While proactive operational risk management is essential to risk mitigation and business continuity planning, it nonetheless cannot eliminate risk. Rather, the growth in reliance on Third Party Service Providers and their Subcontractors and sub-outsourcers for Critical Dependencies increases the probability that over time a Critical Incident will occur. This necessitates a proactive approach to Incident Management applicable across the range of your Critical Dependencies.

Current regulations and virtually all contracts between Financial Institutions and Third Party Service Providers require prompt notice of Incidents like service disruptions and cybersecurity events, yet few formal processes (and even fewer specialized platforms) between Financial Institutions and Third Party Service Providers exist. This challenge is further complicated by possible chains of Subcontractor and sub-outsourcer relationships.  CRINCIDENTS helps Financial Institutions and their Third Party Service Providers proactively manage incidents like service disruptions and cybersecurity events and mitigate the risks of Incidents on the Financial Institution and its customers. Building upon the mapping enabled by the CRINRISK module, CRINCIDENTS allows Financial Institutions and their Service Providers to more quickly and efficiently identify and communicate potential risk events.  The CRINCIDENTS communications platform accommodates both bilateral and one-to-many relationships in a secure, straightforward manner. Pre-validated company contacts avoid risks of human error or lost-time when a low probability event occurs.

The CRINCIDENTS module enables you to promptly execute communications with a designated audit trail, including when a Service Provider’s primary application or operations are experiencing disruptions. CRINCIDENTS also anticipates evolving regulatory notification requirements, including pre-populating content for—and where allowed—delivering time-sensitive notifications to regulators or other competent authorities.

Operational risk management requires active monitoring and vigilance throughout the lifecycle of a counterparty relationship.  Over the course of that lifecycle, contract parties will update their contracts or service level agreements or provide notices requiring acknowledgements from the recipient or may wish to transmit specific sensitive information. CRINSEAL enables these functions, all within the context of your CRINDATA risk and incident management platforms.

Streamline the time consuming re-requesting, tracking, and collecting legal, contractual, and regulatory notices and documents (contract amendments, insurance documents, regulatory notices, commitments for counterpart disclosures). Powered by DocuSign® and integrated into the CRINRISK and CRINCIDENTS solutions, CRINSEAL (secure, encrypted, GDPR and CCPA-compliant SaaS) sends, tracks, reminds, notifies counterparties, receives, and collects documents .  You choose whether to incorporate countersigned or acknowledged files within your CRINRISK counterparty documentation, a record of transmission related to a specific CRINCIDENTS occurrence, or integrate with your broader contract management systems. 

• One-to-many capability:  Hundreds or thousands of counterparties to which you might need to send a single notice?  CRINSEAL securely handles and unlimited number of documents and counterparties. 

• Do you need signatures or just proof of delivery and review?  CRINSEAL is customizable to your needs, whether that is signature collection, evidence of delivery, or both, in all cases with easy oversight of the process and evolving status.

• Do you prefer to separate your risk and incident management systems from your document collection and tracking systems, or have even broader needs for a trusted electronic signature capability? CRINSEAL operates as an CRINDATA-integrated or distinct solution with common or distinct user groups and rights.   

• Are your systems to send and collect critical information as secure as you wish them to be? For example, in the context of an operational incident, you might need on an exceptional basis to disclose to your counterparty aspects of the impacts, or details of affected persons.  CRINSEAL operates on the internationally-respected GDPR and CCPA-compliant DocuSign® backbone. 

In today’s complex world of internal operations infrastructure and consumer interactions, almost all financial institutions increasingly rely on Third Party Service Providers (and their Subcontractors or Sub-outsourcers) to provide or support Critical Dependencies. Relevant Service Providers could be software for core banking or risk mitigation functions, fintechs providing supplemental services or a new portals for customer services, administrative functions by an affiliate or holding company, or white-labeled products or services operated by another entity. In all these cases, the Financial Institution is solely responsible for understanding and managing the risks of relying on external Service Providers, with enhanced expectations for “Critical” relationships and activities.

Critical Dependencies are financial institution products, services, and systems the disruption of which could limit or materially disrupt (even for a limited time) the institution’s ability to: (1) serve a material number of customers, (2) carry out material banking operations, or (3) earn revenue or profit. Additionally, Critical Dependencies include systems the failure of which could (4) expose consumer data or other confidential information held by or on behalf of the Financial Institution. 

A particular challenge for many financial institutions derives from the evolving reliance of Third Party Service Providers on further Subcontractors or Sub-outsourcers. The movement to cloud-based solutions in particular often involves not only the contracted Service Provider but other “fourth parties” that materially enable this solution.  Chain Risk is the risk that a service disruption or cybersecurity event at a Subcontractor or Sub-outsourcer will adversely affect the Third Party’s ability to deliver services deemed critical by the Financial Institution. Outsourcing or sub-outsourcing that ultimately creates common dependencies should be identified and evaluated as a potential concentration risk for the Financial Institution and/or its service providers.

CRINRISK helps Financial Institutions and their Third Party Service Providers identify, map and mitigate risks in their Critical Dependencies—proactively throughout the entire life cycle of the third party relationship. CRINRISK incorporates industry best practices with respect to maintaining current data and documentation relevant to critical relationships, while allowing customers to prioritize the elements most relevant to their risk evaluation and mitigation.

CRINSIGHTS are the Critical Insights and proactive alerts derived from monitoring and data analysis or risk indicia; against the background of regulatory requirements and best practices; and straightforward reporting tailored to the targeted recipients.

The CRINDATA platform actively monitors the full range of Service Provider relationships, including Subcontractors and sub-outsourcers. Third party data sources are monitored to identify elements (i) relevant to a CRINRISK risk profile, for example, mergers and acquisitions or other potential change in ownership, control, or location of services or data; or aspects of negative news; and (ii) relevant to market awareness of a potential incident or vulnerability prior to specific notice being delivered by a contractual counterpart. CRINDATA also draws upon its direct relationships with service providers to validate, and avoid inconsistency, errors or outdated information.

The CRINDATA team also keeps abreast of changing regulatory requirements, guidance, best practices, and notification obligations. A Knowledge Database is made available to CRINDATA customers to direct them to original source materials, facilitated by an automated decision-tree that suggests likely applicable regulatory expectations in light of the entity’s corporate and licensing profile and the circumstances of an incident. When a low probability, Critical Incident occurs, it is too late to begin educating oneself about the implications. Tailored guideposts and summaries complement your business continuity efforts.

The CRINDATA platform allows you to readily generate reports and locate the information you need across the lifecycle of risk management in Third Party Critical Relationships. The reporting templates and functions support the responsible managers in day-to-day operations, and in evaluating trends and patterns over time. CRINSIGHTS also generates the information relevant to executive management and the regulatory expectations for board of director oversight of Third Party Service Provider risk mitigation.