2013 GRC Value Award: 3rd Party GRC
GRC 20/20 Research awarded Hiperos 3PM its 2013 GRC Value Award in the Third-Party GRC category for its implementation at a regional bank holding company. The client's identity is kept anonymous in this publication, but GRC 20/20 has verified the factual accuracy with the bank. After implementing the Hiperos 3PM solution, the bank was able to triple the number of its third-party investigations without any increase in headcount. The number of days needed to assess the inherent risk of a third party also dropped dramatically — from 7.55 in 2011 to 5.22 in 2012 to 3.95 in 2013. Hiperos continues to deliver efficiencies.
The bank is a large U.S. bank holding company in the S&P 500. It has 11,000+ employees, and its Vendor Management Team manages some 20,000 third parties. Following a regulatory examination, the bank was told that while its processes for third-party assessment and third-party risk assessment were sufficient, it needed to apply them to a greater number of third parties to ensure the business could adequately demonstrate knowledge of vendor risk and apply those processes consistently to managed vendors. The bank had a choice: add headcount or look at technology. Hiperos was selected and contracts were signed at the end of 2013. Hiperos 3PM was implemented in 87 days.
The bank is highly focused on ensuring that it addresses its regulatory obligations in the most cost-effective and efficient manner possible. As a result of implementing Hiperos, the bank has been able to triple the number of assessments it completes on third parties with the same number of people. Following the implementation of Hiperos, the bank reformulated all of its risk models at the CEO's request. All of the third-party risk models were redone internally, with no need for IT help or additional consulting from Hiperos.
Going from their largely spreadsheet-based approach, the bank saw similar savings across several different processes, including:
- AML assessment — the average number of days to complete an assessment went from 41.52 in 2011 to 6.86 in 2012, an 83.47 percent decrease in the number of days. For the same period, the bank reported a 34.55 percent increase in volume.
- Business continuity assessment — the average number of days to complete an assessment went from 23.45 in 2011 to 12.65 in 2012, a 46.05 percent decrease in the number of days. For the same period, the bank reported a 15.64 percent increase in volume.
- Compliance assessment — the average number of days to complete an assessment went from 66.78 in 2011 to 23.3 in 2012, a 65.01 percent decrease in the number of days. For the same period, the bank reported a 58.44 percent increase in volume.
- Information security — the average number of days to complete an assessment went from 37.12 in 2011 to 16.93 in 2012, a 54.39 percent decrease in the number of days. For the same period, the bank reported a 20.88 percent increase in volume.
The bank was also able to complete 5,392 assessments in 2012 compared to 2,879 in 2011, with the same number of staff.
Five-year expectations and beyond
During the next five years, the bank expects to have the ability to adapt quickly to a changing business environment (growth in the bank and in the number of third parties) as well as a changing regulatory environment (changes in regulation and different expectations from examiners). The bank recognizes that one of the advantages of Hiperos 3PM is the ability to make changes to programs quickly and easily rather than requiring IT to make changes for them. It also expects to expand the scope and value of the currently implemented solution to include initial on-boarding of vendors, ongoing due diligence, and managing the implications of exiting third-party relationships. It plans to expand scope to include nontraditional vendor relationships and to improve its understanding of, and intelligence around, the data created by the program. The bank expects to make use of the analytics capabilities of 3PM, which will allow it to do business modeling, run what-if scenarios, and gain a clearer picture of trends.
Since implementation, the bank has seen great agility in its process: in its ability to respond to changes in the business environment (when the bank buys another bank or entity), in its ability to quickly add new third parties to a relationship, and in the ease of changing information about an existing third party. It has also vastly improved its ability to respond to changes from the regulator — to manage the potential customer-impact risk of a third party, and to meet the requirements of the CFPB.
The bank, the business environment, regulations and regulators — as well as third parties — are constantly changing. This approach allowed the bank to adapt to changes quickly and efficiently, ensuring continued optimal, risk-based and appropriate management of third parties.
To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients