Laying a Solid Foundation for your TPRM Program: Discipline 1 of the 7 Essential Disciplines of TPRM Programs
Written by Atul Vashistha & John Bree
Discipline 1: Clarity of TPRM and the Corporate Role
In our first article in this series, we outlined the 7 Essential Disciplines of Third-Party Risk-Management Programs. In this article, we take a deep dive into Discipline 1 and how to build a solid foundation for your TPRM program.
A robust TPRM program requires a governance structure that extends from the board of directors to the front lines, with all parties understanding the entire risk picture and the role each plays in risk management. Collaboration between the enterprise’s overseeing entities is enabled by establishing a TPRM Charter.
Step 1. Development of a TPRM Charter
The TPRM Charter should state the purpose and objectives of the TPRM program and establish guidelines for the relationship and interactions between the following:
- Business lines: the revenue generating units that interface with clients and customers.
- Day-to-day operations: the parties and groups within the organization that will oversee the working relationship with each supplier.
- Risk Management: the standards, governance tools and programs that will ensure third-party compliance and alignment to the organization’s third-party risk appetite.
- Audit functions: the parties, both internal and external, that will oversee the performance of the organization’s risk managers.
The charter development process needs to involve collaboration between the organization’s operational, oversight and governance entities. It’s essential that its sourcing provisions reflect and further the organization’s business strategy. Additionally, it should spell out who is Responsible, Accountable, Consulted and Informed (RACI). When completed, a RACI matrix includes all the activities or decision-making authorities undertaken in an organization set against all the people or roles.
Step 2. Establish a TPRM Strategic Committee
To ensure the organization is adequately protected, the TPRM charter should also establish a TPRM Strategic Committee to oversee all areas of risk, including AFC/AML (Anti-Financial Crime/Anti-Money Laundering), governmental compliance, tax issues and related legal issues. This committee should include the organization’s Chief Information Security Officer and have:
- A well-defined organizational structure with carefully defined roles and responsibilities
- Formalized communication types, reporting metrics and cadence
- Formalized upstream and downstream communication channels and reporting lines
- Defined participation and meeting schedule
- Clearly delineated agreements with each control function
The effectiveness of any TPRM Charter depends upon a clear understanding of all risk criteria and risk-related procedures by all parties. The relationship between the organization and its third parties, as well as any fourth-party or more remote suppliers, should be spelled out in the service agreements, including both the terms of compliance and the penalties for non-compliance.
Step 3. Develop a Board Approved Sourcing Strategy Framework with Risk Appetite Guidelines
It is imperative that the committee develop a Sourcing Strategy Framework with risk appetite guidelines that are aligned across the organization and are approved and periodically reviewed by the board of directors. The individual business units own their sourcing strategies, which become part of the overall Sourcing Strategy Framework. This framework sets risk management criteria compatible with the organization’s business plan, risk tolerance, and risk appetite. This allows qualified parties familiar with the underlying sourcing strategies and the approved level of risk tolerance to assess and onboard potential suppliers in a way that is designed to ensure successful partnerships. Often it is the Chief Risk Officer who reviews and approves risk appetite values and determines allowable exceptions.
Approved sourcing strategies should be reviewed periodically — at least once yearly for higher risk vendors — to ensure that the organization’s sourcing strategy remains consistent with the business plan, and that its directives are followed.
Procedures should be in place to:
- Establish sourcing criteria — what can and cannot be sourced
- Ensure compliance with approved sourcing policies
- Ensure that current sourcing strategy is consistent with regulatory requirements
- Process exception requests
- Manage non-compliance issues
The business strategy of any successful organization must drive the sourcing strategy. One size does not fit all. Therefore, divisions must develop their own sourcing and risk appetites, but they must be consistent with the board approved framework.
The Sourcing Strategy Framework should include (at a minimum):
Strategy Control Elements:
- Criteria to identify services and functions that can/cannot be sourced
- Identification of what can be sourced internally versus externally
- Risk management and appetite
- Governance including consequence management to address non-compliance
- Business and divisional sourcing strategies – consistent with and aligned to the respective business and divisional overall business strategy
- Jurisdictional sensitivity – designed to ensure local regulatory compliance
- Division-managed processes – example, General Counsel managing legal firms
- Range of coverage, applicable to both internal and external service providers
Step 4. Establish a Governance Forum
TPRM governance includes three lines of control: operations, risk management and audit procedures. Each control function must have a formal risk assessment procedure in place ensuring accurate management of risks consistent with the organization’s risk appetite. The TPRM charter should provide for continuous assessment of third parties as well as all subsequent participating external parties.
Most major organizations have implemented or are in the process of implementing a version of the well-known Three Lines of Defense (sometimes referred to as the Three Lines of Control).
The concept is based on distributing any required operational governance over the three primary functions, namely:
- Operations (First Line): Has direct day-to-day management of any internal or external function or service.
- Risk Management (Second Line): Establishes minimum control standards in collaboration with the First Line, together with the risk assessment process and the tools/programs that the First Line and Second Line will employ to reasonably ensure compliance.
- Internal and/or External Audit (Third Line): Oversees the performance of the Second Line in their governance of the First Line.
The Governance Forum should be a top-down, clearly defined and verifiable distribution of regulatory and audit requirements, complemented by a bottom-up confirmation of adherence, exception escalation and remediation reporting. The Management Board should review and approve each business line’s sourcing strategy, with a sponsoring board member approving all product and process proposals that meet the predefined risk criteria established in the overall sourcing strategy. Depending on the organization’s structure, either the Chief Risk Officer or the Head of Operational and Non-Financial Risk should approve the risk appetite values and exceptions.
Third-Party Risk Management should:
- Update the sourcing strategy – on an annual basis, consistent with regulatory requirements
- Process exception requests
- Monitor compliance with the approved sourcing policy
- Manage consequences and issue escalation
Divisional and business lines (consistent with their approved sourcing strategy) should:
- Develop sourcing strategy and appetite parameters
- Update division/business sourcing programs
- Monitor First Line R&CSA and relationships
R&CSA stands for Risk and Control Self-Assessment. It means that every operational function should have a formal program, with a defined cadence, to evaluate the current risks associated with its products and/or processes, together with a self-testing and reporting protocol to ensure the controls in place are accurately and effectively managing those risks consistent with approved risk appetites.
About the Authors
Atul Vashistha is recognized globally as one of the leading experts on global business services, governance and risk. Atul was named to Consulting Magazine’s “Top 25 Most Influential Consultants” and “Top 6 IT Powerbrokers”. He is the founder and Chairman of Supply Wisdom and Neo Group. Supply Wisdom is a leading real-time and continuous risk intelligence and monitoring solution used by the largest banks, health care, insurance and other such firms to manage third-party and location risks. Atul serves on the Shared Assessments Board of Advisors and is also the Vice Chairman of the Defense Business Board at the US Department of Defense.
John Bree is Chief Evangelist and Chief Risk Officer for Supply Wisdom. Prior to joining Supply Wisdom, John held senior positions in New York, Tokyo, Singapore and London for Citi and Deutsche Bank covering corporate, investment, commercial and consumer banking operations. John has managed global staffs and corresponding budgets in multiple locations and delivered cost efficient and operationally effective programs ensuring compliance with local and global regulatory requirements. Through interaction with Business Units, Internal Audit and regulatory agencies, John resolved MRIAs, MRAs and Findings, on time and without penalty. John is a member of the Shared Assessments US and UK Steering Committees and Co-Chair of the Financial Industry Vertical Strategy Group. He has authored numerous articles and blogs on Third-Party Risk Management and Governance in the Digital era.
Up Next – Discipline 2: Third-Party Integrity