Third party risk management practitioners today work in an environment rife with conflicting demands. Mounting pressure for speedy vendor onboarding is occurring in an environment that is facing escalating regulatory requirements, even in industries where in the past regulations have been minimally invasive.
A team of members from two Shared Assessments working groups, Best Practices and Regulatory Compliance, shared their experience in dealing with these issues, and – in particular – documenting best practices for making the case to management for additional TPRM resources. Obtaining the resources needed to build and sustain a strong vendor risk management capability requires a sound business case that is well-aligned with organizational priorities.
The California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) are game-changing relations with wide impact across multiple industries, and financial services companies on both sides of the Atlantic have seen new or revised regulations with tightened focus on resilience during the last quarter of 2019. New third party risk management (TPRM) regulations consistent with the February 2019 European Banking Authority TPRM guidelines are being drafted in the UK and the EU more broadly.
Organizations require both real-time understanding about the impact of emerging regulations and the ability to reliably secure the resources necessary to meet seemingly ever-escalating regulatory requirements. The newly published Shared Assessments white paper, “Meeting Increasing Regulatory Expectations Amid a More Challenging Risk Environment,” provides timely guidance and two tools to help practitioners meet tightened requirements while at the same time maximizing risk management performance and process efficiencies.
The paper identifies three fundamental problems that seem widespread today:
- First, regulatory expectations are not being translated into risk-based operational processes that are responsive at the business level. Business leaders surprised by new vendor risk management steps their teams need to follow are asking managers and executives within their areas of the business to demand an explanation; in turn, these executives ask third party risk management executives why this additional work is necessary.
- Second, many companies are having difficulty satisfying new data privacy requirements that affect vendor relationships. While many companies have been busily adding data security experts to their ranks, data privacy represents a distinct skill set that relatively few organizations outside of the technology, financial services organizations and healthcare industries have traditionally recruited and developed.
- Third, some vendors do not fully understand or are unable to develop the new operational risk processes required to meet new privacy regulations. When new regulations are promulgated, many companies do not understand the extent to which existing vendor relationships should be reviewed to determine where existing contracts require amendment.
The team suggested seven best practices for obtaining additional resources when faced with both new regulatory requirements and pressures to speed up the vendor review and onboarding processes:
- Translate vendor risk management objectives into business goals: While it is important to show how current approaches to vendor risk management are insufficient from industry standards and/or regulatory compliance standpoint, it is even more important to translate this shortcoming into company-specific business terms.
- Early collaboration with key stakeholders is critical to the process: Third party risk management professionals should involve other key internal stakeholders early in the process of building a business case.
- Select a small number of relevant measures: The information vendor risk management groups share with senior management teams, finance executives and business colleagues is typically based on a self-audit that ranks vendors according to their risk profile and measures how well the company evaluates higher-risk vendors.
- Leverage outside perspectives: Assessments of vendor risk management capabilities conducted by internal or external auditors and other experts can strengthen arguments, especially when those independent evaluations confirm prior program enhancements have achieved desired results and highlight shortcomings that feature prominently in the current TPRM program.
- Tailor key messages about TPRM to different audiences: Vendor risk management professionals should tailor their messages to connect more effectively with different audiences. For instance, C-level executives should get the 30-second, big-picture version; the finance and accounting manager considering a budget request should receive a more comprehensive version of the messaging that centers on quantitative content.
- Continuously update your measures and the narrative those metrics portray: As vendor risk management groups promote the benefits of mature capabilities, they should integrate new measures and benefits into their story lines as progress is achieved.
- Have alternative plans ready to implement: Vendor risk management leaders should be prepared to optimize the funding they receive when it falls short of what the practitioners request. Executives in charge of leading TPRM programs typically run scenarios, so that they are prepared to recalibrate their program as needed. Having those alternative approaches ready to roll out also demonstrates flexibility and foresight to senior management – qualities that can help generate future resource increases.
Read the new paper here.
Gary Roboff is a Senior Advisor to the Santa Fe Group where he focuses on payments, risk management, mobile financial services, and information management. Gary has almost four decades of experience in financial services planning and management, including 25 years at JP Morgan Chase where he retired as Senior Vice President of Electronic Commerce. Gary has worked extensively in electronic payments, payments fraud, third party risk management, privacy and information utilization, as well as business frameworks and standards for electronic commerce applications.