I agree with your assessment: site visits are not required by regulation, and we do not require them to be completed as part of our standard risk assessment process.
That being said, we treat them as one tool in our toolkit, the same as any other risk assessment tool. At contracting, we do build in the contractual obligation to allow site visits should we choose to complete one; however, we will only complete one if we think there is useful information or insights we can gather from physically being onsite. Some of the primary reasons we might choose to go onsite are: relationship building that we think we can accomplish by an onsite visit, specific issues or problems that we want to ensure have been addressed, or a very specific and significant risk that we are taking on that warrants that extra level of due diligence.
Personally speaking, I have never found something that surprised me (or shocked me) as part of an onsite visit. Generally speaking, you need to arrange the visit in advance, so the vendor is going to be putting their best foot forward; if they didn't, that would certainly be a red flag, but probably not the first. The takeaway from onsite visits I have found is to raise our level of comfort that identified risks are appropriately mitigated with policies and procedures implemented and in use.
I think your proposed policy for site visits makes a lot of sense. From a regulatory standpoint, you have a consistent, repeatable policy for onsite visits that mitigates specific identified risk, and I think that is what our regulators are looking for.
Shelly
------------------------------
Shelly Chase
Senior Risk Analyst Officer
------------------------------
Original Message:
Sent: 12-01-2021 04:34 PM
From: Albert Lau
Subject: Are Site Visits Necessary?
I want to solicit feedback from the group. This is a current hot-topic discussion at our institution. Our TPRM program conducts site visits of our critical vendors, and even some of our high-risk vendors; but no one here really knows why. I researched whether there is a regulatory requirement for site visits, and none of the banking regulatory agencies requires site visits. In fact, only the OCC even mentions site visits (i.e., companies "may" consider site visits).
So questions came up: (1) why do we even do site visits? (2) what have we ever found from site visits in the past? (3) do we think we would ever find anything of significance from a critical vendor that is publicly traded, that has an SSAE 16, that is regulated? For the past 10 years, the only thing we'd ever found was that the data center door was propped open as IT was moving out obsolete servers.
I think there may be situations where site visits are warranted: a company that is new to the industry, a company that can't readily provide requested documents, a company that has too many control weaknesses on their SSAE 16 report that we want to decide whether to continue doing business with (i.e., meet with management to do a gut-check to see if they realize the severity of their control weaknesses).
We are thinking of conducting site visits of vendors that may be small, but may have customer impact, or may require our SME to do an assessment of their program (e.g., compliance, BSA, etc.). So our site visits will be focused on business purposes vs. regulatory expectations or what everyone considers TPRM best practices. We plan on continuing our normal monitoring processes (e.g., monthly/quarterly meetings with our vendor representatives, review of their public regulatory reports or risk assessment reports, ad hoc calls on any significant SSAE 16 weaknesses, etc.).
Thoughts? All comments welcomed.
Thanks in advance.
Albert Lau
Deputy Chief Risk Officer
East West Bank