Third-party risk management is worth doing well—not only to protect your institution’s reputation, resources, and customers, but also because third-party risk management is part of safety and soundness exams. The effectiveness of a third-party risk management program is seen as an indicator of overall management capabilities. The design of third-party risk programs varies across institutions.
There can be differences in:
- tone from the top
- criticality and services acquired from third parties
- expertise available to support development and enhancements of the program, including risk control experts and governance bodies
- investment in resources and tools
- adoption by key stakeholder
- cooperation from third parties
It’s easy to mistake compliance for risk management. With so much effort and activity driving these programs, it’s a good time to take a closer look at whether investments in people, tools, processes, and resource-intensive activities are noticeably improving third-party risk management.
Before we get started, a point of clarification: Third parties are more than vendors. The RMA (Risk Management Association) Third-Party Risk Management Round Table Steering Committee created two definitions that cover all third-party relationships. These definitions—for “vendor” and “non-vendor” relationships— can improve internal communication and bring clarity to program design.
With these points of reference, here are four basic principles of effective risk management:
4) Risk adjustment
Compliance and completeness are quantitative terms— and squarely in the line of sight for regulators and internal audit. Risk-centricity and risk adjustment are more subjective, but always in the line of sight of enterprise risk management —and hopefully for business leaders.
Assessing how compliant your program is with regulatory guidance is unquestionably a good place to start. Here is a little context for why this is important: During the September 2016 RMA Third-Party Round Table meeting, the Office of the Comptroller of the Currency’s (OCC’s) National Bank Examiner generously provided insight and data about 2016 examination findings. At national banks, according to the OCC, the number of Matters Requiring Attention (MRAs) peaked in 2013-14. As of the end of June 2016, the number of new MRAs issued to national banks had declined significantly, indicating there are still many gaps in compliance. By the middle of 2016, 14% of all MRAs issued to mid-sized and community banks were related to third-party risk management, an increase of about 165% over 2015.
According to its website, the Consumer Financial Protection Bureau levied 36 enforcement orders by the end of June 2016 and was on track to levy fines totaling between $500 million and $1 billion for the year. While such enforcement orders are a combination of internal and third-party violations, it’s important to note that contracting institutions are responsible for any violations committed by third parties. Each regulator publishes only one version of regulatory guidance, regardless of an institution’s asset size or business mix. For greater clarity, regulators drew a line in the sand with the 2014 publication of heightened standards for institutions with more than $50 billion in assets.
Regardless of whether an institution is above or below the heightened expectations threshold, expectations for institutions of all sizes and complexion are continuing to rise, as regulators are universally stating that third-party risk management practices are still immature.
The level of reliance, different services, and inherent risks across third-party relationships of many sizes and types will drive the need for additional due diligence and controls. It goes without saying that a cloud-based, foreign service provider delivering critical services; an outsourced mortgage servicing company; and a correspondent banking relationship will each have specific requirements for due diligence, controls, management, and governance.
A practical way to get actionable data on compliance is to undertake a thorough assessment of policies, procedures, and practices in comparison with regulatory requirements, at a line-item level. Then continue assessment across the enterprise by sampling adoption, documentary evidence, and user knowledge. It’s particularly important to be well informed about how regulatory requirements have been implemented at peer institutions.
Easy access to documentary evidence of internal compliance to policies and procedures—as well as reporting, issue management, and enterprise-wide, consistent adoption—are all necessary to meet the compliance test.
Make no mistake, achieving the completeness test is very challenging. Small institutions typically do business with 500 to 1,000 vendors. Meanwhile, the largest institutions may have relationships with 70,000 to 100,000 vendors, sometimes more.
When it comes to non-vendor relationships, the number depends on the mix of businesses and services and how those services are acquired and delivered. Insurance and wealth management companies typically deliver services through a large network of agents, stock repurchase counter-parties, correspondent banks, brand partners, and transfer agents. An institution may have a wide range of corporately sourced relationships, relationships sourced by a center-led procurement team, and of payee relationships. There are many types of non-vendor third parties, and they all need to be captured by one or more third-party risk management programs.
Meeting the completeness test for vendors is the easy part. Tight controls across procurement, third-party risk management, legal, and accounts payable processes are the key. If it’s possible to on-board or pay a vendor that has not been subject to program filters and controls, you’ve failed the test. The greatest challenges to meeting the completeness test for vendors are:
- long cycle times for completing due diligence and contracting
- heavy workloads
- inadequate user communication and training
- ensuring that quality documentary evidence exists and that there are appropriate consequences for failing to comply with the institution’s policies and procedures.
Including non-vendor relationships in third-party risk management programs is very new. At RMA’s first Third Party Risk Management Round Table, held in February 2014, there were just a handful of participating institutions that were capturing a small range of non-vendor relationship categories in their programs. Today, most participating institutions have completed or are in the process of completing an inventory.
