Who Sets the Rules for a Third Party Risk Management Program
You can download a full copy of the slides from this webinar.
Full transcript available below:
Hello everyone, and welcome to today's webinar hosted by me, Bethany Sirven of MyComplianceOffice, and Third Party Risk Expert and President of ONTALA, Linda Tuck Chapman.
So let's move on from the agenda. When you start to think about this really ... I mean, it comes down to we already know it's a team sport. There's an awful lot of people involved in this, but you have to also consider, when you're thinking in terms of the three lines of defense, who sets the rules for how things work. Is it your senior management or your board? Is it people in information security? Because that's certainly an area of great risk. People in finance, operational risk, compliance? Is it your customers, is it your board, is it the business themselves?
What I would suggest is that if you're in the process of either building a program or looking at your program and trying to make it better, more efficient, more effective and produce better outcomes, that's not going to have a look at all of your stakeholders. So for whatever reason, everybody knows how PowerPoint works, I actually did have something down the left hand side, which really depicts other stakeholders, including your board, your customers, et cetera.
So I'm working with a company currently that is not in the financial services sector. They're a technology company, and when they look at why they are doing this, they're really focused on some things that everyone is. Everybody has different compliance laws, regulations, et cetera, that they need to pay attention to. Everybody's working in an environment where they're governed by laws, regulations, et cetera. Some industries have more to consider and some have less, but nonetheless there's no company out there that operates in the absence of laws and regulations.
So when you're thinking about your program, reading the laws and regs and trying to turn them into something is actually pretty tricky, but you really do need to pay attention, and it's important to belong to networking groups so that you can hear how others are interpreting. One of the best pieces of feedback you can get from a regulatory exam is that your program is in keeping with other organizations of your size and complexity in your industry. That actually is very high praise. The second thing that you really want to do is you want to make sure that you are learning best practices from others and how they're applying them, and that'll save you a lot of time and effort.
So in this particular case that I refer to, I think you'll find that when you're thinking about third parties, in many, many cases you also will find that those third parties are your customers, or customers themselves as a standalone are a stakeholder group. Most companies, not only are they trying to conduct their own due diligence on third parties, but in fact they're receiving incoming due diligence requests from the companies they do business with, including sometimes a lot of pressure from customers. Those customers are most often in the form of other corporations, so there's a lot of pressure in terms of trying to get this right. And also, companies who are a little bit behind the curve, they're having a hard time stepping up to the incoming due diligence requirements and the expectations of the customers who are probably a little bit ahead of them.
So last but not least is you really do need to think very, very carefully about senior management and your board, because in the long run they're responsible for the operations of the company. So this is not all about task management, as I said. It's really about complying with laws and regs, meeting customer expectations, dealing with your third parties, getting the right data, and then being able to distill that down into something useful that your senior management and your board can deal with. And so in the context of the three lines of defense, your board and senior management have a role in the three lines of defense as you do, either in a business unit who are responsible for managing large, complex relationships, or in what's known as the second line of defense, which are these risk experts who are helping set the stage for determining what the risks are and what you're going to do about it.
So when you think about stakeholders, there really are many stakeholders in this. They all actually have a very important role to play in setting up and helping you figure out your program. But also, if you're early days in this, what you really want to think about is how are you going to pare this down so that you can actually build and expand your program on an orderly basis? Any company that I've seen that's tried to tackle everything at once has actually had a hard time getting things off the ground, because it's too much activity and it's too much change management for your company.

This webinar was co-hosted with Linda Tuck Chapman of Ontala Performance Solutions.