September 16, 2016 at 9:00 pm #292174, SIG Administrator (Keymaster)
With regulator expectations of handling intra-group engagements the same as any other outsourcing engagement, how is your company dealing with this in terms of risk management, contracting, and monitoring and oversight? An intra-group arrangement is when one entity of the financial institution is performing services for another entity within the financial institution (e.g. IT, HR, etc.).

September 20, 2016 at 1:57 pm #293361, Anonymous (Guest)
Based on my experience at a bank, what is expected is to have an inter-entity agreement in place that outlines SLAs, roles and responsibilities, right to audit, etc., similar to any other outsourcing arrangement that a company would have. Regular business reviews are also expected (as if it were a third-party vendor providing the services). The risk management piece is a bit tricky, as you are risk-assessing an entity of the company that you are both part of (kind of like doing a background check on a family member – it can feel a bit awkward, as you both may be relying on similar infrastructure, etc., but it is what the regulators are expecting). Suggestions are to review any internal/external audits performed relevant to the services being provided, or the SSAE 16, and to ask the entity providing services what plans are in place to address any ineffective controls.

September 20, 2016 at 1:58 pm #293362, Anonymous (Guest)
The short answer is yes. Regulators expect the same level of due diligence when managing intra-group engagements as for outsourcing engagements. Intra-groups still have the same responsibility for risk management and for documenting what they do as part of the risk management process. For instance, if a finance team internal to that company is in charge of financial risk for all vendors and suppliers (and sometimes locations), then they would have to document how they manage the day-to-day and month-to-month risk assessments and share how they do it with the regulators. If a Vendor Management group is audited, they are required to show how, by whom and when the risk assessments were done, and how often. This is also similar to how risk management firms address external suppliers for ongoing risk mitigation. There are methodologies and frameworks that exist to help with oversight: security platforms (BitSight, Prevalent, Security Scorecard), and, for general risk management and ongoing monitoring of items like financials, governance, infrastructure, people risk, etc., firms like Neo Group's Supply Wisdom.
William Sellers, [email protected]

September 20, 2016 at 1:59 pm #293364, Anonymous (Guest)
We are familiar with Clean Harbors and ACT Environmental. No major execution issues, but Clean Harbors can be difficult to come to an agreement with.