The Third Party Risk Institute Podcast
Go beyond the headlines with The Third Party Risk Institute Podcast, the official podcast of Third Party Risk Institute.
Each episode brings you into the room with top experts in third-party risk, cybersecurity, procurement, governance, and compliance. Hear how risk leaders tackle real-world challenges, share lessons learned, and stay ahead of evolving threats.
We explore the strategies that work, the mistakes that teach, and the insights you won’t hear anywhere else.
Perfect for risk professionals, procurement leaders, auditors, and decision-makers who want to lead with confidence.
🎧 Subscribe now: new episodes drop monthly on Spotify, Apple Podcasts, YouTube Music, and Amazon Music.
Mastering Third Party Risk in the Age of Intelligence with FIS CRO David Dunn
In this episode of The Third Party Risk Institute Podcast, we sit down with David Dunn, Chief Risk Officer at FIS, to explore what it takes to manage third party risk at a global fintech that serves as a systemically significant service provider to thousands of banks worldwide.
With 30+ years of experience leading risk and audit functions across top financial institutions, including Bank of America, PNC, and Truist, David shares a behind-the-scenes view of how to build resilient risk programs, navigate regulatory expectations like interagency guidance and DORA, and align innovation with a strong risk appetite.
Whether you’re leading a TPRM program in a regulated industry or working with critical vendors, this episode will help you rethink how to scale your program without losing sight of risk ownership, performance, and resilience.
What we cover in this episode:
• The role of fintechs in global financial infrastructure and the regulatory pressure they face
• Why outsourcing services doesn’t mean outsourcing risk
• How FIS manages concentration risk, critical dependencies, and long-tail events
• What it means to be a "systemically significant service provider" under regulatory scrutiny
• Leveraging AI for internal security and innovation in product development
• Risk appetite: balancing innovation with a conservative approach to risk-taking
• The growing importance of managing nth party (4th, 5th+) risks
• How to operationalize interagency guidance and DORA within large-scale risk programs, and a lot more.
You’ll walk away with practical guidance on:
• Applying interagency guidance and DORA to third-party risk
• Designing scalable vendor management frameworks
• Integrating AI into risk management and product design responsibly
• Managing concentration and systemic risk with contingency planning
• Building RCSAs that extend beyond surface-level checks
• Identifying and assessing material fourth parties tied to core operations
• Reinforcing your Three Lines of Defence with accountability and clarity
• Optimizing SOC reports for assurance, not just compliance
• Structuring SLAs that are strategic and useful
• Improving relationship oversight and vendor offboarding processes
• Communicating risk clearly to internal stakeholders and executive leadership
This episode is perfect for:
• Chief Risk Officers (CROs)
• Risk and Audit Leaders
• Procurement and Third-Party Program Managers
• Compliance and Governance Professionals
• CISOs and Information Security Executives
• Business Resilience and Operational Risk Managers
• Anyone working with critical vendors in finance, fintech, or tech
🎧 Enjoying the podcast?
Explore more resources, expert insights, and certification programs at www.thirdpartyriskinstitute.com.
📱 Follow us on LinkedIn for real-world conversations and industry trends: Third Party Risk Institute Ltd.
📬 Have a question or topic you'd like us to cover?
Email us at: info@thirdpartyriskinstitute.com
Linda Tuck Chapman: I'm Linda Tuck Chapman, CEO of Third Party Risk Institute, and I can't tell you how delighted I am to invite David Dunn to our CRO series, talking specifically about third party risk management. So, thank you so much. David is Chief Risk Officer at FIS. In his role as Chief Risk Officer, David has a very broad span of control, as you might imagine: strategy and execution for the global risk functions, information security, risk advisory, risk and controls, business resilience, physical security and, of course, maintaining the organization within its risk appetite. You have over 30 years of experience, and you have a fascinating career in the way that you have built it. You have such a strong foundation around audit and risk. Most recently you were Executive Vice President and Senior Governance and Controls Officer and Head of Enterprise Technology Risk at Truist, which is a pretty huge organization. Before that you were at PNC Financial Services, also a very large bank, where you were Executive Vice President and Assistant General Auditor, and I'm really happy to see you bringing audit and risk together. Sometimes I see these as very separate functions, and they don't always see eye to eye in terms of how things should be, so that's interesting. And then at Bank of America you were Senior Vice President, Senior Audit Director of Global Technology and Operations, also another massive organization. I can't even imagine that job, because the organization is so huge. At Royal Bank of Scotland you were Senior Vice President, Head of Operational Risk Management for Citizens Financial Group, and you've also had a number of roles at Capital One, PeopleSoft, etc. And you are very well educated, as we could well imagine: you're a CPA and a Certified Internal Auditor.
And in your spare time, I understand you're an adjunct professor at the Heinz College of Information Systems and Public Policy at Carnegie Mellon University.
David Dunn: That's right.
Linda Tuck Chapman: So, I'm not sure how you fit all that in. Anyhow, welcome. I know that was a long introduction, but I want people to understand how very fortunate we are to have you sharing your expertise and your knowledge and all your many experiences.
David Dunn: Thank you very much. Thank you, glad to be here.
Linda Tuck Chapman: Oh, thanks. Okay, so FIS is an award-winning fintech. You know, that's taken from your website. You're an enormous fintech, actually, and I see that you say that today's global economy relies on technology to keep finances flowing. Honestly, it just keeps everything flowing. Can you imagine life without tech? So, I'm going to go through a little bit more detail in a couple of minutes about FIS, but I'd like to start by actually talking about the interagency guidance on third party risk management that the US came out with, and as far as I know that's one of the few times where they brought all the regulators in the sector together to actually create a harmonized view of the world in terms of what the guidance is. One of the things they call out are fintechs, and there are special rules for fintechs. Can you talk a little bit about that? Because it's hard for us to understand what exactly they are driving at and why.
David Dunn: Yeah, absolutely. You know, I think if you go back even as early as the early 2000s, the FFIEC guidance and the IT Handbook spoke to outsourcing, and then they actually had a separate handbook that was for third-party service providers, and really the fintechs in that space. And the idea being that there is such a reliance on the third parties and the service providers that making sure that banks understood just how much scrutiny was going to be applied, and basically holding that third party to the same level of standard as if you were managing those operations within your organization. So that notion that we all say, you can't outsource your risk, they put it in writing and said you can't outsource your risk, and specifically these are the things that we're going to be focused on. And for us at FIS, we take that very seriously. We work with thousands of banks globally, and so, as you can imagine, we have to hold ourselves to those same high standards. We know that our clients are going to be examined by the regulatory agencies and they're going to have certain expectations that we want to make sure we're able to supply to them and provide for them so that they can stay in compliance with expectations. But similarly, we have all of the agencies within our four walls, and we're under examination at the same time throughout the year. And the complexity for us is that because we operate in 150 different countries, all of those local and regional jurisdictions and regulatory expectations for those agencies also apply to us. And so it very quickly becomes, you know, a very high bar for us, not only in how we manage our third-party relationships that support FIS, but how we act as that third party to our clients.
Linda Tuck Chapman: And that's actually a pretty tall order, but I think a lot of people, if they're not familiar, would be surprised that you also are subject to examinations with the same rigor. And one of the things I like to remind people is that if they're contracted with you, they actually can get a report from the regulator if they can prove that in fact they're doing business with you, and that can provide a much greater level of assurance, because third party risk management can be a little uneven. In many cases you probably find you actually have better controls than some of your clients, which is just a fact of life. So I just want to ask you: almost all organizations run on technology. What makes FIS a fintech versus a different type of third party that might be supporting a bank?
David Dunn: Well, I think it has to do with just how deeply we support the clients, right? So certainly from a banking standpoint, we supply not only core banking activities, so everything that you would do from supporting your deposits or your mortgage and lending platforms and customer onboarding and things of that nature, but we really go beyond that from a banking standpoint in terms of all lending, credit, debit, payments, merchant services, etc. So it's really talking about the fact that the systems that we use to support the bank are really integral to delivering the services from the client. I don't think, oftentimes when you look at some of the other technologies that are out there, you might use them for a single purpose, or maybe you use them for very narrow sort of support for a particular process or transaction. When you look at what we provide to the banks and to investment firms and other corporate clients that we have, it's really the essential technology that supports the business.
Linda Tuck Chapman: So is that what they call banking as a service?
David Dunn: Yes, in some respects. We do both licensing agreements, where you can certainly purchase the software, you can purchase licenses to the software, we will host the software, and in many cases, for many of our clients, we will also do other operational activities outside of the software itself. So, in banking parlance, you might say day one, day two activities, right? In many respects, we do everything a bank would do except take the deposit or make the loan. But anything that you would do in order to make that transaction, support that transaction, provide statements, remittance processing, card production, plastics, etc., we do all of them,
Linda Tuck Chapman: which is probably why you're examined by the regulators.
David Dunn: That is exactly why we're examined.
Linda Tuck Chapman: So there is a term called systemically important financial institution. Does that apply to your organization as well?
David Dunn: We're not considered a systemically significant institution, financial institution. We are a systemically significant service provider. So yes, thank you for the correction. Actually, we are in that higher echelon, and therefore the scrutiny is that much greater.
