You Can Outsource, But You Cannot Hide

/in , , /by

Companies may outsource an activity, but cannot outsource accountability.

In today’s economic environment, almost every aspect of a company’s operations can be outsourced efficiently. As a result companies interact with vendors on a daily basis, opening themself up to additional risk. Vendor Risk is a type of Operational Risk associated with the potential risk that may occur from relying upon outside parties to perform services or activities on an organization’s behalf. When a company outsources a need to a vendor, it is still the responsibility of the company to ensure that the vendor operates in compliance with established policies, procedures and regulator expectations.

For financial institutions in particular, this has been a clear message from all banking regulatory agencies to their members. Regulatory agencies have identified instances in which financial service institutions have:

  • Failed to properly assess and understand the risks and the direct and indirect costs involved in vendor relationships.
  • Failed to perform adequate due diligence and ongoing monitoring of vendor relationships.
  • Entered into contracts without assessing the adequacy of a vendor’s risk management practices.
  • Entered into contracts that incentivize a vendor to take risks that are detrimental to the financial institution or its customers, in order to maximize the vendor’s revenues.
  • Engaged in informal vendor relationship without contracts in place.

All companies, and especially financial services institutions, must establish an effective vendor management program to protect their business, clients and employees. Having an effective vendor management program enables institutions to control costs, drive service excellence, mitigate risks, and gain increased value over the life cycle of the vendor relationships. Selection, contract structuring and ongoing monitoring of third party service providers are the consistent theme from the regulatory agencies and other risk experts.

An independent certified public accountant has examined Strunk’s operations and found them to be in compliance with the AICPA’s Trust Service Principles. It was determined that Strunk meets the Security, Availability, Processing Integrity, Confidentiality, and Privacy criteria for SOC 2 established by the AICPA.