An Important Week In Third Party Risk Management

It’s been an exciting week in the 3rd party oversight arena, first with the OCC’s revised third party guidance released on October 31st and then, on November 7th, the formal release of the latest PCI DSS, version 3.0. As expected, both the OCC’s guidance and the latest PCI data security standard release will have a significant impact on third party security related governance, process, and evaluation, and that’s a very good thing. And as we’ve said before updates to both releases – at a high level – are designed to move the industry toward a much more purposeful focus on third party risks and security related process (including governance) and assuredness. Said another way, in terms of the Shared Assessments Vendor Risk Management Maturity Model, the OCC is pushing the industry to levels 4 and 5 performance.

The OCC’s updated guidance contains newly enhanced prescriptive guidance on the roles and responsibilities of three bank cohort groups (the board of directors, bank senior management, and bank employees who directly manage third party relationships – see Appendix. It’s worth focusing here on Board responsibilities for two reasons: first, the depth of roles as defined by the OCC for this activity is unusual, giving the board of directors in practice an ongoing management role at a level not previously seen, and second, because it would seem in today’s climate that boards would be unwise to “delegate” these responsibilities to senior management even in part, which might have been common at another time. The OCC is clearly trying to influence “tone at the top,” which is essential if the industry is to make step function strides in third party risk management.

Three board level responsibilities are particularly interesting, and let’s digest them one by one. First, the new guidance requires that boards review summaries of due diligence results and management’s recommendations to use third parties that involve critical bank activities. For third parties supporting those critical bank activities, boards will need to understand what management found when reviewing the third party’s hygiene in all relevant respects, as well as the economic and practical case for outsourcing those activities in the first place. That’s critical for the board to have the information required to approve these contracts, which is also a requirement. That process should lead to less rubber-stamping of management requests.

The new guidance also emphasizes the ongoing nature of third party due diligence, with the pace of periodic review intervals tied to the relative risk of the outsourced activity. Senior management is responsible for evaluating the results of those ongoing reviews with the board on an ongoing basis, thereby keeping the board focused on the relative risk associated with those critical activities and the company’s effectiveness in mitigating those risks.

And perhaps the most striking responsibility of them all is the expectation that boards will review the results of periodic and newly prescribed independent reviews of the bank’s third-party risk management process. The OCC now expects that banks will initiate regular third party reviews of their own third party risk management process, with board level review, and that is an enormously significant obligation. This new provision takes third party risk related full circle at the board level, anticipating external reviews of this critical risk mitigation activity, presumably even incorporating the board’s effectiveness in this revised role.
For years the industry has done a good job describing the characteristics of a properly functioning, mature corporate risk control environment (for example COSO Integrated Risk Management, COBIT, and others). With the latest OCC guidance, the industry should – at last – move at a much faster pace toward vendor risk management proficiency.

Appendix

OCC’s Third Party Relationship Roles and Responsibilities
OCC’s Third Party Relationships Guidance, October 30, 2013

Board of Directors

1. Ensure an effective process is in place to manage risks related to third-party relationships in a manner consistent with the bank’s strategic goals, organizational objectives, and risk appetite.
2. Approve the bank’s risk-based policies that govern the third-party risk management process and identify critical activities.
3. Review and approve management plans for using third parties that involve critical activities.
4. Review summary of due diligence results and management’s recommendations to use third parties that involve critical activities.
5. Approve contracts with third parties that involve critical activities.
6. Review the results of management’s ongoing monitoring of third-party relationships involving critical activities.
7. Ensure management takes appropriate actions to remedy significant deterioration in performance or address changing risks or material issues identified through ongoing monitoring.
8. Review results of periodic independent reviews of the bank’s third-party risk management process.

Senior Bank Management

• Develop and implement the bank’s third-party risk management process.
• Establish the bank’s risk-based policies to govern the third-party risk management process.
• Develop plans for engaging third parties, identify those that involve critical activities, and present plans to the board when critical activities are involved.
• Ensure appropriate due diligence is conducted on potential third parties and present results to the board when making recommendations to use third parties that involve critical activities.
• Review and approve contracts with third parties. Board approval should be obtained for contracts that involve critical activities.
• Ensure ongoing monitoring of third parties, respond to issues when identified, and escalate significant issues to the board.
• Ensure appropriate documentation and reporting throughout the life cycle for all third-party relationships.
• Ensure periodic independent reviews of third-party relationships that involve critical activities and of the bank’s third-party risk management process. Analyze the results, take appropriate actions, and report results to the board.
• Hold accountable the bank employees within business lines or functions who manage direct relationships with third parties.
• Terminate arrangements with third parties that do not meet expectations or no longer align with the bank’s strategic goals, objectives, or risk appetite.
• Oversee enterprise-wide risk management and reporting of third-party relationships.

Bank Employees Who Directly Manage Third-Party Relationships

• Conduct due diligence of third parties and report results to senior management.
• Ensure that third parties comply with the bank’s policies and reporting requirements.
• Perform ongoing monitoring of third parties and ensure compliance with contract terms and service-level agreements.
• Ensure the bank or the third party addresses any issues identified.
• Escalate significant issues to senior management.
• Notify the third party of significant operational issues at the bank that may affect the third party.
• Ensure that the bank has regularly tested controls in place to manage risks associated with third-party relationships.
• Ensure that third parties regularly test and implement agreed-upon remediation when issues arise.
• Maintain appropriate documentation throughout the life cycle.
• Respond to material weaknesses identified by independent reviews.
• Recommend termination of arrangements with third parties that do not meet expectations or no longer align with the bank’s strategic goals, objectives, or risk appetite.

For more than 35 years, Santa Fe Group Senior Consultant, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.