Linda Tuck Chapman: Yes. Yes. So I'm sure you have regulators living in your walls, just like I used to experience in banking. Okay, so I'd like to move on a little bit to innovation. A bit about FIS: I mean, you really truly are massive. I see you have 8 trillion in assets serviced. You serve 58% of large and regional US banks above 10 billion in assets, 500 risk clients, 17 billion transactions. These numbers are a bit staggering. I would like to hone in on a couple of them. So you support 50% of the world's most innovative companies, or they are clients or partners of yours, and innovation certainly is on everybody's mind, particularly when it comes to AI. So can you just talk very briefly, I don't want to get into a big discussion about AI, but how do you use AI, or do you use AI, to help FIS protect itself and its clients from harm?
David Dunn: Yeah, absolutely. You know, certainly you can't go too far these days without having a conversation about AI, regardless of what industry you're in, but certainly from a technology standpoint it's front and center. You know, when we think about where we are in the AI journey, we're really thinking about things at FIS as leaving the age of digital and entering the age of intelligence. And we think about that in terms of not just the pace and the volume of change, but the significance in terms of the power of computing, and we're pretty early on in that journey, and we are looking at how we utilize AI, not only in terms of how it helps us operate more efficiently and more effectively as a company, because there certainly are a number of different applications that we can apply that would help us in that sense, but how do we then use it, as you mentioned, in terms of how we protect ourselves? So we certainly use AI in our cyber space and in a few of our other sort of external risk management activities, because if we're safer, that safety translates to safety for our clients. And then I think we are doing quite a bit right now, and I expect this to really accelerate over the next couple of years, in terms of how we embed AI into our products so that it allows for greater capability for our clients, but also that notion of how do we build it in a resilient and safe way, and AI certainly can be an accelerator for that. And as I said, we're early in the journey, but we see that as a real key differentiator as we go forward.
Linda Tuck Chapman: Well, certainly, the nuggets along the way that I'm picking up, basically, if I just back up a little bit: you're talking about systemically important service providers, and I think it doesn't matter what industry you're in, that's a very important concept. I find that people do blend together the notion of exposure to risk and the operational dependence they would have on a company like yours. They're not the same thing, obviously.
David Dunn: Yeah.
Linda Tuck Chapman: And I love this notion of leaving the digital age and moving into intelligence. That gives me kind of a visual picture of how we have built building blocks over time, because the digitization is essential. You know, we know that, but layering on top this layer of intelligence gives me a visual image, and I want to thank you for that, because that's kind of a new way of thinking of it. So, I'd like to bring it down a little bit more to the ground level around third party risk management. I mean, basically, from your lens, what is this all about? Why is it important? There are lots of years of regulations, and there's DORA, which is a very well-written regulation. We've got the US. So these regulations exist everywhere, but what exactly is it that these regulations are trying to encourage companies to do?
David Dunn: Yeah, I think it's a great question. You know, as you said, the notion of third party risk has been around for a long time. But also one of the things that you mentioned earlier is the fact that we all sort of manage it a little bit differently. And so I think the one thing that the regulations are trying to do, I think there are a couple of key points. One, and this comes up in my conversations with regulators all the time, there's this hope, this desire, that they can get more of a level playing field. Meaning they recognize that companies don't necessarily manage their third parties in a consistent way. And so there is sort of this notion of reiterating, hey, this is really important, these are sort of the minimum expectations, to try to have that notion of, you know, the rising tide raises all boats. So there's some of that; it's just a reinforcement of that. Right, there is some truth to that, yes, right. The other thing that I think they're trying to do is really be much more responsive, faster, around changes that are occurring in the world, in the marketplace, in technology. Because as you know, legislation and regulation tends to be pretty slow. If you look at the FFIEC guidance, which to me has always been sort of holy scripture for those of us who've been in banking for a long time, you know, those books don't really change, you know, what, every 10, 15, 20 years maybe.
Linda Tuck Chapman: Yeah.
David Dunn: Well, we're up to 21 now for the original version of FFIEC, with very few updates. That's right. I mean, for third party, I have the Outsourcing Technology Services book right here, and it's dated June of 2004, so 21 years, so that doesn't tend to change. Now, I will say that many of the core principles that are in that guidance still hold true today, but I think the idea, especially with something like DORA, you know, the capabilities that we have around data, the way that companies use a third party for many core activities, like we talked about at the very top of the show here, and the fact that every third party uses third parties, and third parties use third parties, and you very quickly get into nth party risk management, because that core tenet that says you can't outsource your risk is still true.
Linda Tuck Chapman: So DORA
David Dunn: yeah, really put a lot of effort around, let me be clear, let us be clear about what the expectations are, whether you're the immediate company, the immediate third party, or whether you're a fourth party, fifth party down the line, these are the expectations. And I think it was in an effort to try to be more responsive, faster, and not let the world kind of pass us by and then hopefully in 20 years we'll play some catch-up.