The first step in expanding your third-party risk management program is to create a complete inventory of your institution’s non-vendor third-party relationships. Unlike your vendor third party relationships, which can easily be identified by a review of active vendors in the Accounts Payable system, there is only one way to create a complete inventory of non-vendor third parties. This means systematically working with leaders in each business segment and unit across the enterprise to frame the inquiry and analyze their third-party relationships.
A tool developed by the RMA Round Table Steering Committee is a list of 19 categories and 53 sub-categories of non-vendor relationships. This tool helps frame the project plan and helps in communication with business leaders. Criticality of the relationship to the institution and the enterprise should be determined as part of the inventory development process, aligning with vendor assessments and regulatory guidance. A second important dimension in the inventory process is determining the relative strength of existing management and governance processes. The outcome is a complete inventory that has been prioritized in a way that produces logical sequencing to bring each category of non-vendor third-party relationship into the institution’s center-led third-party risk management program.
The keys to meeting the completeness test include the following:
- A complete inventory
- A repeatable process and controls
- A robust technology solution that warehouses a complete record of all in-scope relationships
- A relationship manager
- Actionable reporting
Risk-centric is another way of saying “systematic” and “risk-oriented.” Applying the concept to third-party risk management means:
- Implementing a systematic, disciplined approach to filtering and segmenting relationships by criticality or reliance according to the institution or business segment
- Realistically identifying inherent and residual risks
- Systematically and objectively assessing risks
- Mitigating and actively managing known or potential risks according to the likelihood of occurrence and the criticality of the relationship
- Imposing effective controls and oversight
All this activity should be designed with one primary intent: to prevent loss events — loss of the institution’s good reputation, loss of financial assets, loss of customers, loss of trust, and, at an extreme, loss of the license to do business. Risk-centric programs are intentionally “relationship neutral” in their design.
Repeatable, step-by-step processes to determine the level of criticality, identify risks presented by the third party, conduct due diligence, and manage and monitor relationships shouldn’t be left to individuals to figure out or change according to individual expertise or bias. Processes exist to deal with exceptions. In addition, risk-centric programs enable appropriate stakeholder engagement.
It’s not helpful to expect users in business segments to decipher technical risk language and concepts. Good programs are easy to engage with and generate consistent outcomes. A good test of whether a program is risk-centric is to examine potential or actual loss events that have been detected by the program. One easy test is to compare the outcomes of the risk assessment process and segmentation with regulatory findings for systemically important third parties.
If you provide your regulator with a list of your critical fintech (financial technology) relationships, your regulator will provide a copy of its findings for these third parties. Check to see if your program detected these deficiencies and how they were addressed internally. Set up a process to gather this information from regulators on a periodic basis. Another test is to ensure third-party issues and incident-management programs are robust and tightly coupled with the third-party risk management program. Incidents and issues should be cross-referenced with the risk profile for the corresponding third-party relationship. Any program deficiencies should be evident. The same is true for service-level agreements and compliance with contractual agreements.
Meeting the risk-adjusted test is an incredibly useful element of any effective third-party risk management program. Risk-adjusting the program means ensuring that the work effort and controls are commensurate with the criticality and risk of the relationship. Logically, no program should or typically does require the same amount of rigor and oversight for a mission-critical relationship as for a low-risk one.
The process of risk-adjusting the program often takes one of two paths. The first is to build out the program and processes, then implement a “one size fits all” for the vendor population. As relationships are on-boarded, the need to risk-adjust specific program elements quickly becomes evident — leading to development of risk-adjusted contract terms, due diligence, controls, and monitoring requirements. An example is to implement different contractual terms for business continuity management and testing according to the criticality of the relationship.
A second path for many institutions is to build the program and processes, then onboard tier 1 and tier 2 relationships. This allows internal experts, using live relationships, to consider how contract terms, controls, and monitoring requirements should differ according to criticality and risk. These requirements can easily be scaled down as lower risk-tiered relationships are on-boarded.
Regardless of which path is chosen, risk-adjusting the program is important. Wasting scarce resources, internally and within third parties, is just that — a waste. Business users actively or passively vote with their feet and may withdraw their support from proactively managing third-party risk. Increasingly, third parties opt out of unreasonably onerous requirements by withdrawing from the relationship or declining to bid on new business. Meeting the risk-adjusted test is just good business.
The practice of third-party risk management isn’t new, but neither is it mature. At most institutions, there is still plenty of room for improvement. It’s been three years since financial services regulators issued “new” guidance on third-party risk management. It’s time to take a closer look. As you assess your own institution’s efforts, ask pointed questions that will help determine whether your third-party risk management program is right-sized and adding business value.