« Vendor Management (the series) Part 1 | Main | Director Cordray sends warning to vendors on TRID rule compliance »
Thursday
Mar022017

FDIC OIG Report says FIs Lack Contracting Skills

The FDIC Office of Inspector General released a report on February 15, highly critical of Financial Institutions (FIs) lack "...of risk assessments or contract due diligence." The report stated in the OIGs review of Technology Service Provider (TSP) contracts with FIs, the contracts did not include critical contract provisions "to manage its own business continuity planning and incident response and reporting operations." Additionally the report cites the contracts did not sufficiently define key terms related to BCP and incident response. As a result most contracts with FIs and TSPs lack assurances the TSP "could recover and resume critical systems" and further lacked obligations of the TSP to "take appropriate steps to contain and control incidents."

The FDIC OIG Report, is a finding on the symptoms to a bigger problem.

From my perspective this is much to blame on the lack of training IT staff are given regarding contracting and risk management. Basic negotiation skills are not why we hired IT staff. Of course, the executive teams place an inordinate amount of pressure on IT staff to get it going "now!" Of course, both IT and executive management punt the contract to Legal. The Legal department, while being experts on the law, are relying on the IT department to be experts in the product/service they are buying; and Legal needs the executive team to approve the spend.

The problem? NO ONE wants to look at the problem for all three perspectives at once (albeit it is difficult to find someone with Technology, Finance and Negotiation skills).  So most FIs, under pressure from the regulators, throw "consultants" at the problem.  The problem with that tactic... the majority of consultants lack any real practical experience in all three areas (book smart vs. street smart).  If you've recently hired a consultant to help here, I imagine you have a lot of new policy and procedures to process. Do you feel like you are any better off? Or is the account a few $100k lighter.  

Over the last 20 years of my career I have fought this battle internally and externally. It's not easy. Building a good program to manage Vendor Risk and establish a full Vendor Management Program (Sourcing, Risk, Contract and Relationship) should be built into your corporate strategy (regardless of industry). Simply, as you increase your reliance on third party services, you need to increase your capabilities to properly manage those third party services.

Again, the FDIC OIG Report, is a finding on the symptoms to a bigger problem.

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Post:
 
Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>