Effective Third Party Risk Management (TPRM) can be implemented and maintained with stepping stones. Lay them out. Consider each one carefully. Use caution to not be distracted by competing priorities (or external industry noise) that cause your organization to stumble or completely skip over critical steps. Stumble in a significant area — and you may not recover.
Now that you have paused and checked your footing and the direction that your organization is headed, dig into some specifics to turn those stepping stones into a bridge to third party risk management success.
TPRM Policy: Pull it out and take a fresh look! For each of the stated regulatory requirements, dig deep and determine:
- Are you actually doing what you say you are?
- How well are you doing it?
- Are you glossing over critical steps based on assumptions such as, “Everyone knows that line of business ABC is doing XYZ”?
- Because of such assumptions, one business unit may assume another business unit is monitoring the common vendor relationship. And then, the vendor fails. Whoops! The finger pointing starts now…
- Is Internal Audit supporting the TPRM strategy?
- Every time a business unit is audited, simply ask the question, “Do you manage an outsourced vendor relationship?” If the answer is yes, the method is simple. Require evidence of ongoing monitoring and confirm the results with the vendor management office. Are assessments on time? Are there any outstanding/late requirements?
- Don’t let external regulators identify internal issues. Self-identify and correct them early and often. That way, everyone wins. Especially your customers. Focus on the basics, on what is most important, and the rest will fall into place.
- Does your policy meet your institution’s TPRM strategy and risk appetite? Is it adjusted as your TPRM program matures, regulations change, and as auditors/examiners make recommendations?
- A strong policy sets a high bar and gives you leverage going forward to strengthen procedure, process, and contracts. Enforcing TPRM requirements and implementing best practices become a huge challenge when the policy is not driving the intended actions across the enterprise.
Contractual Obligations: Build critical components into your contracts.
- Organizations that slip into the status quo of signing contracts and filing them on a shelf to auto renew will risk overpayment for vendor services they no longer want. Or worse, the contract requirements that are critical to the organization simply become requests that vendors can easily ignore.
- Consider the April 2, 2019, FDIC FIL-19-2019. The Financial Institution Letter (FIL) highlighted examiner observations related to technology service provider contracts. When contracts with third-party service providers lack sufficient detail and do not adequately address applicable risks, such as business continuity and incident response, the responsibility to assess those and subsequent risks and implement appropriate mitigating controls continues to rest squarely on the shoulders of the financial institution. Obtaining supplementary business continuity documentation from the service provider or modifying the financial institution’s own business continuity plan to address contractual uncertainties may be required to effectively monitor and mitigate the additional risk exposure caused by weak contractual agreements.
Fortrex is ready to help you check your footing, check your direction, and build your bridge to success! Contact us to discuss the best solution(s) for your situation – to ease the stress of TPRM and keep your institution compliant.