Linda Tuck Chapman: Yeah. And for those of you who are less familiar, it's the Digital Operational Resilience Act that came out of the EU that we're talking about, which is pretty new, about a year old, or is it two years old? I lose track of time. Anyhow, but it's really interesting. Somebody actually said to me, "Well, isn't this just more of the same?" I actually don't think it is. I like DORA. It's a higher standard, in my opinion.
David Dunn: It is. It is.
Linda Tuck Chapman: So, yeah. You know, at the end of the day, as a head of third party risk, I personally think that what we're trying to do is empower the business to make the right decision, right? Make a risk-informed decision. And so, yes, I'm sure that you have many opportunities to weigh in on those. Often when I'm working with people, I'll put in a step where certain things just should go up for your eyes because they're outside of the norm. And that kind of leads us into this concept of risk appetite. Risk appetite is something people just throw around. They throw around the word risk. I mean, risk is kind of like your new sexy word, right? It's ridiculous. Same with risk appetite. So in your view, what is the risk appetite for an organization, particularly for your organization?
David Dunn: So it's a really interesting question, because I've actually read a number of books on the topic, and there's a lot of different thinking around risk appetite. I think generally most people would agree that you're trying to articulate how much risk you're willing to take as an organization to perform certain activities or to achieve your strategic goals. Right? I think at the end of the day most people will agree with that. I think there's been a lot of work lately by some scholars trying to make it a little bit more operationalized. So, it's not just how much risk are you willing to take, but is there a way of proactively calculating how much risk you should take? And really start to make it more of a model, in terms of almost like a business case.
Linda Tuck Chapman: Yeah. Interesting. Yeah. Interesting. Reminds me of RAROC. Remember RAROC? With a rate, basically, where you could calculate the cost of capital for more or less risky businesses. Is that where this has gone?
David Dunn: It's a very similar notion, right? And so I think it starts with the basics, which is being able to articulate, even at a qualitative level, how much risk you are willing to take around certain aspects. So for us at FIS, we use a pretty standard set of domains, things like strategic risk and financial risk and operational risk. We break out technology, which includes security, because we're a tech company; we want to have that be a standalone domain. And then a few others, but the idea is we generally, for the most part, are very conservative. We have relatively low to moderate risk appetite for most of our activities. Now, as we talk about innovation, I think the idea that, in some form, because we are creating software and we're innovating on things that haven't historically existed and we're putting something new out there, the way that we use AI, for example, I think you have to have a little bit more of an openness to risk, but again we do it in the context of our broader risk appetite, which is very low, because at the end of the day our clients are looking for stability, safety, reliability, etc. And so I think, for me, having a risk appetite and a risk appetite framework that allows us to be able to throttle up and throttle down in certain areas around how much risk we're willing to take, and still do it in the context of overall low risk, I think is really important, and it really changes the way that we talk about it at the leadership table and with the board, so that we can really put a fine point on where we are willing to take risk and where we are not. And to that last point about quantifying it, being able to then be proactive to say, well, if I took a little bit more risk, what would be the value of that, and is it worth it?
Linda Tuck Chapman: That's a very different conversation. Reminds me of when I was first chief procurement officer and my boss said to me, "I don't mind paying a premium. I want to know what it's for, though," right? It's the same concept.
David Dunn: Same concept.
Linda Tuck Chapman: So yeah, now, because you're right, banks are always moderate or low or moderate-low, right? That's what most organizations are going to tell you they are, even though universally I think individually that might not be true. And it's interesting how you're dealing with that portion of your portfolio of activities, or your own third-party relationships, that are of a higher risk. Right? So I've often recommended to people that they just take all that innovation and put it in its own portfolio, because it's a good news story for the company and the board, and it's also something you want to pay attention to. Is that the kind of approach that you would recommend?
David Dunn: It is. I think whether you ring-fence it and sort of give it its own home or not is really up to you. But I think the ability to be able to identify it and extract it and say, "Hey, when we're talking about innovation, or we're talking about this part of the business that is meant to be somewhat more forward-looking and not delivering core capability, but it's really that, hey, next generation." I want to be able to identify it so that we can see it, analyze it, talk about it, and not have it get absorbed or lost in sort of, you know, the white noise that's the rest of the risk appetite. Yeah. Yeah.
Linda Tuck Chapman: So one of the things that often comes up, and I'm sure you hear this from regulators as well, is this notion of concentration risk. In fact, I actually did, you know, I did even respond to an email yesterday. Somebody sent me an email saying they were dealing with this organization. It is a monopoly, right, that they have to deal with in their sector. And so what could they do about managing the risk, right? Because it's a monopolistic provider that they have to use. They're in the insurance business. So, what about concentration risk? I mean, if you are basically the banking backbone for your clients, does it even make sense to say that we're going to have an alternative? I mean, a contingency plan that says we're going to move to somebody else? I struggle with this, David. I truly do. What's the best advice we can give people?
