Broadened Regulatory Guidance
Recent regulatory guidance from multiple agencies is creating a focus on the need for broader risk management practices in the areas of operational risk of third-party service providers. Information Technology or Security controls provide a more black and white approach to compliance, while operational risk can feel more in the grey zone based on the scope and risk level. Building operational risk into your existing third-party or vendor risk management process is a key component to developing the holistic approach the regulators expect.
Almost every banking organization uses third-party vendors today to help accomplish their goals and objectives cost effectively. The presence of third-party vendors within financial institutions began with technology service providers. Now, outsourcing touches nearly all aspects of a financial institution’s business, from branch operations to marketing and web management. The OCC recently updated guidance on oversight of third-party risk in service provider relationships.
While the OCC has oversight for nationally chartered institutions, the guidance outlines the alignment to the expectations for community banking organizations to adopt a risk-based approach to adapt the principles in this guidance. Although a financial institution may successfully manage third-party relationships, it has much less control over vendor accountability – particularly when it comes to operational business or reputation risks. Your service provider is acting on your behalf, whether the regulatory driver is business continuity, information security, IT operations, consumer protection or direct marketing. As such, that vendor and its controls need to be integrated into your organization’s internal risk and compliance assessment.
Structuring and maintaining an ongoing vendor management program requires integration of multiple regulatory and risk drivers. In today’s market, vendors are a critical part of your overall security and risk assessment. Your organization should not only audit and review vendors objectively, but also look at ways in which the business partnership can help you meet the industry’s risk management expectations.
The Risk and Vendor Management Lifecycle
Most vendor management efforts focus on due diligence at vendor selection or during merger and acquisition efforts. However, effective vendor oversight requires ongoing due diligence for existing providers to adjust for changing market and organizational risks.
Regulatory expectations are focusing on the risk or vendor management lifecycle – building processes for each stage: planning, due diligence and selection; on-boarding of requirements; continuous monitoring; termination or off-boarding. The driver is to demonstrate more oversight of the lifecycle functions in how they are governed, with an assessment of process maturity.
Best Practice Focus Areas
Current market compliance trends show the uptick in compliance oversight across product lines. Organizations need to risk assess their offerings to see if they have triggered new compliance obligations or risk for consumer protection or Unfair and Deceptive and Abusive Practices (UDAAP). This requires an expansion of traditional “vendor risk” programs to address the non-IT activities that are more related to business processes and sales practices.
Documentation and Reporting
- Identify your key third-party relationships that are not “IT” but have critical business functions.
- Prioritize their function to your key performance indicators.
- Establish a formal program with metrics, management reporting and service level agreements.
- Identify your key compliance risk areas that need enhanced oversight based on what functions are outsourced.
- Monitor your internal metrics and external reporting messages to demonstrate the shifts in risk focus areas to identify new trends
- Define a strategy to expand management reporting for broader compliance topics than IT controls.
- Assess what metrics work for your business to help you tell the compliance story.
Oversight and Accountability
- Define in your organization’s accountability for operational risk.
- Partner with internal technology or sourcing teams to classify third-party relationships based on risk that includes consumer protection and operational risk.
- Expand your traditional program to include operational risk with revised metrics, management reporting and service level agreements.
- Identify your key compliance risk areas that need enhanced oversight for consumer protection or operational risk, and prepare for governance audits
- Integrate operational risk and consumer protection into management and board reporting.
- Establish stage gate processes to address compliance risk with a focus on business enablement.
Independent Reviews
- Define your organization’s ability to conduct independent reviews and for what risk focus areas.
- Analyze artifacts from any external assurance sources of your third party provider.
- Leverage vendor risk artifacts or testing results in your internal assessment preparation.
- Identify your key compliance risk areas that need enhanced oversight.
To ensure effective, consistent oversight, your vendor management policy and governance framework should identify how you will inventory your vendors, the measures you will use to assess the activities they perform and the risk criteria you will apply to evaluate their controls.
The Maturity of Your Processes
Effective third-party assurance does not need to be overly complex, but should be repeatable, adaptable and formalized. For example:
- Establish risk-based criteria that define the level of oversight. Not all vendors need to follow the same standards. Criteria are based on risks, vendor work function and the data to which the vendor has access. Develop criteria for the kind of oversight required for each vendor function. Prioritize higher risk functions, or those with accountholder interaction.
- Develop a vendor lifecycle approach. Risks change as do your vendors. Establish criteria for when to review your organization’s vendor controls, such as accessibility or reporting. Be able to justify how often you evaluate a vendor and establish trigger events that require an updated vendor review. Implement processes for each phase of a vendor lifecycle.
- Structure and review compliance documentation. Request independent audit results or monitoring where available. Develop a checklist for the documentation that you require annually and the documentation that should be provided upon request. Define your baseline of what you need from the service provider to attest to their controls.
- Conduct lessons-learned reviews. Evaluate your toolset, track results from vendor reviews and update your vendor management program. Ensure you define and document any exception process to your vendor management program’s standards.
- Address contract provisions. Define contract changes for operational risk and address contract provisions as market risks adjust, regulations evolve or service vendors change. Ensure your organizational roles define responsibilities and keep contracts updated.
Linnea Solem is the Chair of the Shared Assessments Program and is the Chief Privacy Officer and Director of Business Risk & Privacy Management for Deluxe Corporation. Linnea is a management professional with 20+ years financial services experience in areas eCommerce, technology, business development, marketing, information practices and risk management .She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation.
Reposted with permission from Forward Banker