Channel Your Inner Regulator to Improve Third and Fourth-Party Risk Management

3 minute read

July 2015

If you are like most banks and financial service companies, then chances are you outsource some element of your current daily business activities. Whether you use third- or fourth-parties for credit checks, server support or facility maintenance, these external relationships are vital to helping busy organizations streamline operations and take advantage of outside expertise. Unfortunately, what you don’t know about these business partners can hurt you and your Third and Fourth-Party Risk Management program.

Stay Ahead of Regulations for Third and Fourth-Party Risk Management

What’s the key to covering your back when it comes to third and fourth-party risk? According to a General Counsel News article by ProcessUnity’s VP of Field Operations, Sean Cronin, you need to think like the people responsible for keeping risk out of the industry: The regulators.

While channeling your inner regulator may not be easy, it’s vital for those of us who make our living in risk management.

Here are some other key tips Cronin lays out to help you think like an industry watchdog:

Today, both the Boards of Directors and Senior Managers at banks are personally responsible for ensuring the actions taken by their partners comply with the law. This individual liability is outlined in 2013’s OCC Bulletin 2013-29, which reads: “A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.”

  • Regulator’s insight: Thoroughly inspect and assess every third- and fourth-party vendor, because you will be held accountable for their business practices.

Pay attention to the issue of continuous risk management. Most firms perform risk due diligence before initiating their contract with a third-party service provider. However, those thinking like their inner regulator understands that effective risk management requires ongoing follow-up. You want to develop a repeatable program for assessing risk to ensure the controls that were in place at the outset of your working relationship remain effective over time, and that adjustments are made to manage any new risks that arise.

  • Regulator’s insight: According to the General Counsel News article, “you don’t get what you expect, you get what you inspect.” Because business is fluid, your risk due diligence needs to consistently manage your potential threats in an automated, repeatable manner. 

Rely on cloud-based automation for real-time data and support. The less time your organization has to spend relying on manual tasks to control risk, the more time you will have to allocate resources on critical third and fourth-party risk management concerns, such as focusing on high-risk vendors or high-exposure activities. Cloud-based solutions are easier to deploy and more affordable to manage than comparative on-premise solutions. With minimal set-up and self-service vendor assessments, banks and other institutions don’t need to make large technology investments to get to cutting-edge, regulator-ready solutions and they don’t need to rely on their IT team’s availability to effectively support their third and fourth-party risk management practices.

  • Regulator’s insight: Regulators are looking for a few risk management keywords: proactive, consistent, and repeatable, to make sure your risk management processes don’t create cracks that risks could fall through. Automation will bring a new level of intelligence to your program, helping you find and assess trends among your third- and fourth-party vendors, reduce overall risk exposure, and identify the proverbial “needle in a haystack” that may help you prevent a serious breach.

Despite their preference for legalese, regulators are on your team. They have exactly the same goal as risk managers – to reduce third-and fourth-party risk exposure and protect vital company interests by strengthening third and fourth-party risk management. By understanding what activities our agency colleagues are trying to prevent, and what assurances they are looking for in your business processes, you will be well on your way to developing a best-in-class risk management program that will protect your firm as effectively as a regulator would.

For additional details on how to intercept risks before they become problems, download our whitepaper, Conducting Pre-contract Due Diligence in a Digitally Connected World.

Related Articles

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit