DNB is Norway’s largest financial services group and one of the largest in Scandinavia by market capitalisation, offering loans, savings, advisory services, insurance and pension products for retail and corporate customers. The company is also among the world’s leading banks for the shipping industry and has strong positions in the energy and the fisheries and seafood industries.
In financial services, reputation is everything, and DNB understands that its partnerships with an extensive network of vendors are a critical foundation of that reputation. In the wake of GDPR, the company also recognised that its vendor management and third-party relationships didn’t meet its high standards.
As DNB grew and partnered with other organisations to outsource certain operations, it became increasingly difficult to apply rigorous risk-management processes. Like other large financial services organisations, DNB faces intense regulatory scrutiny; its third-party partnerships—including agents, distributors, vendors, partners and consultants—number in the thousands. DNB’s challenge was to control partner-related risk without incurring astronomical costs. The company needed a streamlined process built around a flexible tool that supported easy integration and automation.
The tool DNB chose was ServiceNow Vendor Risk Management.
Understanding the potential impact of third-party risk
The company’s vendor-related risks mirror those of most large companies that have an extensive partner network. Third parties, which provide critical services and have extensive knowledge of its customers’ business, usually store or have access to confidential corporate data through data processing or hosting arrangements. They can also have physical access to company premises. Third-party organisations also tend to be tightly affiliated with their partner companies, contractually and by market reputation.
DNB knew that, though it could easily outsource a key service or function, it couldn’t delegate its most critical responsibilities to its customers or rely solely on regulators. Any mistake or shortcoming in its value chain would fall squarely on DNB itself.
A comprehensive strategy
Thus, for DNB, a holistic approach to third-party risk management made much better sense than monitoring specific risk triggers. Among the areas it wanted that holistic approach to cover were:
Corporate social responsibility: A third-party partner with lax ethics (tolerating, for instance, child labour) can pose a threat to a company’s market reputation and customer loyalty.
Supply-chain integrity: Any breach along the supply chain can have dire security consequences for an entire partner network.
Financial stability: Partner companies that are struggling financially can be inclined to take risks and shortcuts that have negative consequences for their affiliates.
Continuity: Poor backup routines and a lack of redundancy in key systems are a potential threat to a partner’s operations.
Compliance: Strict adherence to tax law, competition law, privacy standards and regulations, international sanctions and other legal mandates should be a non-negotiable standard for all third parties.
To create a vendor registration portal that connects with ServiceNow Vendor Risk Management and Contract Management, DNB worked with Sopra Steria.
The portal allows DNB to assess the vendor’s operational criticality and identify the specific risk areas. For example, with a vendor that produces shirts with the DNB logo, the vendor’s security processes may not be a major concern but its social-responsibility measures and stated policy on using child labour surely would.
For an IT company, security is an ever-present consideration. DNB closely researches the relevant risk categories and performs an external assessment that may include questionnaires to the vendor as well as searches in relevant public databases such as Dun and Bradstreet.
The first regulation implemented was GDPR, which took less than a quarter before go-live. Since then, DNB has expanded its implementation.
With ServiceNow, DNB can run the entire process in a single tool that enforces a multidisciplinary common risk model covering everything from security to corporate social responsibility. However, the goal of DNB’s vendor onboarding process isn’t to weed out higher-risk partners but to understand the risk related to each, so the company can make smart decisions without overburdening the operations that are vendor-dependent.
To get started, DNB recommends the following steps:
1. Employ a risk-based approach.
2. Ask basic risk analysis questions: “Where are we exposed? How can third-party issues impact our business?”
3. Based on the above, assess which third parties are most critical to manage.
4. Implement ServiceNow® Vendor Risk out of the box and start with analysing and managing the 10 most critical third parties.
Ultimately, DNB understands that an ill-advised action by any partner anywhere in the world can increase the company’s risk exposure. With ServiceNow, DNB has the visibility and control it needs to minimise that risk and continue to build the partnerships essential to ongoing growth.
Watch the ServiceNow Knowledge 2020 session “When they fail, you fail” to hear about DNB’s vendor programme.
Learn more about Vendor Risk Management at www.servicenow.com/vrm
© 2021 ServiceNow, Inc. All rights reserved. ServiceNow, the ServiceNow logo, Now and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries. Other company names, product names and logos may be trademarks of the respective companies with which they are associated