David Dunn: That's a hard one. I mean, it's one that we've been talking to regulators about. I know that in my previous roles with some of the banks before I came to FIS,
Linda Tuck Chapman: Oh, yes. Of course, you were on the other side worrying about this.
David Dunn: Yeah. And those were the conversations we were having with the regulators, and they were pushing us on, well, you know, do you have a secondary? Do you have a tertiary? How, what, could you move from one to another from a vendor standpoint? And it's just not really feasible. You know, when you think about, when you bring in any, it doesn't matter whether it's financial software or any other software, when you're bringing in something that's going to be baked into your operations, you now put process and policy, and there's a whole bunch of training, and you've got people who are bringing that whole process to life, not just the tech, but, you know, all of the operations that are around it. The idea that you can kind of plug and play a vendor, it's just not really feasible. But that was, you know, kind of where the headspace was for the regulators for a while, and we were all in the banking industry sort of saying, "Wow, that would be really hard for us to do." And I think we sort of moved them off that notion. So, I do think that when you have a vendor, and we haven't really gotten into sort of how you manage that vendor relationship, but you know, anything that you utilize as a third party, you have to bake it into your business continuity and sort of incident management program. All too often I've seen, either in the past or even now, where, you know, sort of the mindset is, well, I just assume you guys have that, so I don't worry about you. And again, that's part and parcel of you can't outsource your risk. You have to treat us or any other vendor, third party, as really part of your ecosystem.
And so the reason that's important is that in the event that there was something that would happen that would impact one of those third parties, pulling them out and throwing in another one probably isn't the answer, but you need to have thought of and planned for what am I going to do. And that might be, and I've done this in the past, where we had an off-ramp from the vendor; we had to stand up some internal capability. It was for a short period of time. We weren't going to run that way forever, until such a point that we could then redirect back to the third party. It was part of our program, because you have to be able to plan for it and execute in those circumstances. But all too often I think that it gets a little short shrift and they say, "Ah, the vendor will be okay."
Linda Tuck Chapman: Right. Right. Or I've got this other one that came through our RFP process and they're at the ready, right? That's not happening.
David Dunn: Correct. Correct.
Linda Tuck Chapman: So, it sounds to me like you also practice scenario analysis. Is that something?
David Dunn: Huge. Huge. It's so essential. And I would say the one thing that I've learned over the years in scenario analysis is there is no scenario that's too crazy. You really do need to push yourself for those, you know, we would call them a long-tail event, or, you know, really highly unlikely, whatever you want to say. You really need to push yourself to challenge on, you know, all of the things that you think, oh, that could never happen. You should run a scenario on it.
Linda Tuck Chapman: Well, it's interesting, because I think I had mentioned to you when we were preparing that I had worked with a bank and that most of their controls in their risk register were, well, we'll just get the third party risk management program to look after it. Well, yeah, not happening. Anyhow, so another thing that we talked about during preparation was the risk and control self assessments, the RCSAs. So, is this something that you use or that you recommend?
David Dunn: Absolutely. I think that, you know, outside of the risk appetite framework, which I think is a crucial component of any risk program, I really see the RCSAs as the backbone. Everything sort of hangs off that. That's the spine. And I think as it applies to third parties, again, is this notion that you really need to make sure that you're not skipping over controls or risks that may reside at that third party. It has to get baked into your RCSA. You really need that to be as comprehensive and representative of your business risk as possible. I'm not a big believer in trying to capture everything in an RCSA. I don't think you have to go to the nth degree. I worked at one organization where that was kind of the approach that we took. It was very comprehensive and somewhat draconian, to the point that we had upwards of 17, 18,000 controls in the RCSA. And what happens is it becomes kind of a paper exercise. So you're just trying to get through the process. And it's so large that it's difficult to look at it and consult it when you're proposing a change, like, oh, I want to issue a new product, or I want to move into a different geography or a different market. What would that do to my risk profile when it's that large? There's so much work to do to be able to get any kind of feedback information that people stop using it.
Linda Tuck Chapman: Well, I'm not going to consult that because it's... or they do it because they have to, right? And then, you know, they put somebody low level on it. A lot of people criticize RCSAs because they are a process, without a doubt, but I actually do think that they really make a lot of sense. So what if you're looking at a well-constructed RCSA? Can you just talk about the internal and the third party components? Or do you include fourth parties? Like, how deep do you recommend that people go, and what's the benefit of going there?
David Dunn: Yeah, I think you have to go at least to a fourth party view. And again, this is what the challenge is: when you start to go to fourth or fifth party, your visibility into those gets really diminished. It's very difficult. And so certainly you can use things like SOC reports and other reporting, but the further away you get from yourself, the more imperfect the data. So I wouldn't go much further than fourth party, simply because I think the probative value starts to diminish and you might actually get information that's not useful. I do think, though, that if you can have a really strong relationship with your third party, and you can establish some good routines and understanding and norms with that third party on their first layer of third parties, especially ones that are really crucial... Again, I don't think you have to have wall-to-wall carpeting, but you need to make sure that you're getting those things that could impact your business in a meaningful way. You want to get those represented in your RCSA.
