prone to errors, delays, and frustration for all involved into an automated, transparent, logical process that has been well received by our business units and subject matter experts alike.
Slide 3 indicates our pain points (bottlenecked process, lack of transparency in the process/status, and no single source of truth of what vendors we currently use and for what purpose). Slide 4 indicates our goals for the new process (efficiencies of automation, transparency (including next steps), and all vendor information located in 1 location).
Slide 5 is our new process. The important thing to note is that this flow all depends on what kind of tier (risk) your vendor/product or service is. We calculate the tier based on triage questions the business units must complete. This flow includes all subject matter experts but low-risk/non-material engagements may only include 1 or 2 subject matter experts (or none!).
Slide 6 is what our home page for business units looks like. Here they can search for existing vendors, products or services (using the Engagements Type app), existing engagements, or existing applications. Our #1 goal is to have the business units not have to go through the Vendor Management process, but instead to utilize what we've already purchased. If after searching they still need to go through the process we require them to submit a user service request (a ticket essentially) to have the Vendor team create a vendor profile (this keeps the data normalized so we don't have multiple records of the same company: RSA Archer, RSA Archer LLC, Archer, etc.). The Vendor "trusts but verifies" that the business has done a search and if the desired vendor or product or service really doesn't exist then they add them to Archer and then informs the business unit accordingly.
Once the vendor is created the business unit creates the Engagement (though they can't edit the record they can create the Engagement from view mode). Once in the Engagement, they must fill out a few required fields (Engagement Name, Description, and then must name those who will be able to Read and Update the Engagement. By Data Driven Events (DDEs) we hide all fields until the required fields are populated and applied. Then we add in the Triage questions (see slides 7 and 8), which are dynamic based on DDE logic that hide/show certain questions depending on the Product or Service. For example, if the Product or Service is Recruiter, the Bank has its own Recruiter contracts and so there is nothing else to do in the process once the contract is uploaded and the triage submitted. However, if the Product or Service is a Managed Security Service Provider the business will have to answer all of the Triage questions and then all SMEs will be required to review the due diligence (whereas there is no due diligence to collect for the Recruiter aside from W-9 and an OFAC check).
Once the triage is submitted we then send out 1 of 2 SIGs directly to the vendor (we used to have the business work with the vendor to collect the information): We have a business SIG for non-tech products/services and SIG7Lite for tech products/services.
Once the vendor submits the SIG, then the SMEs are flagged to go and review the due diligence provided by the vendor (slide 9). In order to get around the requirement of only allowing 1 user to edit a record at a time, we've set-up questionnaires for each SME to be able to complete their narrative and then the fields from the questionnaire are calculated back into the Engagement.
Once the SMEs are complete with their review, Legal makes sure the Bank is protected and works directly with the vendor on the terms and conditions of the contract (slide 10). Once Legal is complete it goes to Vendor Management Review (slide 11) and then Final Approval (slide 12) where we have the vendor owner acknowledge all of the SME narratives, perform their own risk assessment, and then approve the Engagement.
After the contract/master service agreement is executed, VM then adds the executed version into the Contracts/MSA application.
Attachments
Please sign in to leave a comment.
Comments
0 comments