6 Core Elements of Effective Third-Party Risk Management
Managing third-party risk is a top priority for financial institutions. As regulatory expectations continue to evolve, institutions need to remain diligent in developing a program that mitigates the risks posed by outside vendors and protects the institution's data, operations, and finances.
FRB Regulatory Guidance in SR 13-19 states that an effective third-party risk management program should include six core elements. (Similar guidance and program requirements from the OCC can be found in the OCC Bulletin 2013-29.)
1st Core Element: Risk Assessments
Keep risk assessments consistent with the strategic direction and overall business strategy of the organization.
Analyze the benefits and risks of outsourcing.
Consider multiple qualified and experienced service providers.
Update risk assessments regularly.
2nd Core Element: Due Diligence and Selection of Service Providers
Due diligence and evaluations will vary depending on the scope, complexity, and importance of the outsourcing arrangement.
Engage technical experts and key stakeholders in the review and approval process.
Key components of the due diligence process include a review of the service provider's:
Business background
Reputation
Strategy
Financial performance and condition
Operations and internal controls
3rd Core Element: Contract Provisions and Considerations
The terms of service agreements should be defined in written contracts that have been reviewed by legal counsel prior to execution.
Elements of the contract should include:
Scope
Cost and compensation
Right to audit
Monitoring of performance standards
Confidentiality and security of information
Ownership and license
Indemnification
Default and termination
Dispute resolution
Limits on liability
Insurance
Customer complaints
Business resumption and contingency plans
Foreign-based service providers
Subcontracting
4th Core Element: Incentive Compensation Review
Ensure that an effective process is in place to review and approve any incentive compensation that may be embedded in the contracts.
Ensure an incentive compensation review is part of the ongoing due diligence process.
5th Core Element: Business Continuity and Contingency Plans
Ensure each vendor has a documented disaster recovery and business continuity (DR/BCP) plan.
Maintain an exit strategy, including a pool of comparable service providers, in the event that a contracted provider is unable to perform.
6th Core Element: Oversight and Monitoring of Service Providers
Document a risk-based third-party program that adheres to regulatory requirements.
Establish and monitor performance metrics for individual vendors.
Create a governance structure for appropriate executive and board oversight.
This information was developed by Emily Nachlas, Director of Enterprise Risk Management, IBERIABANK as part of a presentation during RMA’s Governance, Compliance, and Operational Risk Conference (GCOR) XIII on April 11, 2019.
About RMA
The Risk Management Association (RMA) is a not-for-profit, member-driven professional association serving the financial services industry. Its sole purpose is to advance the use of sound risk management principles in the financial services industry. RMA promotes an enterprise approach to risk management that focuses on credit risk, market risk, operational risk, securities lending, and regulatory issues.
Membership in RMA
With your RMA membership, you benefit from the member-driven resources and industry information essential for managing today’s economic challenges. In addition to a free subscription to The RMA Journal® and discounts on all RMA events, products, services, and training, membership also provides countless networking opportunities and exposure to the industry’s key decision makers and managers.