Third Party Risk Management

Reconnecting TPRM and BCP

C-suite decisions are made every day that impact the resiliency, deliverables, and connected activities that are performed by outsourced partners and internal stakeholders. Some decisions have the potential to de-rail the continuity of your operations and the effectiveness of your Third Party Risk Management (TPRM) program.

Planning for disruption of any kind requires both internal and external awareness. Comparing a financial institution’s TPRM program and Business Continuity Plan (BCP) standards may identify competing priorities within the organization. The results can be a catalyst to broad collaboration and reconnection, or simply lead to a colossal train wreck.

Do your TPRM and BCP programs connect — or collide?

  • Closely linking TPRM and business continuity adds value. Connecting the two programs can balance risk, minimize surprise when recovery hierarchy comes into play, and prevent a battle for resources. At the end of the day, resilience capabilities are about your business, your customers, your suppliers and partners, and your reputation to deliver on your promises.
  • Integrating BCP and TPRM eliminates conflicting data. We have seen institutions assign vendor criticality and inherent risk ratings in the TPRM program that do not match the same vendors in the BCP. This causes confusion and increased risk exposure. Continuity of operations depends on clear, current, and consistent data that can be trusted across the organization.
  • Effective inventory management warrants an in-depth comparison between your business impact analysis(BIA) requirements and the third party relationships in your TPRM program. Disparities become obvious when inherent risk ratings, Recovery Time Objectives (RTO), and Recovery Point Objectives (RPO) are not aligned and validated. Remember, the significance of an outsourced service provider to your financial institution may not be reciprocated. Your institution may not be considered a significant client to the vendor (or may be one of many). Make sure you are on track to receive timely attention and adequate recovery of your corporate, operational, and technical functions. And clearly define the expectations in your contract and/or service level agreement.
  • Operating your business continuity and TPRM in silos can create disjointed and disconnected oversight programs that introduce risk to the organization. Internal and external interdependencies must be transparent and accounted for in TPRM and BCP policy, procedure, training, testing, and maintenance practices — across all lines of business. Stabilize your TPRM program and ensure the alignment of outsourced vendor criticality and inherent risk ratings by cross-referencing the data with established BCP standards and BIA results.
  • Review your TPRM and BCP programs and flag inconsistencies. Align and update the details as often as necessary to ensure successful execution in crisis. Document. Document. Document. Leave assumptions behind and pro-actively get the details right before you actually need to rely on them to recover. Unexpected decisions and changes happen every day, so maintain open lines of communication with strategic vendors to quickly navigate changes, identify negative trends, reduce surprises, and keep documentation current.
  • Test internally AND jointly with your vendors to ensure satisfactory results. Sure, tabletop testing has its place. But it is not comprehensive. Entrench real results into the planning process and remove assumption-based expectations. Examine the results. Define what worked well. Investigate what failed and apply lessons learned with every step. Train for awareness, but test for execution.
  • Like most scenarios, pandemic responses have been discussed as a component of business continuity for many years. However, recovery plans reach far beyond the standard option to allow employees to work remotely. Sending staff home with a laptop (or other mobile device) presents data access and production challenges. Potential data risks, gaps in procedure/deliverables, and supplier roadblocks must be evaluated, fully tested, mitigated, authorized, and documented.

The planning and third party selection phases of the TPRM lifecycle present an opportunity to evaluate multiple service providers for near term partnerships and future circumstances. For example:

  • A Request for Proposal (RFP) generally results in a contract being signed with the selected vendor. Often, a close runner up is identified as an alternate service provider. If it makes sense for vendors that are providing critical/core business functions, capitalize on the time and effort that has been invested in the RFP process. Consider entering into a formal letter agreement that designates the runner up as the financial institution’s alternate vendor of choice (BCP preferred provider).
  • If transitioning to “Plan B” is required in the future, this approach can speed up the due diligence process for the alternate provider, allowing them to step in quickly at an agreed upon price to resolve or reduce business disruption. During the upfront evaluation of vendors, you have their attention and they are vying for your business. The pain of business disruption can be lessened by leveraging that attention and building a contingency based relationship. Maintaining and periodically re-evaluating the relationship can reduce future surprises and reduce your burden during periods of operational recovery.

The various regulatory agencies have published an abundance of guidance regarding third party risk management, business continuity and disaster recovery planning, and the importance of managing the interdependencies. It can be overwhelming to assimilate the requirements into your organization. The good news is that we can help you.

Contact us to get your institution’s third party risk management program and business continuity plan integrated, on track, and headed in the same direction. There is a light at the end of that tunnel. Let’s make sure it’s not a train barreling towards you.