Chris Rachlin, Former Global Head of Operational Risk Management Services at HSBC plc, shares his professional experience in vendor and third party risk management.
Chris, can you please tell the Center for Financial Professionals’ readers about yourself and your professional experience?
I am a Chartered Accountant who focused primarily on information security, systems and technology risks in banks and I have been a specialist in Operational Risk for the past 18 years. With the increase in outsourcing and joint ventures among banks, my focus over the last 10 years increasingly has been on third party risks both as a risk manager and as a non-executive for some of the banks’ key suppliers. About two years ago I started to help HSBC enhance their framework for managing third party risks.
We are looking forward to you presenting at our Vendor & Third Party Risk Europe Summit where you will be joining a panel discussion on cyber security. What cyber security risk exposures are financial institutions gradually facing?
I am not sure there is anything gradual about this. The cyber security threat is there today and has been for some time. The key challenge is that, as so much of banks’ activities are now online, no one can afford to be without their systems – there’s no practical alternative. This means they always need to be ahead of the ‘bad guys’. I would say the key threats are theft, fraud and denial of service. The first two have always been present even before the internet, but denial of service didn’t really exist before as there was always a branch up the road if a customer couldn’t access the one it wanted.
What has been changing over time is the sophistication and mode of operation of each of these threats and consequently the level of sophistication needed to counter each.
What would you say the key challenges are for banks attempting to implement a threat and cyber culture?
The challenges Banks face include the level of expectation of both their customers and the regulators. You cannot be offline for hours let alone days while you try to fix an issue. Your customers will walk and your regulators will fine you. You need to have sophisticated controls up front and a rehearsed, well managed crisis capability for when things do go wrong.
Another challenge is financing the investment needed. Sophisticated controls cost money and there is a huge range of competing projects for investment in any bank. It is important that the board prioritise cyber control improvements. Also, most banks have a huge amount of legacy technology that is either too risky or too expensive to replace. As a result they need to wrap the new controls around this old technology, which can be expensive. Finally, the ‘bad guys’ have a huge pool of funding from criminal gangs to create ever more complex ways of defrauding the banks. It is likely that their investment fund will be greater than the money available in many individual banks to make control improvements. As a result banks may need to work together more to pool investment.
You will also be discussing the alignment of third party and vendor risk management with the operational risk agenda. What current Basel framework proposals should banks consider?
One of my key points is that there needs to be alignment across the risk types. Many organisations have gone off and implemented different risk methodologies for vendor or third party risk compared to operational risk. This makes it difficult for senior management and the board to get a holistic or comparative risk picture. The use of third parties by banks can be very beneficial for them and their customers, but it is very difficult to make good risk-based decisions if the organisation is continuously over- or underestimating the level of risk in their third parties when trying to compare it to, say, their overall cyber risk.
How do you see the role of a Vendor Risk Professional changing over the next 6-12 months?
I see there being an increasing use of risk data sharing. Organisations are spending far too much time reassessing risks another organisation has already assessed. That is not efficient for the customers or industry.