Over the past several years, third-party oversight (or vendor management) has grown sharply in importance and as a subject of regulatory focus. Regulatory agencies now scrutinize the service provider supply chain at every significant touchpoint, including fourth parties, fifth parties and so on. Even when an institution outsources a function to a service provider, it remains responsible for the protection of its data and systems. And accountability for implementing effective third-party risk management falls squarely on the institution's board of directors and executive management.
But many institutions still look at “vendor management” as a necessary evil they must tackle to complete the compliance checklist and satisfy examiners and auditors. It is perceived as a part-time job that focuses on a handful of significant service providers, without concern for the hundreds or thousands of others engaged contractually, non-contractually, as affiliates or even through revenue- or non-revenue-generating referral relationships. Every one of those relationships exposes the institution to multiple dimensions of risk. In sum, the depth and complexity of the entire third-party risk management process, inclusive of policy, procedure and people, is rarely understood in full, nor appreciated for the risk mitigation and business value it affords the institution.
There is good news, though: Leadership that fully understands the many deep dependencies, complexities and risks in the third-party supply chain can better leverage effective risk management and mitigation strategies. When leaders implement effective risk management practices, compliance with regulations for third-party oversight is a natural byproduct: no longer the endgame of the program, it falls into place. Institutions can then focus on the value the program delivers as they define and measure progress toward achieving it.
To mount an effective program, the institution must embrace it as the strategy that protects its long-term reputation and guards against the financial and operational impact that failing third-party engagements represent. An adequately funded program is not a money pit but an investment in the tools, staff, supporting systems and processes required to evaluate and manage the risks third-party relationships represent. Investment in such a program drives business value from the following key components that executive management must put in place:
- a formal third-party risk management program structure that is implemented, understood and embraced throughout the institution
- a supporting governance, risk and compliance (GRC) framework
- a defined third-party lifecycle
GRC Framework: Business Value
Many believe governance, risk and compliance frameworks require expensive enterprise software with customized interfaces for disparate systems and lengthy conversion times. But when adapting the concepts to third party risk management, a GRC framework simply requires a thought-out organizational structure that includes:
- executive sponsorship (endorsement and enforcement) at the senior-most levels of the institution
- policy and standards to identify, measure, monitor and control risks associated with outsourcing
- adequate staff, technology and tools to be effective and efficient
- internal checks and balances (lines of defense) to ensure that everyone does their job
- timely reporting to quickly address and effectively manage obstacles to achieving strategic goals (risk events)
With these in place, the institution realizes the business value of GRC, which:
- Enables business performance by integrating people, process and technology for greater efficiency through structured roles and responsibilities.
- Provides support for strategic priorities and checkpoints to measure progress.
- Identifies risk early in the process, allowing more time to develop better mitigation strategies.
- Transforms departmental silos into integrated, collaborative components that mitigate risk throughout the third-party lifecycle; better decision making creates greater value.
The framework includes these five components:
- Governance: Endorsement and enforcement of policy and program (from the top down) helps everyone understand roles, responsibilities and corporate expectations.
- Strategic goals: Define the goals (better, faster, cheaper service; improved risk and compliance management; new value-creation opportunities) so that supporting activities can be aligned with achieving them.
- Dimensions of risk: Identify, measure, monitor and control the risk(s) inherent to the activity or service.
- Program structure/operating model: Identify and manage supporting functions required to achieve strategic goals and ensure proper investment in sufficient resources.
- Third-party lifecycle: Manage risks throughout the five stages (planning, due diligence and selection, contracting, ongoing monitoring, and exit); continuously monitor progress toward strategic goals.
Adequate staff, technology and tools: Whether your organization is large or small, avoid the temptation to treat the risk management program and participating staffers as obstacles to conducting business. Adequate staff, technology and tools are essential to deliver value from the program. Without them, institutions take shortcuts to meet deadlines, fall short on the skillsets needed to properly understand risk and mitigating controls, and expose themselves to risk events that block the achievement of strategic goals.
Having the right resources in place ensures that risks are properly identified, measured and efficiently communicated to the responsible parties—who can then make better-informed decisions. This removes bottlenecks and allows business to proceed within acceptable timeframes.
Lines of defense: By assigning a defined set of roles and responsibilities to each line of defense, applied consistently across service providers and lines of business, your institution will realize a reduced cost of controls. That creates an operationally cost-efficient organization as you eliminate redundant effort by multiple staff members and gaps in effort caused by role confusion. It also decreases the cost to implement, manage and report on controls.
