The Fundamentals of a Strong 3rd Party Management Program
You can download a full copy of the slides from this webinar.
Full transcript available below:
Hello, everyone, and welcome to today's webinar hosted by me, Joe Boyhan, of MCO and third-party risk expert and president of ONTALA Linda Tuck Chapman.
On the next slide, really looking at the fundamentals of third-party management is really where you want to go next. It's really what does this really mean? When you think about the overall fundamentals, it really is that it's a set of practices to allow you to put processes in place and to put tools in place, et cetera, so you really think about how you can go through this life cycle. Those of you who are familiar with the OCC guidance on third-party risk, this is, from what I understand, the first and only time they've ever put an image into guidance. It's a nice image.
|
It has a triangle and a circle, and so this circle is meant to represent the life cycle and the triangle is meant to represent the governance that goes with this. If you're in the financial services sector, regardless of whether you are regulated at the OCC, it's helpful to help people understand this is not a simple thing to do, and it really does. It's kind of a team effort to get there. I should break that down into what that might look like for your organization a little bit later, but if you look at it, basically, the whole risk game is all about looking at all of your relationships. Banks and the insurance companies and financial services companies do not buy a lot of tangible goods, but some of them are really important. |
|
You may be less worried about your carpet than you are about your routers, but there are still many tangible goods that come through the door. The strategic relationships is really trying to get at that notion of criticality. What's strategic to your business? What do you need to operate? And so on and so forth. I've got a definition that we've developed through the RME that'll help differentiate vendors from third parties and I'd have to say, probably, on the top line above the illustration it's probably more focused on your vendor relationships and then if you look at the other ones in-direct services, strategic they actually could be other types of third parties. Regardless of what you're trying to do, the question has always been is there a way to create a single program for vendors and non-vendors in your third-party program? |
|
What we found through doing surveys through the RME is that the answer to that is yes. You can have a single policy and you can probably end up with sort of a single lens on how you create your life cycle management processes because many of the risks that you face, whether it's strictly a vendor relationship or another type of relationship are very similar. They present similar risk. What's different actually is the governance model and I'll talk a little bit more about that later. As you go through and start thinking about really what are you trying to accomplish with your management program, obviously, there has to be a process to identify risk and this actually leads into the completeness. |
|
You need to have some kind of an on ramp so that you understand whether or not you're capturing all of the relationships and can do at least the preliminary look at them to determine whether, in fact, there are risks present that need to be actively managed. If your contract basically protects a contact center with buying office supplies, you can see there's a lot of differences there. You need a lens to go through that and one of the ways that this is done is to consider whether you are going to invest in technology and regardless of the size of your company you're going to probably find that a technology solution is going to be really important because there's so much to record there are ... You have to. It's an evidence-based program. There's lots of people involved in this AME workflow. You need a repository for documents. |
|
You need to remind people to do certain things. That's something you really want to think about is how are you actually going to execute against this? Once you've identified which of your relationships are in scope for because they do represent some risk, it's back to your risk adjustment. You only want to conduct due diligence on the areas where risks are actually present. When you're doing that your purpose is really to assess the strength of the third parties' control. People get a little bit confused about that and I'll talk about the difference between criticality and risk further in the presentation. Once you know what you know, obviously, one of your goals is to either avoid those risks, to mitigate them or to manage them because a risk-free business is not realistic nor is it actually prudent to try and get there because you probably would have to shut down. |
|
Then once your program is in place, you've got issues and incidents. That should be part of your program as well is figuring out, well, how are we going to move things forward so we can either remove systemic issues. We can respond to issues, in fact, that aren't issues at all. Maybe our program isn't tooled quite correctly and it's identified things that aren't really a problem. Last, but not least, is to manage the relationship and the performance. Basically, these are the principles and, Joe, if we go onto the next slide, we can talk about how you might want to focus on that. This combination between critical activities that you see in guidance or that you think about from a business perspective and the relationships themselves, in fact, are really kind of different things. The critical activities usually are associated with critical relationships to deliver those critical activities. |
|
This is a lens that you can put on for risk adjusting your program. Defining criticality can be difficult but, generally speaking, most firms identify those relationships which are "enterprise critical." So if, in fact, your service provider or your third party was not functioning that day, it would bring the company exactly to your need. What we're seeing is certainly in the financial services sector that you would have maybe a handful of these, maybe 10 or 15 of them. If you have more of them to your one enterprise critical, you may be very, very heavily outsourced or you may be ... People think of it as conservative to capture more. You may be capturing too much. It's the opposite of conservative because if you put too much noise in the airwaves, people don't pay attention to those things because they're not as important as you're saying they are. |
|
One of the reasons why you want to focus on this so intently is because from a criticality perspective and, also, from a management perspective in the financial services sector third-party management is an indicator of your overall safety and soundness as a company. Those of you who might be familiar with the CAMEL's Rating, which is Capital Asset Management Equity Liquidity, each of those can be measured through different ways in a regulatory exam. Management has always been a little bit trickier to put your arms around. Third-party management is now considered part of the management capabilities in an exam and that put it on the agenda of senior management and the board. |
|
In order to determine which are critical activities and, therefore, are critical relationships supporting them, you really need to put ... You need to define them. How are you going to know what's critical to ongoing operations? I'd suggest your first line of defense your business knows and usually more senior people will have a very realistic view of this. Some of the test, do you think they can have an impact on your reputation or your results or will likely impact on your reputation and results? One of the ways you can differentiate your enterprise critical from others is a simple rule of thumb. If the service provider, your third party, if they had a serious problem, could it affect more than three to 5% of your annual operating income. |
|
That's a very clear indication that they should be in that enterprise critical level. If the answer to that is no, it's probably somewhat less than that. It maybe not a top tier. It's probably very important to the business, though. You also want to think about criticality through the lens of cyber security, privacy, information security. What kind of data do they have? How do they have it? Is it data? Basically, they have access to the data. Is it data in transit, data at rest or are they managing the records? Because you can risk adjust your program accordingly. New products and services usually do require more effort and more oversight, so that's something to think about basically is this new, junior company. |
|
You may not know enough about managing their relationship because it's all new. One of the things to bring in there, also, is dealing with the fin tech innovators. Where there are innovators it is entirely possible that you're dealing with companies that don't meet your risk threshold and, yet, it is important you deal with them. Some companies that I work with actually create sort of a tech reg category which may be temporary in nature for the involvement of certain third parties as they learn and grow with the company. If you do that, if you separate them out, it recognizes this is important, but it gives you different management and oversight. Also, material compliance risk. If there are very, very clear compliance requirements beyond the norm for just a typical third-party relationship, those in itself may warrant a lot more focus. For example, if they're doing regulatory reporting for you, that's a material compliance risk |
|
This webinar was co-hosted with Linda Tuck Chapman of Ontala Performance Solutions.
Request a demo today to learn how MyComplianceOffice puts you in command of your compliance program, synchronizing your business needs with regulation.
