The need for community banks to be particularly attentive to third party risks was underscored yesterday in a speech by the Controller of the Currency’s Thomas Curry. Smaller institutions tend to be more dependent on third parties for IT services. Curry noted that reliance on third parties for IT services can be “particularly problematic for community banks and thrifts that may not have the resources or specialized expertise to identify and mitigate” third party risks.
Unfortunately, the supervision of technology service providers by regulators provides limited relief for banks’ third party risk management efforts. While federal regulators have the authority to examine a category technology vendors, Curry stressed that their supervision “does not take the place of due diligence or ongoing monitoring commensurate with the level of risk and complexity of the arrangement.”
Fortunately, the Shared Assessments Program is well suited to help smaller institutions address their third party due diligence requirements. Shared Assessments Tools and implementation best practices have been under continuous development and refinement since 2005. IT security, privacy and many other risk professionals have contributed their knowledge and expertise in the area of third party risk assessment and management to the Program since its inception. These same professionals keep the Program’s Tools and training current with yearly updates and frequent workshops on current third party risk threats and trends.
Shared Assessments’ robust set of tools and training provides the perfect solution for institutions that do not have the resources to develop and maintain a comprehensive third party risk program. Rather than try to develop and maintain third party questionnaires and onsite assessment procedures, smaller institutions can leverage the expertise and best practices that has been (and continues to be) put into the Shared Assessments Tools for use in their own third party risk programs.
Smaller institutions do not have to go it alone. By joining the Shared Assessments Program they have access to current third party risk management best practices and a network of risk professionals eager to share their experience in addressing third party risks.
Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships. Follow Brad on Twitter at @sfgbrad or on LinkedIn.