Part II in a four-part series
As I outlined in part one of this four-part blog series, Regulators' Expectations for Third Party Risk Management, organizations need to deploy a risk-based approach when developing their third party oversight program. Today, I want to explore how organizations can structure governance and oversight programs for each phase of the third party relationship lifecycle.
Building a relationship with a third party service provider, especially one to which your organization may be outsourcing a key service or function, is not a one-dimensional task but a multi-faceted strategy to meet current market expectations. The Office of the Comptroller of the Currency (OCC) set the bar on establishing a lifecycle approach with its updated guidance on managing risk in third party relationships. A differentiator in that guidance was the expanded accountability for senior management to be directly involved in assessing the process for selecting and implementing new third party relationships. For relationships defined as critical to a financial institution, senior management must also engage the Board of Directors to formalize such relationships.
Financial organizations of all sizes have different processes and approval mechanisms for engaging senior management, audit committees, and Boards of Directors. The starting point is the planning phase, when a change in a third party relationship is being considered. I call it the "4 P's" of the third party proposal process.
The 4 P’s of Third Party Risk
When initiating a new third party relationship, changing an existing third party relationship, or outsourcing a new function, there are different steps to take in the pre-assessment phase of defining requirements. The regulatory landscape today requires a more thoughtful and strategic approach to ensure that management has properly assessed and understands the risks involved, and has aligned the third party RFP or selection process to the organization's requirements.
- Planning: During the planning phase of third party selection, it is important to identify the stakeholders who need to be involved in the selection process. Identify the subject matter professionals who need to define the business and technical requirements.
- Preparation: Determine what steps and what type of due diligence must be performed to address the risks of the relationship. Establish in the business case the resources needed for the selection process, and the direct and indirect costs of making a change.
- Process: Typically the business lines drive the need for a change in service delivery that requires a third party relationship. Identify the internal committees or governance structures that must authorize, or require information on, a change in a third party relationship. Understand any stage-gate triggers up front in your planning process so that you perform adequate due diligence and account for the timelines needed in the approval process.
- Performance Criteria: Prior to initiating the due diligence, establish your critical success factors and key relationship performance indicators for how you will evaluate the selection decisions. This can become a balancing act, and you can avoid conflicts among competing influences if you have engaged stakeholders up front in the process.
Due Diligence & Third Party Engagement
During due diligence and onboarding, you establish the required due diligence based on the type of service and the level of risk in the relationship. The due diligence process may involve unique areas of accountability within your organization, and also within the service provider. The due diligence needed to assess Information Protection, Service Continuity, or Regulatory Compliance may be quite different for each. Each function may require different risk assessment activities within your organization, and involve different subject matter professionals at the third party service provider.
- Governance: Establish the linkages to your own internal governance processes for the key risk areas of information protection, service continuity, and regulatory compliance. Each of those functions may have different organizational governance mechanisms for approvals, or specific needs to be met.
- Oversight: By engaging the stakeholders early on, you can ensure alignment to their critical requirements and avoid roadblocks in contract negotiation. A lack of involvement up front can create a "due diligence loop" in which the business line has to keep going back for more information, or repeat the risk assessment process with other functional areas.
Contract Negotiation & Structures
Regulatory guidance on what contract terms, conditions, and requirements are expected has quickly advanced the maturity of the contracting process. While it is important to align the third party contract to regulatory expectations, don't try a one-size-fits-all approach. Different types of third party relationships will trigger different sets of terms, conditions, or requirements. As contract expectations evolve, more internal education is needed on how the due diligence process works. Right-to-audit provisions and oversight of fourth party subcontracting are familiar risk processes to the risk and third party assurance teams, but they are not processes that Legal teams typically engage in at an operational level.
When building out the contract structures for different types of third party relationships, consider the resources and management required on a go-forward basis. There are pros and cons to the "Master Services Agreement", which may help minimize the number of contracts in place, but in most cases the specific operational requirements are not known at engagement. The structure of the contract, or of the statements of work, should help you break out the contract's obligations into the "what" and the "how". Knowing that the "how" can change during the third party lifecycle, address the change management process with resources and administrative complexity in mind. Define up front the approval or oversight process, and the stakeholders who need to approve changes in the third party relationship after the contract is finalized.
Ongoing Relationship Monitoring
The most thorough due diligence is conducted in the initiation stage of the third party relationship. However, today's expectations require ongoing monitoring. This is often confused with "vendor management", which tends to be the operational oversight of day-to-day operations by the lines of business. Vendor management functions are critical to ensuring that business needs and key performance indicators are met, but they may not be the primary mechanism for ongoing monitoring of third party risks.
Separation of duties and independence of the risk management function for third party oversight are the primary facets of the governance and oversight of third party risk. Financial institutions should define and set expectations, internally and with their third party service providers, for the frequency (annual, bi-annual, or otherwise) of updating due diligence and of providing artifacts or evidence to meet contractual obligations.
Establish third party scorecards, dashboards, and internal reports to management for key third party relationships. Senior management has an ongoing risk obligation to ensure that the relationship risks are being managed. This may involve linkages to changes in corporate governance policies, including periodic reviews of the organization's Third Party Risk Management process.
Change Management, Exit Strategies & Disengagement
Third party relationships can change or evolve during the term of the agreement. Both internal and external events can trigger changes to the contract or to the due diligence process. Based on recent guidance, financial organizations need to build more thorough strategies into the contracting process regarding the roles and responsibilities at the end of the relationship, including costs and support in the off-boarding process.
Managing and negotiating these terms can't be a one-sided debate: a mutual third party relationship is in place, which requires agreement on how the parties disengage in a way that satisfies the terms of the agreement and the reason for termination. A change management process for negotiating the terms of disengagement, the return of data, and which third party risk obligations survive the current term needs to be considered up front, not just at relationship end.
Defining the organizational structures and oversight programs for third party risk has become a collaborative effort between lines of business, risk management, and assurance functions in both financial institutions and service providers. Managing agreement to changes in third party subcontracting (fourth party risk), and how to leverage external assurance strategies, is the next topic in this series.
Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices, and risk management. She is a Certified Information Privacy Professional and led Deluxe's compliance initiatives for Y2K, GLB, Check 21, and Red Flags legislation. You can connect with Linnea on LinkedIn.
Reposted with permission from Deluxe Blogs