Informed/improved risk management and decision-making: Common terminology means risk is determined and communicated to management consistently; a consistent methodology improves risk reporting to committees, senior management and the board, and fuels informed decision-making.
Focused risk management efforts: Used across the enterprise, consistent terminology, methodology, risk categories and ratings help focus resources where risks are highest and demand the most attention rather than on lower risk, lower impact areas. This yields greater value delivery from risk mitigation and cost-efficient operational management activities.
Effective budget management through effective contract management: Proper tracking of contract cancellation deadlines by the first line of defense can bolster the institution's bottom line and save millions of dollars that it might otherwise have to pay if it missed a cancellation deadline and remained contractually committed to a service provider it no longer wishes to do business with.
Planning: All regulatory agencies require financial institutions to plan the outsourcing of significant functions; the Office of the Comptroller of the Currency provides well-defined steps. Too many institutions fail to follow a formal planning process and lose the value it would provide by helping to:
- determine whether outsourcing a function aligns with strategic goals
- identify risks inherent to the proposed function being outsourced to a service provider, to develop risk mitigation strategy requirements
- minimize impact to other projects, staff, customers, and budget
- understand the total ownership cost over the term of the service for cost containment and predictability purposes
- identify legal, compliance and technical complexities to create a realistic project plan, allocate appropriate staff, meet timelines and avoid cost overruns
Due diligence/selection follows the planning component. A request-for-proposal process might take place, or there might be known service providers the institution would consider working with. Taking the time to conduct thorough due diligence before signing a contract reaps large business benefits, as it:
- assesses the adequacy of a third party’s controls to mitigate identified inherent risk
- builds competitive advantage
- presents new value-creation opportunities by assessing the full capabilities of the third party
- provides operational cost efficiencies in vetting a third party through defined lines of defense
- identifies concentration risk to better understand business resilience in case of disruptions
Contracting provides tremendous business value and is probably the most important component of the risk management lifecycle. Federal Financial Institutions Examination Council guidance states, “The contract is the most important control in the outsourcing process.” A properly structured contract provides:
- maximum flexibility to address business change
- reduced business costs by defining all fees up front
- mitigation of multiple risk dimensions by defining the responsibilities of both parties
- measurable, acceptable service levels to evaluate the service provider
- minimum unanticipated budget impact
Ongoing monitoring and periodic review. After signing a contract with a third party, the provider will most likely assure you it is the best service provider you will ever do business with. While we always want to believe it, that is precisely why we put commitments in writing. Measuring the vendor against those commitments helps to:
- measure progress towards strategic goals
- provide real-time, actionable intelligence to decision makers and risk managers
- re-examine risk events to pinpoint lessons learned for early future detection
- minimize disruptions by providing an early warning to take proactive action
- identify key risk indicators to monitor
- consolidate third parties: by tracking and comparing similar providers, the institution retains only the better performers and can gain price advantages by expanding the services it buys from them
- reduce disruptions by determining whether an exit plan needs to be put into action
Exiting the relationship. This last stage of the lifecycle should also be the first component of the planning stage: think about how to exit a relationship before you even enter it. All too often a service provider relationship takes an unexpected turn for any number of reasons and the institution must scramble to find a replacement. Exit/transition teams must usually deploy in a hurry, pulling resources needed in other areas and on other projects. Such scrambles drain the institution of negotiating power; when a deal must be done quickly, the best pricing is never obtained. Having an exit strategy in place long before any vendor selection:
- keeps the institution on track to achieve its strategic goals by smoothly transitioning from one service provider to another
- allows the institution to adapt to changing economic conditions, third party conditions and evolving business requirements
- identifies and mitigates multiple dimensions of risk
- minimizes disruptions and resulting financial and operational impact
Third-party risk management programs are a key component in achieving strategic goals and mitigating risk. Any program is doomed to fail without leadership's endorsement and participation, so management must lead by example, not by skirting the process and treating itself as exempt. A successful program demands the proper people, process and technology to transcend departmental silos and transform them into an integrated, collaborative environment that drives value for the institution. Mastering the art and science of third-party risk management can propel financial institutions into first-place performance.
Mick Kless is Founder, President and CEO of the Compliance Education Institute and Managing Director of its Advisory Services Group. He brings more than 35 years of financial services experience and deep vendor management expertise to the industry.