Message from our CEO… For the past seven-plus years I have had the privilege to work with Linnea within our relationship with the Shared Assessments Organization that sets the standards for Third Party Vendor Risk Management. Over the years, Linnea has been invaluable to us at Copytalk for her guidance and wealth of knowledge within this space. We are very grateful to her for sharing her expertise.
Our economy is becoming more global and digital, creating an interconnected ecosystem that changes how jobs are structured and how employees interact with their employers and customers. Mobile, Social Media, IoT, and digital data disruption are now commonplace. Virtual Assistants listen and wait for simple commands. Virtual Agents leverage artificial intelligence to replace human contact center workers for routine transactions. Research firms have predicted an uptick in the pace of technology blending the use of AI and human interactions. However, a recent article by technology research firm Gartner conveyed that executives today need to set realistic expectations on how to manage customer service technology innovation.
As technology evolves, our perspective on traditional roles for customer service and telephony-based services is morphing. Third party technology service providers are providing more sophisticated vendor-based staffing models, acting as an extension of organizations within the financial services industry. Often, financial pressures have created competing staffing models for transcription services, primarily from offshore providers or at-home transcription services. Financial institutions that rely on transcription services to enable their customer interactions need to rely on trust and validation of controls with their transcription services partners. Regulated banking organizations can’t outsource accountability.
As a risk professional, managing compliance, privacy and security in a transcription facility environment has always created challenges when assessing third party risk. When transcriptionist roles shift to offshore-based workers or at-home workers, managing risk and compliance is challenging. Conducting third party risk assessments in these virtual environments can be challenging, cost prohibitive and resource intensive.
Assessing the process, accuracy, and quality of transcription services requires an end-to-end view of their entire process and vendor risk management protocols. Risk professionals need to conduct due diligence and control assessments from not only a remote environment, but one where cultural differences and geopolitical risks may be added to the equation.
The benefits of remote transcription workers have focused on the decreased costs due to low overhead, the ability to leverage time zones, and providing flexible hours to workers. Those benefits create tradeoffs with risk management that need to be considered over the long term. Remote agents are more difficult to manage from an employee monitoring perspective, and oversight functions can be complicated since remote workers may be independent contractors and not employees of the third party provider. Managing the use of personal equipment, providing training and development, and deploying information security controls are more challenging in a remote environment.
While automated speech-to-text transcription services may be useful for simple transactions, more complex transactions, like those involved in investment or trading services, require stronger governance controls. The SEC Office of Compliance Inspections and Examinations released their 2019 examination priorities based on the results of performing over 3150 exams in 2018, up 10% from the prior year. These results included 300 exams of broker-dealers that cover 156,000 branch offices across the country. Focus topics highlighted that operations are becoming more complex, diverse, and interconnected. Vendor risk management, security patching, cybersecurity, and insufficient policies/procedures continue to be focus areas for compliance.
Vendor management risk for transcription services is not simply about security or technology. Accuracy of transcripts, inaudible recordings, agent fluency in financial terminology, and the ability to interpret the nuance of speech all factor into the overall business case evaluation of outsourcing functions related to third party transcription services. When financial institutions or advisors dictate client-meeting notes directly onto platforms, dashboards, and CRMs, accuracy and integrity in the delivery of services is critical to managing risk and compliance factors.
Within third party risk management programs, organizations are required to establish a vendor risk management policy and standards for due diligence based on the risks involved in outsourcing specific functions. When considering using a third party transcription services company, consider these factors to frame the context of the business case and establish your due diligence assurance requirements:
- If the provider is offshore, does your Third Party Risk Management Program have the capability to conduct an independent and periodic onsite audit of the locations delivering the services?
- If the provider’s workers are primarily remote, how will you gain assurance on not only the implementation of controls but the oversight functions to address compliance obligations?
- What types of due diligence artifacts or evidence of controls, including testing, are required based on the compliance obligations of the services being provided?
- Do you have documented policies and procedures that define the expectations for the use of third party transcription services?
Linnea Solem is President and Founder of Solem Risk Partners, LLC, a management consulting and advisory services company focused on Third Party Risk Governance, Privacy Program Management, and Enterprise Risk Management. She is a management consulting executive and retired Chief Privacy Officer and Vice President Risk/Compliance at Deluxe Corporation. She has a cross-functional background with 29 years of experience working in regulated industries and 20+ years of experience working with C-Suite expectations for risk management and service provider relationships.