Channel Your Inner Regulator to Improve 3rd and 4th Party Risk Management
If you are like most banks and financial service companies, then chances are you outsource some element of your current daily business activities. Whether you use 3rd- or 4th-parties for credit checks, server support or facility maintenance, these external relationships are vital to help busy organizations streamline operations and take advantage of outside expertise. Unfortunately, what you don’t know about these business partners can hurt you and your Vendor Risk Management program.
What’s the key to covering your back when it comes to 3rd and 4th party risk? According to a recent General Counsel News article by ProcessUnity’s VP of Field Operations, Sean Cronin, you need to think like the people responsible for keeping risk out of the industry: The regulators.
While channeling your inner regulator may not be easy, it is vital for those of us who make our living in risk management.
Here are some other key tips Cronin lays out to help you think like an industry watchdog:
- Today, the Boards of Directors and Senior Managers at banks remain responsible for ensuring that the actions taken by their partners comply with the law. This responsibility is spelled out in OCC Bulletin 2013-29, which reads: “A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.”
Regulator’s insight: Thoroughly inspect and assess every third- and fourth-party vendor, because you will be held accountable for their business practices.
- Pay attention to the issue of continuous risk management. Most firms perform risk due diligence before initiating their contract with a third-party service provider. However, those thinking like their inner regulator understand that effective risk management requires ongoing follow-up. You want to develop a repeatable program for assessing risk to ensure that the controls in place at the outset of your working relationship remain effective over time, and that adjustments are made to manage any new risks that arise.
Regulator’s insight: According to the General Counsel News article, “you don’t get what you expect, you get what you inspect.” Because business is fluid, your risk due diligence needs to reassess your potential threats on a consistent schedule, in an automated, repeatable manner.
- Rely on cloud-based automation for real-time data and support. The less time your organization has to spend on manual tasks to control risk, the more time you will have to allocate resources to critical vendor management concerns, such as focusing on high-risk vendors or high-exposure activities.
Cloud-based solutions are easier to deploy and more affordable to manage than comparable on-premises solutions. With minimal set-up and self-service vendor assessments, banks and other institutions don’t need to make large technology investments to get to cutting-edge, regulator-ready solutions, and they don’t need to rely on their IT team’s availability to effectively support their risk management practices.
Regulator’s insight: Regulators are looking for a few risk management keywords: proactive, consistent, and repeatable, to make sure your risk management processes don’t create cracks that risks could fall through. Automation will bring a new level of intelligence to your program, helping you find and assess trends among your third- and fourth-party vendors, reduce overall risk exposure, and identify the proverbial “needle in a haystack” that may help you prevent a serious breach.
Despite their preference for legalese, regulators are on your team. They have exactly the same goal as risk managers: to reduce third- and fourth-party risk exposure and protect vital company interests. By understanding what activities your agency colleagues are trying to prevent, and what assurances they are looking for in your business processes, you will be well on your way to developing a best-in-class risk management program that will protect your firm as effectively as a regulator would.
For additional details on how to intercept risks before they become problems, download our whitepaper, Conducting Pre-contract Due Diligence in a Digitally Connected World.