Third Party Risk Management Introduction
- 1. Telavance, Inc. – 517 US Route 1 South, Suite 5400, Iselin, NJ 08830 THIRD PARTY MANAGEMENT RISK Experience the Telavance Advantage™ On October 30, 2013 the Office of the Comptroller of the Currency (OCC) issued updated guidance on third-party risks and vendor management. The OCC's bulletin points out that its updated guidance replaces OCC Bulletin 2001-47, "Third-Party Relationships: Risk Management Principles," and OCC Advisory Letter 2000-9, "Third-Party Risk." These OCC guidance apply to all banks with third- party relationships. Bank’s risk management practices should be appropriate with the level of risk and complexity of its third-party relationships. The OCC expects bank's board and management to have risk management processes and practices in place to assess, monitor, and manage the risks. For critical activities that impact significant banking functions, the OCC expects banks to have a comprehensive oversight, management and regular monitoring of third-party. This regulatory risk and compliance elevates the importance of vendor management to entire financial institution. Banks’ face considerable challenges in managing, monitoring and documenting third-party relationships. As banks outsource mission critical processes to third-party vendors, the effort required to ensure compliance increases. Vendor management should not be considered only from a risk and compliance perspective but also the business benefits derived from managing these relationships effectively. It could help reduce costs, increase the value from the third-party and potentially reduce risk.
- 2. Telavance, Inc. – 517 US Route 1 South, Suite 5400, Iselin, NJ 08830 The bank’s board of directors and senior management are responsible for overseeing the bank’s third-party risk management program. However, the responsibility is often delegated to the Compliance or Risk department. And the oversight has to align with the level of risk and criticality of the activities provided by the third-party. The third party relationship impacts bank’s current risk or adds new risks. A bank has to incorporate this in their Enterprise Risk Management framework and has to assess and rate third-party risks in categories of Operational, Strategic, Reputational, Credit, and Compliance Risk. By aligning the third-party assessment with standard risk category the bank can benefit from the practices and procedures established in the Risk Office. Telavance has developed process, procedures and templates based on the Operational Risk and Control Self-Assessment concepts to help banks identify, assess, classify, risks and controls and due diligence for third party relationships. This repository also has third party information with third party criticality, controls, performance measurements, compliance testing, reporting and other functions will help bank document, track and report. Creating this “single version of truth” is critical to meet compliance requirements and also helps drive down the overall cost. Telavance can help you with an effective third-party risk management process that follows a continuous lifecycle for all relationships and incorporates the following: Vendor Management Program Setup Vendor Risk Assessment – Initial and Ongoing Vendor Risk Level Quantification Ongoing Monitoring and Compliance Testing Documentation and Reporting Independent Reviews of Vendor Management Program Third Party Risks To put the third party risks in context, consider the statement from The New York State Department of Financial Services’ 2014 Report on Cyber Security in the Banking Sector said: “Another continuing challenge is the industry’s reliance on third-party service providers for critical banking functions. … In addition, most small and medium institutions outsource functions such as payment processing and most of their web application and online banking systems to external companies. This interconnectedness suggests that an institution’s cyber risk level depends in large part on the processes and controls put in place by third parties. … To the extent that institutions do not have adequate insight into the sufficiency of the processes and controls of their third- party service providers, this may represent an area in need of heightened due diligence and monitoring. Cyber security and data protection requirements should be incorporated into institutions’ third- party contracts from the outset.” While the financial institutions will have the means and methods to counter cyber-attacks, there is a focused effort to target smaller third party service providers. (An infamous incident is the Target breach). The question to ask yourself is - How would my financial institute work with a third-party without understanding their security practices, risk controls and monitoring on a regular basis and what risks does it put a financial institution under?