Linda Tuck Chapman: So, one of the things that I've seen organizations do... I've consulted in this area for a very long time. One of the things, I think, is to define what you even mean by, you know, material fourth party. Which ones actually matter? So, if you were just to give us a couple of examples, what characteristics might a fourth party have that tells you you should know who they are and what they're doing?
David Dunn: Yes. So it really starts, in my opinion, with your own business process and what you are actually trying to execute or deliver, and it starts with your own definition of what your KPIs and KRIs are for that process. Then you have to dovetail in: well, where am I relying on a third party for delivery of those? And again, where in that third party do they rely on a third party that might be delivering that value back to you? And so it's a marriage of: here's my process and my intended outcomes, my OKRs, my KPIs, and I have to marry that with the SLAs that I have with my vendor, and really get into the contract, really get into what the actual delivery is and how we are going to manage that over time. What's the routine you have with that third party to get their SLA data? How are you managing them against any tolerances that you might have built in? There's no substitute for knowing your business and understanding how that third party could impact it. And you chuckle, but I know you've seen this. It ends up being sort of, oh, I just kind of assumed it was going to take care of itself, and it just doesn't. So I think when you're really diligent and you start with that strong understanding of your business and you pull the string through, those are going to identify the things that really matter that you're going to want to include in your RCSA.
Linda Tuck Chapman: Okay. And I think that, you know, when people are starting to throw out the baby with the bath water here, it may be because they're overdone, or because they're not taken seriously, or they just lay, you know, sort of on a sur somewhere, but they can be extremely, extremely helpful to manage your business. So if I go back to the guidance: the guidance talks about critical activities, right? But those are yours, right? That's your internal view.
David Dunn: That's right, that's right.
Linda Tuck Chapman: And then you've got basically your critical third parties that support your critical activities. The word critical is not my favorite. Since I started working outside of, and working with a lot of people outside of, the financial services sector, I have changed my language to operational dependency, because people do understand that critical could mean who knows how many things.
David Dunn: Means a lot of things.
Linda Tuck Chapman: It means a lot of things. So, basically you've got this construct. I'm seeing your enterprise risk management framework. You have RCSAs that support that. You've talked about key risk indicators, key performance indicators. One of the things I would like to ask you is: do you subscribe to the three lines of defense framework?
David Dunn: We do, and I think it's really important. And again, look, certainly I grew up in the banks, and we had adopted the three lines of defense model pretty early on, with Heightened Standards coming out from the OCC and the Fed. I do think it's really important, and it's really an extension of this concept of really clear roles and responsibilities and the notion of segregation of duties. And that's really all it is at the end of the day. But I do think it's important that... I want the folks in the first line to really feel ownership and responsibility for the risks that they create by doing business and the risks that they're responsible for understanding and managing in order to do that business. I think that's really important. I think that if it becomes one of those situations where you've got first line activity over here, and they don't feel that they're responsible or accountable for any of that risk, and that's done by some mystery group over there, I just don't think you get the best quality output, and sort of that notion of diligence around managing it, when you don't feel like there's any real risk to you or your organization. So I think it's really important. I'm a big believer in the second line being not just challenge and oversight. We are considered part of management in the second line, so there is an opportunity for us to roll up our sleeves and be very helpful, but always in the context of: you own this risk, and ultimately you're going to have to run it. And then audit comes in and sort of makes sure that that ecosystem is operating effectively. And you mentioned it at the top, around this notion that I have a big audit background as well as risk management. I really see them as being two sides of the same coin. And I have a great relationship with our general auditor, and we don't always agree on things. And I say, "Hey, that's okay. We don't have to agree." But what's important is we understand why we don't agree, because in that conversation is where there's value. And it helps me to drive things in my program. It helps him to drive things in his program. Because we're not trying to get to the same answer. We're trying to get to the right answer for us and then compare notes. And we think there's value in that.
Linda Tuck Chapman: Well, there really is. I mean, a long time ago I put together a visual. I see the audit function basically as a goalpost, right? They're helping the organization and the board ensure that, within the bounds of the strategy, things are happening as expected, right? And then I see risk basically as, you know, sort of the upper and lower levels in the risk management organization, because you're setting the upper limits on risk, but also you can't operate with no risk. So, you know, sort of, what's the reasonable framework? And to me, when you put them together, it makes a lot of sense. I mean, I'm always looking for visuals. It's the same thing with lines of defense, right? I always think of a castle, right? Your first line of defense is out there on the ramparts protecting the castle, you know? Your second line of defense is back, kind of developing all these tools and making sure they're being used properly, etc. And then you have your audit function, your third line, sitting up, you know, with the king of the castle, kind of watching what's going on and making sure that everything's happening, and that they keep them informed. Yep. Right. It's an easy visual, and I think that because people think it's an org chart... it just isn't.
