Third Party Risk Management

Taking TPRM to the Top

Every financial institution has an internal culture related to third party risk management (TPRM). Some organizations move TPRM initiatives forward in the right direction. Others slog along with frustrated participants, unrealistic expectations, and wild assumptions.

What is your TPRM storyline?

  • A top down priority to Management. Smooth, steady, and effective.
  • A hit or miss scramble to put out fires and avoid exam/audit criticism.
  • A constant challenge for your team to engage the organization.
  • An exercise in futility similar to whistling in the wind.

As outsourcing continues to increase, mature, and become more complex in the financial services industry, the day-to-day TPRM storylines are not keeping pace. Many organizations still struggle to recognize internal pain points and resistance. Far too common are TPRM structures that create constant friction for the staff charged with the responsibility to manage vendor relationships and get the required work done.

Consider your organizational approach to TPRM. If you need to change the narrative, here are a few ideas:

  • Review and identify gaps and differences between your regulatory guidance and the reality of your TPRM practices. Don’t rely on scrutiny from your regulator to be the catalyst for change in a reactive culture. Communicate with advocates in your organization that understand the importance of TPRM and expand the conversation. Collaborate across lines of business to create a receptive dialog — especially at the top of the org chart. Present your management team or TPRM governing committee with your collective observations AND propose reasonable solutions. Proactively take steps that gain momentum and create opportunities for ongoing improvement.
  • Remove the side gig mentality that is often associated with performing TPRM work. When the front-line vendor relationship managers already have a full set of responsibilities that do not include TPRM activities, the conflicting priorities collide. The power to enforce effective TPRM is often lost when the very people tasked with the required work are not given appropriate training, enough time, or even performance credit for completing the expected work. Partner with your Human Resources team to institute top-down objectives and solidify the value of effectively executing TPRM activities across the institution.
  • Build a partnership with your internal audit team. By incorporating a single discovery question into every line of business audit, entrance meeting, and/or information request, a new chapter of TPRM is opened. Ask if the business unit or line of business manages a third party vendor relationship. If not, move on. But if the answer is yes, the audit should include an inquiry to the vendor management office (or the person responsible for organization wide TPRM oversight) to identify any missing, unresolved, or late TPRM requirements. Inclusion in the audit scope promotes regulatory compliance and accountability for required TPRM activities.

When your leadership, Executive Team, and Board of Directors talk about your TPRM program, is it a success story? Or does the discussion expose pain points and gaping holes that need to be filled?

Let’s improve your story. We can help you start a fresh conversation with your management team about TPRM. Consider our Letter to Executives.

Contact us to discover the best solution(s) to ease your burden and execute effective third party risk management. It does not need to be an endless uphill climb.