Trying to navigate through the OCC, CFPB, FDIC and FFIEC risk management “guidance” releases can be daunting. These bulletins are not guidelines, they are requirements and the penalties are stiff for lack of compliance.
It’s helpful to remember that the primary objective of these oversight committees is to ensure that you are effectively protecting your business and your customers from unnecessary third-party risks. Sounds a lot like smart business, doesn’t it? And in fact, many of the requirements closely follow third-party risk management best practices.
Take, for example, the OCC 2013-29 Bulletin, which caused a lot of stir in the financial industry when it was first released. If we examine the core principles outlined in this bulletin, they closely align with what most risk managers would consider key components of an effective third party oversight program.
Here are the critical areas of concern as noted in the OCC 2013-29 Bulletin:
Planning: Do you have a plan to manage your third-party relationships?
Due diligence: Prior to onboarding your vendor, do you have a process for completing due diligence that allows you to evaluate your vendors against your organization’s risk tolerance?
Contractual expectations and enforcement: How are you going to outline and define your expectations of your vendor while also having a plan for enforcing those requirements? More importantly, how will you limit your own liability?
Ongoing monitoring: Do you have a plan and process in place to monitor the performance of your vendor once they are on boarded? How will you hold them accountable and maintain a positive relationship?
Roles and Responsibilities: Have you defined and assigned clear roles and responsibilities and does everyone have a clear framework from which they can operate?
Reporting: How are your tracking and documenting your third party relationships? Where are you housing this information for reporting and analysis? Equally important, what are you doing with this information and how are you using it to generate specific actions? Are you being proactive or reactive?
Transitioning: What is your plan if services end due to an unanticipated disruption, such as a geo-political or macroeconomic event? How will you transition out of a contract when the time comes? What if you simply want to transition to a new provider? Each of these requires a contingency plan and each has a different process that needs to be considered.
Auditing: Are you too close to the process? Do you have an objective party that can evaluate the plan, process and tools you have in place?
The OCC has made it glaringly obvious that the scrutiny of the Financial Services industry will only continue to become even more rigorous. If you’re doing business with third parties, it’s not enough to simply have a supplier monitoring tool. You’re also responsible for having an effective risk management process in place, a framework and reporting structure that allows you to better manage your third party vendors throughout the entire lifecycle.
If you are looking for more insights on how to develop strategies and plans for Third Party oversight within your organization, we can help. Supply Wisdom delivers alerts and insights that help companies track and mitigate supplier- and location-based risks in real time. Contact us for more information or to get started with a free trial.