Part I in a series
In less than eighteen months, there has been more industry guidance and updated regulations regarding third party risk than at any other juncture in the evolution of governance within the financial services industry.
Media attention from retailer breaches and enforcement actions by industry regulators have made the oversight of third party risk a top priority for all levels of management within banking organizations. Each regulator has issued its own guidance specific to third party risk management, creating an overlap of requirements depending on the types of services that a financial institution may have outsourced. Developments in payment card security standards have expanded the focus on third party risk management. Common themes have emerged when looking across the various published contract or third party examination expectations.
A common misperception is that there is a vast number of “net-new” requirements, when in fact the recent issuances simply communicate expectations more clearly, aligning third party governance to industry best practices. The focus is less on a specific prescriptive approach and more on describing what practices should be deployed to demonstrate how third party risk is being managed.
These practices will be explored in a series of blogs to share insights on how to mature your third party risk management oversight program to meet the higher threshold expected in today’s market landscape. The themes to be explored include developing a risk-based approach; structuring your governance model; addressing assurance for fourth parties or subcontracting; and assessing contract and audit processes in third party agreements.
STEP 1: Deploy a risk-based approach to third party risk management
Third Party Oversight has evolved since the days of checklist compliance – checking the box on an insurance certificate or receipt of a SAS-70 is a waning memory of simpler times in thinking about third party risk. As the usage of third parties grows across the supply chain, and services become more pervasive with the adoption of new technologies, the approach to identifying, assessing, and mitigating third party risk evolves.
Not all third parties are alike in terms of the type of services they provide to your organization. Commodity suppliers present different risks than technology service providers. Companies that sell or market on behalf of a financial institution may trigger consumer protection risks that are not applicable to service providers that don’t have accountholder interaction.
Third party risk management is not a “one size fits all” approach – the level and type of risk assessments to be performed on a third party are directly related to the scope of work it performs and the type of data or information shared, and may trigger different regulatory compliance obligations based on the type of function performed. A function or process can be outsourced, but the financial institution can’t outsource accountability for information protection, regulatory compliance or service continuity.
Regulators expect organizations to develop a third party risk management program that meets the size and complexity needs of the individual organization. Here are some suggestions as you look to develop or improve your third party risk management program:
- Create a third party dictionary: Retail, Operations, Lines of Business, Sourcing, Information Security, and Legal all define third parties in different ways. Vendors, suppliers, service providers, outsourcing, technology service providers (TSP), and business process outsourcing (BPO) are all examples of types of third party relationship. In large holding company relationships, a third party can even be an affiliate or sister company. Create a common set of defined terms that describe the types of third party relationships that exist within your organization. Make sure that you have alignment on the structure of the types of third party relationships in scope for your program. Don’t overburden a third party with governance requirements that are not applicable to the type of service. Be able to articulate “why” and “how” you defined the types of third party relationships in scope for your risk-based program.
- Assess your own risk factors: Just as not all third parties are alike, not all risks are alike. Governance models can differ based on what risks you are trying to mitigate. Enterprise risk, credit risk, market risk, regulatory risk and operational risk all require different strategies and tactics to identify, assess, and mitigate risk. Within your inventory of third party relationships, identify what types of risk each relationship creates for your organization. The type of risk will influence the level and type of risk management activities that need to be implemented. The complexity of the financial products and services your organization offers directly to accountholders, versus those delivered by third parties, will directly impact the types of risk management controls that may need to be structured. Good contract terms alone can’t take the risk off the table in today’s regulatory landscape.
- Define your Third Party Risk Ladder: A risk-based approach requires a clear strategy for determining low, medium and high risk third party relationships. Based on your Third Party Dictionary and Third Party inventory, define a hierarchy or stratification structure to group your third party relationships. Your highest risk vendors are the top rung of the ladder – the rung that requires the strongest oversight and governance. The number of steps or levels may differ based on your product offering, the types of outsourcing in scope, or your organization’s strategic direction on what is insourced versus outsourced.
- Determine the Depth, Breadth, and Frequency of Third Party Oversight: Build into your third party classification structure what due diligence or oversight activities need to be performed. Create and document your strategy for what level of independent assurance is needed. Regulators expect financial institutions to request due diligence and compliance documentation from third parties – but this is not simply a paper pushing exercise. Define what types of controls need to be in place and how you expect your third parties to meet your expectations. A risk-based approach requires your organization to be able to articulate how you leveraged the information provided by the third party to assess the risk within the organization.
- Practice what you Preach: After structuring your program, think like the examiner and be prepared to defend your decisions. Expectations today are that third party risk programs are adaptable and aligned with the risk management strategies at all levels of your organization. Have your internal teams do a “dry run” or “simulation” of presenting and defending why the inventory and oversight approach meets the needs of the organization. Being confident that you can show how the organization used a risk-minded view to structure the third party program will strengthen your organization’s compliance readiness for inspection.
- Update Your Third Party Report Card: Risks change based on many types of market events. A third party report card is not just about grading a third party – it should reflect the risks being managed. In today’s highly focused landscape there is more accountability on senior management to understand third party risks and how their organization is addressing the oversight expectations. Broaden management reporting to include third party risk, but also highlight the activities and actions put in place. A risk-based approach requires not only governance but adequate resources, skills and capacity to accomplish the third party service provider program expectations. Senior executives and Boards of Directors require more than a risk management report card: they require more formality in providing assurance on third party risk.
Stay tuned for Part II in this series where I’ll explore governance and oversight programs for each phase in the third party relationship life cycle. Adapting third party risk management to third party assurance is a journey for organizations of all sizes.
Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.
Reposted with permission from Deluxe Blogs