Third-Party Risk Management: More Than Just a Regulatory Obligation
A Third-Party Vendor Management Strategy to Protect Your Bottom Line & Brand Reputation
For many businesses, the significant benefits of outsourcing have led to a growing reliance on third-party relationships that only expand in sophistication and complexity. As a result, the risk and cost of managing third parties have escalated dramatically over the past few years. For financial services in particular, sweeping regulatory reforms have accelerated the maturity of third-party risk programs ahead of other highly regulated industries.
Despite the OCC, Fed, CFPB, FDIC, and other governing bodies offering high-level guidance for effective third-party risk management, the lack of industry-wide best practices for meeting their standards has left many financial services firms scrambling to interpret the requirements and put programs in place to meet them. As regulatory oversight continues to evolve and the learning curve to define best practices remains steep, one thing is certain – risk management is no longer a box-checking exercise.
The Onset of OCC Regulations for Third-Party Risk Management
The release of the Office of the Comptroller of the Currency (OCC) Bulletin 2013-29 was the first step towards formalizing risk management practices for third-party providers, spelling out for banks that “the use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.”
In addition, the OCC bulletin cemented that a thorough risk assessment requires evaluation of the third party’s financial condition, meaning reviews of the third party’s audited financial statements. While the OCC’s guidance in other sections is less prescriptive, the Financial Condition section clearly describes the process for assessing financial health to include evaluation of “growth, earnings … and other factors that may affect the third party’s overall financial stability. Depending on the significance of the third-party relationship, the bank’s analysis may be as comprehensive as if extending credit to the third party.”
Highlights of OCC Bulletin 2013-29 include an outline of the third-party risk management life cycle, whose phases include:
Planning
“Before entering into a third-party relationship, senior management should develop a plan to manage the relationship…[which] should be commensurate with the level of risk and complexity of the third-party relationship.”
Due Diligence and Third-Party Selection
“A bank should conduct…an objective, in-depth assessment of the third party’s ability to perform the activity in compliance with all applicable laws and regulations and in a safe and sound manner.”
Contract Negotiation
“Once the bank selects a third party, management should negotiate a contract that clearly specifies the rights and responsibilities of each party to the contract…[and] should review existing contracts periodically.”
Ongoing Monitoring
“After entering into a contract with a third party, bank management should dedicate sufficient staff with the necessary expertise, authority, and accountability to oversee and monitor the third party commensurate with the level of risk and complexity of the relationship.”
Oversight and Accountability
“The bank’s board of directors (or a board committee) and senior management are responsible for overseeing the bank’s overall risk management processes.”
If protecting their bottom lines and brand reputation isn’t motivation enough for banks to adopt best practices when it comes to risk management, the OCC’s in-depth requirements certainly are.
Financial Institutions’ Progress So Far in Vendor Risk Management
Since the OCC’s 2013 release, financial institutions have made significant progress, especially when compared to their insurance and asset management counterparts. Banks have shown a greater focus on third-party risk assessment, with a significant increase in the number that require all third parties to undergo some form of risk assessment. Moreover, this risk assessment is stretching past just the pre-contract phase, not only satisfying compliance regulations, but also increasing operational efficiency and profitability, maintaining business continuity, and protecting brand reputation.
Organizations are moving away from the basic “high,” “medium,” and “low” risk classification and taking a more comprehensive approach to identify and categorize potential risks. Most are diving deeper by not only maintaining a list of critical third parties who could have the greatest impact on their bottom line, but also keeping tabs on their fourth party relationships. Some are even enlisting the help of their third parties to manage and evaluate fourth parties through controls or contractual terms.
Financial institutions are recognizing that the data, and the subsequent analysis, necessary to maintain a strong third-party risk management process require technology: the consistency, repeatability, and scalability that the OCC expects can’t be achieved without it. This is why they’re investing heavily in risk management tools and technology to help streamline processes and increase efficiency.
Third-Party Risk Management Pain Points
While the progress banks have made is commendable, there is still plenty of room to grow. It’s clear that banks are struggling with oversight and governance of their third-party risk management programs. The OCC clearly outlines that the bank’s board of directors and senior management are responsible for risk management oversight, yet a majority do not report emerging risks or incidents involving third parties to their board of directors. Additionally, even though they are increasing investment in technology, banks still complain about the degree and success of tool integration in their third-party risk management processes, which jeopardizes the accuracy of their programs. Banks that are struggling with these particular pain points are only putting themselves at risk at the very moment they’re trying to manage it.
It’s no surprise that oversight and accuracy are at the heart of financial institutions’ struggles with third-party risk management, simply because of the vast size and scope of their third-party relationships. Conducting thorough evaluations for so many different third parties across so many different business areas and functions is no easy feat, particularly when the necessary information isn’t immediately available. These evaluations need to be consistent and accurate, especially to avoid too many false positives, making the third-party risk management process even more complex and time-consuming.
Evaluating Financial Health for Vendor Risk Assessments
One of the first steps towards developing third-party risk management best practices is obtaining the right tools, and when it comes to risk data and analytics, there’s no shortage of available technology for a company. However, how does a company decide which tools to use? What’s the best use of the data that’s available? What type of data should companies even be focusing on? It might not be the only risk control area for all third-party risk, but financial health is certainly the right place to start. Understanding the financial health of a third or fourth party helps assess its financial viability and resiliency, enabling financial institutions to identify that particular company’s level of risk. This simple starting point facilitates the rest of the risk management process, empowering professionals to make appropriate decisions commensurate with a third or fourth party’s level of risk.
Using financial health as a Key Risk Indicator (KRI) is important for a variety of reasons. The OCC Bulletin states that assessing financial condition is a requirement of every third-party risk management program, so it is a regulatory requirement in its own right. However, it is also imperative to build a program using a consistent measurement to evaluate various types of third and fourth parties, including both publicly and privately held ones. Assessing the financial health and stability of third parties provides a pulse on each supplier, vendor, counterparty, or business partner relied upon for business continuity.
While financial institutions have many teams of professionals who can create individual financial models, third-party risk management requires consistent and accurate metrics to evaluate financial health quickly. Any successful program must have the ability to scale without the need for additional headcount. This is why it is necessary to have the right data and tools to provide the baseline for an effective and efficient third-party risk management program. The most useful data should also come in a variety of formats – easy-to-read and insightful reports on financial health that can be presented to senior management and board members, Excel downloads to manipulate an entire portfolio of data, or the ability to simply incorporate metrics into your existing workflow and systems through an API.
Full Whitepaper: Third-Party Risk Management - More Than Just A Regulatory Obligation