David Dunn: It really isn't. That's right.
Linda Tuck Chapman: Okay. So, a while back you mentioned SOC reports. A lot of organizations depend entirely on a SOC report. What is your thought on that?
David Dunn: I will say I have mixed feelings about SOC reports. We generate tens of thousands of SOC reports. I think they download something like 35, 40,000, so customers, clients, are using them. They're important. I think that if you're able to do an on-site visit, and you've got audit clauses in your contract, you should take advantage of those. But that's not always feasible, so the SOC report is really important to fill those gaps. I will also say that a SOC report does not substitute for a really strong relationship between client and third party. You want to have a really strong relationship. You want to have open dialogue. You are really trying to pull in the same direction, and so I think that's probably your best way of getting confidence and assurance that controls are being managed appropriately. Just like I said earlier: know your business, know your vendor, know your third party. They want to know you. They want to be part of your organization. It is a symbiotic relationship. So I think that's a really, really important first step. SOC reports are great as an assurance vehicle if you have no other assurance vehicle. If you do have the ability to go on site and do audit work, you should take advantage of that. My advice: read the SOC report first, and then determine where I would maybe want to probe a little bit deeper. Maybe there are certain things that were in the SOC report that are general and universal for all clients, but I've got one or two things that are specific to me that I want to follow up on. So, use it as a tool. And that's kind of the way that I've always thought about SOC reports. Even from my old audit days, we'd get the SOC report, I would use it and leverage it for as much as I could, and then I would build my audit plan sort of accordingly.
Linda Tuck Chapman: So, one of the things we haven't talked about is service level agreements. You are subject to probably tens of thousands of them, and you also probably introduce service level agreements to your third parties as well. So what's your view of the world on SLAs? You know, are they useful? When are they not useful?
David Dunn: So, yes, I think they're useful. I think they're really important. But I think what's most important is that you, again, really be smart about how you create them and use them, right? So, if you have a blanket set of a hundred things that you're going to try to manage to, it's probably not going to be very effective, for a couple of reasons. One, it's so large of a list that it's sort of a shotgun blast of, hey, I'm going to care about all this stuff. Vendors are going to try to meet that, and what they're going to do is spend a lot of time creating a lot of metrics on things that I'm not sure you get as much value out of. Not all metrics are created equal. One of the things that I say all the time is: just because I can measure it doesn't mean I should. So what are the things that really matter in your contract, in your relationship, in the services that you are contracting for? Be diligent and deliberate and judicious around what the real measures are that matter, and if you can keep that to a reasonable number... And there is no right answer for that. It might be 10, might be 20. But if you're getting up into, like, 50, 60 things that you're trying... oh gosh, unless it's a really big managed services contract where that really makes sense due to the volume of services provided. But I guess that's the key, right? Make sure that what you're asking for and what you're going to measure is commensurate with the services that are being rendered, so that it's meaningful and it's targeted, and it's something where you're not just creating a lot of administrative burden, because that ultimately doesn't help them and it doesn't help you.
Linda Tuck Chapman: Well, I'm laughing. I worked with a very large healthcare provider in their procurement department, and they had a lot of very, very large contracts, and their average SLA report was 38 pages long. How's the device... like, maybe the relationship manager might know what that's about? Maybe, because there are, like, paragraphs and all kinds of stuff. But when it's distilled, like, how does management know if there are some trouble spots that are emerging, or that there's a problem that isn't yet completely obvious through day-to-day operations?
David Dunn: Well, I think, so one of the things that I've always seen as being pretty effective is... so you have your SLAs and you have the metrics, and you get these reports, and sometimes they are quite lengthy, and they are very specific to services that are being rendered, and you want to be able to tie those back and connect those dots. But the relationship manager, the person that has that relationship, they should be meeting with them regularly. I like monthly, but quarterly might be okay. It all depends on the situation, but that's when you really probe on those things. So that relationship manager should really come back and create a summary. And I love heat maps, for just the reason that you were saying, right? As maybe an executive or as a manager, I want to be able to pick something up and look at it and go, "Oh, that's red. What's going on?" Right. If you gave me 30 pages and I have to sort of figure out where the needle is in the haystack, that's probably not going to be effective oversight and relationship management with that vendor. So I do think it's: have that relationship, make sure you're measuring the right things, but then summarize it, pull it up, and say, "How is this now meaningful to my business and to my leadership?" I think you end up with a much better, you know, sort of oversight ecosystem, if you will.
