IT Audit in Practice: Interconnections and Vendors

Author: Cindy Baxter, CISA, ITIL Foundation
Date Published: 30 October 2021

Business success is inextricably defined by relationships. No matter what technology is used or what brilliant application has been launched, the connections between business owners, suppliers and clients reflect the strategy and how the business owner defines the relationships. Large organizations often have a governance framework established for vendor/supplier relationships that is integrated into their department structure. It typically includes procurement, legal and contracting, regulatory, and vendor management. Smaller organizations focus on their core competencies while building vendor relationships that complement what their business does. Interconnections take on both a technical and managerial tone, and the correct interconnections will strengthen the relationship, turning it into a trusted partnership. Whether an organization is large or small, interconnections are time-consuming and can be expensive to maintain. What does a business owner do to pick the right connections and invest in a fruitful relationship?

Small and Stable

There is a wonderful bakery in the neighborhood, always open early every day except Sunday. The bakery has a presence on Facebook but no website, and its Facebook page notes that it provides both wholesale and retail baked goods before it launches into a series of mouth-watering pictures of cookies, cakes and breads. The bakery is family owned and operated, its ingredient requirements have been consistent over the years, and its reliance on other businesses is minimal.

The bakery is a supplier to both the pizza place two doors down and to the delicatessen (deli) shop one block away. The distribution channel is easy to understand and track: The owner of the deli stops by the bakery one half hour before his deli opens to pick up rolls and bread, and the pizza shop owner does the same thing a few hours later for fresh bread and pizza dough. The personal connections are strong and trust is high, based on years of good quality and consistent supply. Customers can connect via Facebook, but it is word of mouth and passersby that fuel the business. Trust between the bakery and customers is immediate. The pastries are amazing and the price is always right.

Smaller than the major banks, the local credit union offers mortgages to members in a small geography and has a very different model of interconnectedness from the local bakery. The local feel is the key strategy for gaining customers, and loyalty is earned because a sense of family and friendship makes the credit union easy to work with and easy to trust. Technology reinforces that feeling rather than replacing it: members get a loan from a local, friendly place they trust, plus the convenience of online banking and mortgage payment through a user-friendly customer portal. The credit union, however, is built on technology and regulated as a financial institution. Even though it is managed on a small scale, its interconnections are complex.

Both the bakery and the credit union can benefit from an examination of their vendor connections, even if the outcome is to keep business as it is, and especially to ward off the impact of a major change. In the case of the credit union, a major change did occur when it decided to expand its marketing area by merging with another small credit union. Suddenly, interconnections became much more complex in areas it did not expect. This is where the IS risk assessment and audit professional can help, by bringing the advantages of governance and technology to the business.

Risk, Vendors and Building a Governance Framework With Interconnectedness

Where to connect with vendors? Choosing the best management approach or the right technology for connectedness must rely upon what matters most. Gathering the procedures and policies that govern the relationship and understanding vendor criticality through risk assessment is a must. Vendor criticality can be assessed with the business process owners by examining the traditional risk factors: impact on business reputation, impact on financials and impact on clients. Depending on the industry and the roles played by vendors, regulatory impact should also be part of the review. These four categories of inherent risk are partly mitigated by the service-level agreements (SLAs) in the vendor contract, so criticality should be determined on the residual risk that remains once the SLAs are taken into account. Why consider SLAs first? Contract performance against the SLAs can then be monitored as its own activity, and the remaining risk areas, which are still priorities, can be examined without duplicating the work the contract already governs. Key controls can be established for those remaining areas, and they then become the interconnection points for ongoing monitoring, whether systems/apps-based or managerial.

The risk identification and assessment between business and vendor is a good place to start the research on where and how to interconnect. Flow charting the processes between the vendor and the business can identify activities that are shared responsibilities or interconnection points between the vendor and the business. The degree of criticality can be determined during the walk-through with the process owner. Consider the following fictionalized scenario of a credit union.

Matt was called into the credit union director’s office regarding a special risk assessment project. A large number of mortgage customer complaints were reaching management, a new issue since the merger with GetALoanNow Credit Union (GLNCU). The transition and systems go-live had gone smoothly a year or so earlier, but now there were concerns about customers falling behind on the homeowner insurance renewals required by their mortgages. Shortly after the alarming trend was noticed, customer complaints spiked regarding “harassment” over insurance requirements. The issue touched multiple risk scenarios: suspension of homeowner insurance by carriers, which carried a regulatory impact; a growing financial impact as the credit union triggered replacement policies under its own cover to avoid the regulatory risk of uninsured mortgages; and now a potential client impact as more and more customers threatened to refinance their mortgages through other institutions. An investigation was needed, and quickly.

Upon hearing the details from the director, Matt decided the best approach was to team with internal audit in case there were regulatory implications. He reviewed the complaints and talked with the mortgage division to determine the processes to be reviewed and audited. He found two separate departments and one vendor were involved in processing mortgage insurance renewal verifications. He further noted that the merger did not consolidate systems, but instead allowed both merging credit unions to retain their own systems and processes for insurance renewal evaluation. He created two flow charts to represent the processes (figures 1 and 2).

Matt went to speak with several process owners to verify his flows and to better understand the data behind the low insurance renewal rate and the customer complaints. He had already noticed the loans on the GLNCU side had a much higher noncompliance rate and a higher volume of customer complaints. A review of historical records showed GLNCU had high noncompliance on initial insurance renewals but satisfactory results on second attempt renewals and a history of low customer complaints.

The Very Careful Credit Union (VCCU) showed data within expectations for compliance on insurance renewal and a low volume of customer complaints based on historical data for five years prior to the merger. Matt spoke with the mortgage departments handling VCCU renewals and then spoke with mortgage departments handling GLNCU renewals. Both groups confirmed their processes and confirmed that business was proceeding as usual. Matt’s diagrams highlighted the difference between the two departments, which was only the use of a vendor by GLNCU. VCCU did not use a vendor, yet both VCCU and GLNCU mortgage departments reported successful clearing of insurance renewal requirements using their individual processes and did not see any issues.

Assessing Risk

Vendors typically are considered a high risk to the business, because it is more difficult to have full knowledge of, and control over, actions undertaken by suppliers that may have different priorities and different operating models. The challenge with vendor risk assessment is determining which activities truly are risky to the business. A well-written vendor contract spells out controls under SLAs, and those are the best starting place for establishing interconnections to monitor vendor performance. Any major change in the relationship or in operations requires reassessment, but such a change may not trigger an update to the SLAs. As Matt discovered, both sets of credit union process owners were satisfied with their operations, and both felt their processes worked as well now as they had before the merger. Both credit unions had policies and procedures in place, and both had connections with customers supported by strong final results, although, as Matt’s research identified, the in-process metrics for GLNCU showed problems. GLNCU’s vendor relationship was for secure data warehousing of homeowner policy information. Both pre- and post-merger, its initial renewal rate was low while second attempts at collection were very successful; pre-merger, customer satisfaction was high. Laying out the process flows made visible what had changed, which actions were taken and by whom, and where a process needed additional control points with more informative metrics.

Identifying Gaps

In this scenario, Matt had created flows (figure 2) and verified them with process owners. He looked at existing interconnections to confirm data access between all responsible parties, whether on the vendor or business side. He found final results to be compliant but uncovered metrics showing poor performance for GLNCU. He also noted a negative change in client satisfaction that only showed up post-merger, after the one-year anniversary of the acquisition. It was time to delve into the customer complaints.

(a) Force-placed insurance, also known as creditor-placed or collateral protection insurance, is insurance placed on an account to protect the financial interests of the loan holder when the insurance policy holder does not renew required insurance on a timely basis.

It is common for organizations to shy away from having auditors speak with clients, but review of client satisfaction surveys and documented complaints is an adequate source for determining potential control gaps and missing connections between responsible parties. Process owners often focus on their day-to-day activities and final results as they relate to their own performance. Inefficiencies or issues in the middle of a process may go unnoticed, especially when a vendor is involved and connections are not in place for participants to notice that something is not going well.

It did not take Matt long to find the source of customer dissatisfaction and to uncover why the issue was not picked up earlier. His investigation uncovered some weaknesses:

  • The GLNCU mortgage department did not have on-demand access to insurance records. Instead, it received only notifications of policy acceptance or denial.
  • Prior to the merger, the GLNCU mortgage department compensated for the lack of access to policy information by calling customers and verbally reminding them to renew their policies. When the territory expanded as a result of the merger, this undocumented practice fell by the wayside.
  • GLNCU’s data warehouse vendor accepted insurance renewal notifications by three methods: by post, by email or by upload to its secure portal. The mortgage department was not aware of this and did not allow for the delivery lag of each method, so it triggered replacement (force-placed) coverage earlier in the renewal cycle than a customer would expect.
  • GLNCU’s collections process for initiating replacement coverage and adding the policy cost to the customer’s escrow did not recheck policy status first, because there was no shared connection between the mortgage department and the vendor or between the collections department and the vendor.
  • The complaints department did not have access to the customer complaint investigations, which were handled by the credit union’s Problem Investigation department team. The investigator had misread the complaints as a collections harassment problem rather than a process problem, and the collections department was given customer relations training.

Resolution and Summary

The last question was: Why did this only happen after the merger? That answer was also found in the customer complaints, which showed that customers who had dealt with VCCU loan officers before the merger were now going to loan officers at both credit unions. Most of the complaints came from VCCU customers, who were new to the GLNCU system; GLNCU customers were used to receiving a call and were not offended when it came from collections rather than from the mortgage department. VCCU customers were also accustomed to a more transparent system, with on-demand access to their insurance information. When VCCU customers spoke to their new GLNCU contacts, they were directed to the collections department because their accounts showed as in arrears on policy renewal. When customers insisted they had paid and provided details of their homeowners’ insurance renewal, the collections department had no connection through which to verify the policy. Worse, when customers were transferred to the mortgage department to resolve the conflict, the GLNCU mortgage team could not see the live status of the homeowners’ policy either, and instead suggested customers call the main credit union number for help. Resolution involved three steps:

  1. Mortgage customers were provided secure access to the data warehouse information on their renewal policies.
  2. All departments involved in the homeowners’ insurance renewal process review, which included the mortgage department that customers typically contacted for help and the collections department, were linked to the data warehouse vendor to access “live” records of policy status. Controls were established and monitoring check points put in place for reporting purposes.
  3. Processes were changed in both the GLNCU mortgage department, where replacement homeowners’ coverage was triggered for regulatory requirements, and in the GLNCU collections department, which interfaced with clients on past-due insurance. Before action was taken to either trigger a replacement policy or to make a collections call, a step was added to verify the data warehouse policy status.
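The verification step added in steps 2 and 3, and the delivery-lag problem noted earlier, can be expressed as a small pre-action control. The code below is an added illustration, not part of the original article or any credit union's system: before the mortgage department triggers force-placed coverage or the collections department places a call, it re-reads the live policy record from the vendor's data warehouse (an in-memory stand-in here), allows for the delivery lag of the renewal channel, and fails closed when the record is missing or the channel is unknown. It also computes the "initial renewal rate" metric that exposed the GLNCU problem. The channel lag figures, grace period, record layout and sample loans are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional

# Assumed delivery lag (calendar days) for each renewal-notification channel
# the vendor accepts; the article names the channels but gives no figures.
CHANNEL_LAG_DAYS: Dict[str, int] = {"post": 10, "email": 2, "portal": 0}

# Assumed grace period after expiry before force-placed coverage is triggered.
GRACE_DAYS = 30


@dataclass(frozen=True)
class PolicyRecord:
    """One homeowner's policy as held in the vendor's data warehouse (assumed layout)."""
    loan_id: str
    policy_expiry: date
    channel: str                              # channel the borrower sends renewals by
    renewal_received: Optional[date] = None   # date the vendor logged a renewal, if any


@dataclass(frozen=True)
class Decision:
    action: str    # "none" | "remind" | "force_place"
    reason: str


def decide(record: PolicyRecord, today: date) -> Decision:
    """Pre-action control: from the live record, decide what (if anything)
    the mortgage or collections department may do for this loan today."""
    if record.renewal_received is not None:
        # A renewal is on file: no call and no force-placement, regardless of
        # what an earlier acceptance/denial notification said.
        return Decision("none", f"renewal received {record.renewal_received.isoformat()}")
    if today <= record.policy_expiry:
        return Decision("none", "policy still in force")
    lag = CHANNEL_LAG_DAYS.get(record.channel)
    if lag is None:
        # Unknown channel: fail closed and route to a person rather than
        # force-placing on a record the process does not understand.
        return Decision("remind", f"unknown channel {record.channel!r}; verify manually")
    # Wait out the channel's delivery lag plus the grace period before escalating.
    escalate_after = record.policy_expiry + timedelta(days=lag + GRACE_DAYS)
    if today <= escalate_after:
        return Decision("remind", f"renewal may still be in transit via {record.channel}; "
                                  f"no force-placement before {escalate_after.isoformat()}")
    return Decision("force_place", f"no renewal {lag + GRACE_DAYS} days after expiry")


def run_control(warehouse: Dict[str, PolicyRecord], loan_ids: Iterable[str],
                today: date) -> Dict[str, Decision]:
    """Re-read every loan from the warehouse before acting. Loans missing from
    the warehouse are flagged for manual review, not treated as delinquent."""
    out: Dict[str, Decision] = {}
    for loan_id in loan_ids:
        rec = warehouse.get(loan_id)
        out[loan_id] = (Decision("remind", "no record in data warehouse; verify manually")
                        if rec is None else decide(rec, today))
    return out


def initial_renewal_rate(warehouse: Dict[str, PolicyRecord], today: date) -> float:
    """In-process metric: share of loans past expiry whose renewal was logged
    on or before the expiry date (the first-attempt rate)."""
    due = [r for r in warehouse.values() if r.policy_expiry < today]
    if not due:
        return 1.0
    on_time = sum(1 for r in due
                  if r.renewal_received is not None and r.renewal_received <= r.policy_expiry)
    return on_time / len(due)


# Constructed sample data (not real loans or customers).
TODAY = date(2021, 10, 1)
WAREHOUSE: Dict[str, PolicyRecord] = {
    "L-100": PolicyRecord("L-100", date(2021, 9, 15), "post"),     # renewal may be in the post
    "L-101": PolicyRecord("L-101", date(2021, 9, 15), "email"),    # within lag + grace
    "L-102": PolicyRecord("L-102", date(2021, 8, 1), "portal"),    # two months overdue
    "L-103": PolicyRecord("L-103", date(2021, 9, 15), "post", renewal_received=date(2021, 9, 10)),
    "L-104": PolicyRecord("L-104", date(2021, 9, 15), "post", renewal_received=date(2021, 9, 28)),
    "L-105": PolicyRecord("L-105", date(2021, 12, 1), "email"),    # not yet due
    "L-106": PolicyRecord("L-106", date(2021, 9, 1), "fax"),       # channel the process does not know
}

if __name__ == "__main__":
    for loan_id, d in run_control(WAREHOUSE, list(WAREHOUSE) + ["L-999"], TODAY).items():
        print(f"{loan_id}: {d.action:12s} {d.reason}")
    print(f"initial renewal rate: {initial_renewal_rate(WAREHOUSE, TODAY):.0%}")
```

The point of the design is that neither department acts on a cached notification: `run_control` always consults the live record, and every path that cannot prove the policy lapsed (renewal on file, still in transit, unknown channel, missing record) stops short of force-placement. The metric function is what an auditor would wire into a monitoring checkpoint, since a low first-attempt rate was visible in GLNCU's data long before the complaints were.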

As a long-term project, Matt suggested the processes be merged into a single operating model, either using a vendor across the full organization, or by bringing the insurance data warehouse into the business.

Conclusion

The biggest challenge for the IS risk/audit professional is overcoming missing information, especially when examining connections. Each party has its own view of how the business works and often is not aware of the details handled by others. A holistic view allows a more robust discussion between key stakeholders, followed by a structured approach to identifying new control points and key interconnections. Reviewing the interconnections at least once a year keeps all participants aware of the process and engaged in updating the operating model.

Cindy Baxter, CISA, ITIL Foundation

Is director at What’s the Risk, LLC. Her practice focuses on integrated risk control and process assessments for cybersecurity, privacy and business continuity/disaster recovery. She views risk management and control assessment as a chance to learn the nuts and bolts of a client’s business and help them worry less, because gaps have been uncovered and a stronger operating model can be built. Baxter draws upon her experience in banking, insurance, healthcare and technology after holding compliance and management roles at State Street Corporation, American International Group (AIG), Johnson & Johnson and AT&T. When she is not doing risk and audit work, she enjoys volunteering on climate and environmental issues that impact her community.