6 Core Elements of Effective Third-Party Risk Management

Managing third-party risk is a top priority for financial institutions. As regulatory expectations continue to evolve, institutions need to remain diligent in developing a program that mitigates the risks posed by outside vendors and protects their data, operations, and finances.

Federal Reserve Board (FRB) supervisory guidance SR 13-19 states that an effective third-party risk management program should include six core elements. (Similar guidance and program requirements from the OCC can be found in OCC Bulletin 2013-29.)



Risk Assessments

  • Ensure outsourcing decisions are consistent with the strategic direction and overall business strategy of the organization.
  • Analyze the benefits and risks of outsourcing.
  • Consider multiple qualified and experienced service providers.
  • Update risk assessments regularly.



Due Diligence and Selection of Service Providers

  • The depth of due diligence and evaluation will vary depending on the scope, complexity, and importance of the outsourcing arrangement.
  • Engage technical experts and key stakeholders in the review and approval process.
  • Key components of the due diligence process include a review of the service provider’s:
    • Business background
    • Reputation
    • Strategy
    • Financial performance and condition
    • Operations and internal controls



Contract Provisions and Considerations

  • The terms of service agreements should be defined in written contracts that have been reviewed by legal counsel prior to execution.
  • Elements of the contract should include:
    • Scope
    • Cost and compensation
    • Right to audit
    • Monitoring of performance standards
    • Confidentiality and security of information
    • Ownership and license
    • Indemnification
    • Default and termination
    • Dispute resolution
    • Limits on liability
    • Insurance
    • Customer complaints
    • Business resumption and contingency plans
    • Foreign-based service providers
    • Subcontracting



Incentive Compensation Review

  • Ensure that an effective process is in place to review and approve any incentive compensation that may be embedded in the contracts.
  • Ensure an incentive compensation review is part of the ongoing due diligence process.



Business Continuity and Contingency Plans

  • Ensure each vendor has a documented disaster recovery and business continuity plan (DR/BCP).
  • Maintain an exit strategy, including a pool of comparable service providers, in the event that a contracted provider is unable to perform.



Oversight and Monitoring of Service Providers

  • Document a risk-based third-party program that adheres to regulatory requirements.
  • Establish and monitor performance metrics for individual vendors.
  • Create a governance structure for appropriate executive and board oversight.

This information was developed by Emily Nachlas, Director of Enterprise Risk Management, IBERIABANK as part of a presentation during RMA’s Governance, Compliance, and Operational Risk Conference (GCOR) XIII on April 11, 2019.

About RMA

The Risk Management Association (RMA) is a not-for-profit, member-driven professional association serving the financial services industry. Its sole purpose is to advance the use of sound risk management principles in the financial services industry. RMA promotes an enterprise approach to risk management that focuses on credit risk, market risk, operational risk, securities lending, and regulatory issues.
