A common misconception is that the “real test” of third-party risk management is to make sure your financial institution is ready for your annual regulatory examination. That’s simply not true.
I’ve been a third-party risk manager at a couple of different banks of vastly different sizes and have also worked in various forms of outsourcing. While the exam is a constant thought, it should not be your guiding compass.
7 key tasks
When you’re working in third-party risk, the day-to-day activities should be your primary concern in mitigating vendor risk to your institution.
Here are 7 tasks that used to keep me up at night and which I’d consider the “real job” of third-party risk management:
1. Do you have the support of senior management and the board?
Without their support in setting the tone from the top, you won’t have the confidence of knowing that they will help you set direction, or that they will back you when things get sticky or need to be escalated with a third party. Regulatory guidance, particularly OCC Bulletin 2013-29 and OCC Bulletin 2017-7, identifies responsibilities for board involvement, such as ensuring an effective process is in place to manage third-party risk and approving contracts with third parties that involve critical activities.
2. Are the lines of business keeping you informed and involved?
If the first time you’re hearing about a new third party is at an unrelated meeting or when an issue occurs, this can be a huge problem. Your bank needs to set standards so that the lines of business bring third parties to your attention well before the contract is signed. Additionally, the first line of business, which actually experiences the day-to-day activities with the third party, should document any decline in service levels and notify you of it.
3. Are your processes well documented and accurate?
Developing a rigorous plan takes time and ongoing effort. It’s critical that the work product match what’s described in your third-party risk policy in order to not only satisfy senior management and the board, but also your examiners.
4. What problem might you encounter—and are you prepared?
Planning for the unexpected is important. In fact, it’s a great idea to work closely with your lines of business and key people from around the organization to think through all the problems that can occur. When problems do occur, you’ll be better prepared and have the opportunity to provide constructive feedback on what could be done even better the next time. It’s not just a good idea; it’s actually required by the FFIEC IT Examination Handbook, Appendix J, which outlines expectations.
Having confidence that you are prepared for a problem, whether it be a data breach or an act of nature, with minimal disruption to your business or delivery of products and services to your customers, is incredibly important. Proper planning and well-planned communication strategies truly are a necessity. Review and test your disaster recovery plans to make sure they are adequate in all scenarios.
5. Is your program up-to-date and do your actions match your words?
Making sure that you’re working off the most recent regulatory guidance is crucial. Using outdated guidance leaves you open not just to examiner criticism, but also to missing key changes in expectations or best practices. Your internal audit program should include a thorough review of third-party risk management.
6. Have you cut a corner and left something unattended?
It’s easy and tempting to cut corners, but with the benefit of hindsight and many stubbed toes, I’ve often been able to track problems back to things we could have done more thoroughly, such as inadequate review of due diligence documentation, underestimating risk or simply lax oversight.
7. If you need to terminate the third-party relationship quickly, can you?
Particularly for your critical third parties, you simply must have a well-planned exit strategy, contemplating both the sudden and gradual unwind of the relationship. You should document it carefully, determine who needs to be involved, and test it periodically. If you need to terminate a third-party relationship suddenly, it’s a good idea to have a replacement third party in mind and ready to take over the crucial responsibilities.
Exam demonstrates your year-long efforts
The exam is like a final exam in school: important, but an abstract afterthought for 11 out of 12 months of the year. It’s important to understand that the work you do every day is what prepares you for the exam.
Your biggest concern every day should be whether or not you’ve done enough to make things a little better today—not prepping for an exam but for the real-life situations that happen every day. Your board expects it, your customers deserve it, and your shareholders will appreciate it.
One of my favorite quotes on the wall at MBNA America, my former employer, was, “It is always the thousands of little things done right that add up to the unassailable advantage. Above all, we want a reputation for doing the little things well ... and the big things will follow.”
This is a perfect description of why third-party risk management is so vital to your organization. A well-managed program can help create value, save money, drive quality assurance, reduce redundancy, protect your customers and your data.
About the author
Branan Cooper is chief risk officer at Venminder.