Linda Tuck Chapman: Well, and part of the challenge is the huge turnover, basically. I find that, you know, technology in some ways actually impedes communication, because of these one-line texts, right, with an important relationship. It's kind of interesting. One of my friends was managing a very, very large outsourcing contract for her organization, and she ring-fenced a small amount of money in their budget so that every time they did an off-site, they had their provider as a part of that, because they're essential to their success. And I thought it was really clever. And the other thing is that, you know, people have such a short attention span, right? So learning about the relationship when there's high turnover has got to be very tough for your people too, because they get a new relationship manager who has no training, right? They don't really know what this is all about. They don't have any history, and they're not about to pick up a bunch of policies, or maybe even the contract, to read it. So, that's got to be a huge challenge.
David Dunn: It is. And you raise a really good point, though, when you think about your overall third-party risk management program, or your third party program, however you sort of describe it. That notion of turnover, that notion of: I might have a relationship with a vendor that was initiated 10, 15 years ago by, you know, Susie Q, and she hasn't been here for years, and no one really picked that up when she left, and we just kind of keep renewing this contract. It's on autopilot. Right. Or worse yet, I've seen in some cases where we had an agreement with a third party, and it was a data sharing agreement. And so there are IP addresses, and there are these channels that are open, and that goes away, like, that vendor goes away, and no one turned off those connect points.
Linda Tuck Chapman: Oh my.
David Dunn: Right. Those are the types of things where what I'm pointing out here is there's change management that you need to apply to your third party management program. And it takes on lots of different forms. It could be people, it could be relationships, it could be, you know, making sure that when we turn off an arrangement, we turn off all the switches, we turn everything off. You unplug it entirely. You have to be proactive in building that into your third party management program, because all too often I think I've seen it sort of left to the engagement manager, and we just assume that they know what to do, and they don't. You need to set the expectation. You need to give them the tools, you need to give them the training, and then you need to have the monitoring and enforcement in place to make sure it's happening.
Linda Tuck Chapman: Well, it's interesting. One of my friends is a deputy chief risk officer for a central bank, and she was saying basically that she kind of believes that their organization in many ways is turning into third party managers, right? Because they rely so much on third parties for their operational components. So, it's just a bigger lens. So, now I'd like to actually just wrap up with one thing about all your different stakeholders, right? There are so many people involved. I mean, it's one of the most cross-functional things that you can do as an organization, and you have clients in 150 countries, right? Not to mention the number of clients. So, how do you keep people informed? I mean, maybe why don't we start with your, you know, C-suite and board members. I think that there's more awareness of third party risk, but, you know, how would you keep them informed about what this is all about and how things are changing?
David Dunn: So, as I mentioned earlier, you know, we think about the enterprise risk overall program as having a number of domains. Third party is part of our operational risk category. We have a number of routines that occur on a monthly basis at various levels of the organization that ultimately roll up to the CEO and the leadership team on a quarterly basis. So we are keeping them engaged as part of a normal enterprise risk committee routine, which is a precursor to our quarterly board meetings. So there's always a standing section within my enterprise risk management report that looks at all of the domains, and then we decompose some of the more critical components of that. So, for example, in operational risk we've got third-party management, but we also talk about data management, we talk about change management, etc. So there is good dialogue, it's repeatable. We're standardizing our reporting around it so that they get comfortable seeing the language and the vocabulary. I think half the battle sometimes is making sure that we're really speaking the same language. And that comes from defining terms. Don't assume we all mean the same thing when we say the same thing. And then it's sort of that muscle memory of, yep, these are things you're going to hear from me on a regular basis. And then, as we move forward, expanding what that content is, because we're not quite to where I would like it to be. I think there are a few more things that we should be talking about, where it's happening maybe on the shop floor, but I want to make sure that there's board awareness as well. But it's really about building routines, and making sure that, you know, if there are changes, we have a very formal change process for our policies and our standards. There's a communication component and a training component. And then that gets baked into our enforcement process, which is about how we monitor and make sure that people are actually following the rules that we've laid out for them. It's a lot of work, but it's essential. It's essential to make sure that everyone's pulling in the same direction every day.
Linda Tuck Chapman: Well, that says some very important things. Certainly the taxonomy. In many organizations I've worked with, different departments call the same thing by different names. And also this notion of muscle memory, right? By bringing it back, because your board members very often work for other large organizations, or they're on other boards. They're not going to hear the same use of terms, right? So it's very, very important to recognize that even at the board level, they need to have the right support in order to be able to do their job. So anyhow, we are at time. I can't begin to tell you how delighted I am to have had you, David. You have just been phenomenal. So once again, this is David Dunn, who is the chief risk officer at FIS, a fantastic company, and fantastic advice today. Thank you so very much.
David Dunn: Thank you very much. It was great being here.