By David Medrano and Kirby Chatterley
Amid the myriad guidance, standards and practices involved in managing and assessing third-party service providers, a newly published interagency joint guidance has emerged to better support organizations with their programs. Although the approach and risk-based methodology will still vary from organization to organization, this newly published guidance can help organizations move in the right direction.
Purpose of the New Guidance
The primary regulatory bodies overseeing the financial services and banking sector have consolidated their approaches, considerations, and recommendations into one comprehensive guidance for Third-Party Risk Management. This guidance is the culmination of the approaches previously provided by the federal bank regulatory agencies, and it replaces each agency’s separate approach and considerations. Although this guidance may not apply to all industries, its approach and methodology can be used to better mature any Third-Party Risk Management program.
Key Revisions within the Guidance
The joint guidance has multiple updates to consider; however, the message remains the same: a risk-based approach to managing third-party relationships is more important now than it has ever been. Without going through all of the updates, here are some key considerations:
Subcontractor/Nth Party Relationships
Many organizations use a tiering methodology to determine which of their third parties are considered critical. Some organizations go beyond this and assign this “criticality” to subcontractors as well. Although analyzing fourth-party relationships remains a key point, the term “critical subcontractor” is no longer referenced within the guidance. Maintaining an inventory of subcontractors is essential, and if criticality is applied to them, its benefits should be evaluated and used to guide subsequent actions.
Contract Management and Board Oversight
Contracts are an important part of any Third-Party Risk Management program. They are common to nearly all such programs and ensure that expectations such as performance, security controls, etc., are clearly defined. Previous guidance set the expectation that the board approve critical third-party contracts prior to their execution. This has been revised to limit the expectation that the board approve these contracts. Under the new guidance, the board must be made aware of the program, determine the level of input that is needed and, if necessary, consider subcommittees.
Ongoing monitoring is a continuously evolving process. Many organizations adopt a reassessment cadence, in addition to business review processes, to ensure third-party service providers are actively monitored. Now, more than ever, maintaining an appropriate ongoing monitoring program is becoming much more difficult due to the increase in outsourced activities. An approach that some organizations are adopting is to supplement their ongoing monitoring activities by using third-party content and monitoring providers to actively monitor their higher-risk third parties. The new joint guidance acknowledges this approach, and although specific providers or scope are not provided, this new language should be considered a key area of note. With the number of third-party tools available, it is important to evaluate the capabilities these tools offer to ensure an organization is made aware of any new risks that appear during the relationship.
Although there are many other key updates to this joint guidance, it is important to remember the following:
- An appropriate third-party risk management program is important to managing risks;
- The approach must be risk-based and should be customized to each organization;
- Execution should be consistent; and
- Senior management oversight is critical.
It is important to be aware of changes to regulations, standards, and best practices. In addition, a thorough analysis of how a program compares to these new approaches is highly recommended. Many of the updates found within the guidance are driven by feedback from organizations and subject matter experts. Although much of this guidance does not change the core Third-Party Risk Management expectations (e.g., planning, due diligence, contract negotiation), the updates should be analyzed to ensure programs meet an optimal level of maturity. Some subject matter experts and third-party risk practitioners recommend conducting this type of analysis (a) when a material change to guidance is published or (b) on an annual basis.
How MorganFranklin Can Help
MorganFranklin can help your company implement a third-party/vendor risk management program that best fits your needs. With experience from certified third-party risk experts and our flexible delivery models, MorganFranklin can help you implement a mature third-party risk lifecycle, a GRC system/tool (automate your program and start a process at the push of a button), as well as supplemental processes (e.g., key risk indicators, exit strategy considerations, maturity model analysis).