Tracking the Trajectory of Third-Party Risk Guidance

The Federal Reserve, FDIC, and OCC have recently released interagency guidance on managing risks associated with third-party relationships.   

The proposed guidance offers a framework based on sound risk management principles and best practices that financial institutions supervised by the issuing agencies can use to address third-party risks.   

Regulator Guidelines for Third-Party Risk Management 

Stressing the importance of adequately evaluating and managing risks associated with third-party relationships, the guidance emphasizes some baseline assumptions and criteria, including: 

• The use of third parties may offer significant advantages and efficiencies but doesn’t preclude the need for sound risk management. Vendor, supplier, and other third-party partnerships may introduce new risks or increase existing risk exposure in categories such as operational, compliance, reputation, strategic, or credit risk. 
• An institution’s use of third parties does not lessen its responsibility to operate safely while complying with applicable laws and policies. 
• Financial services firms should adopt management processes appropriate to their organizational structure and sufficient for the risk levels and complexity of their third-party relationships. 

It also outlines the third-party risk management lifecycle and principles for each stage, including: 

• Planning and Assessment 
• Due Diligence and Third-Party Selection 
• Contract Negotiation 
• Oversight and Accountability 
• Ongoing Monitoring 
• Termination 

Moving Towards Third-Party Risk Integration 

Organizations need to be proactive in setting internal standards for robust risk management, building capabilities to anticipate emerging risks and address uncertainty.   

For institutions with a mature, integrated governance, risk, and compliance (GRC) management program, these guidelines are nothing new. But many organizations struggle to integrate their third-party management processes with other risk and compliance activities and data — which results in an incomplete understanding of risk exposure. 

Effective third-party risk management (TPRM) requires a strategy that aligns with objectives and connects business functions, processes, and information across the organization. This facilitates transparency and supports consistent policies and procedures.   

Benefits of Integrated Risk Management 

An integrated, technology-enabled TPRM framework facilitates: 

1. Lower costs. A united approach to risk management reduces the headcount, resources, and time required to maintain an effective program. Organizations that pursue digital transformation through GRC technology improve program visibility and efficiency by minimizing manual processes. 

2. Improved data accuracy. Consolidating risk data in a single system minimizes errors and duplication, helping risk managers identify, report on, and monitor areas of risk exposure. Reliable GRC information gives your executive team and board the intelligence they need to make decisions that support organizational strategy and objectives. 

3. Enhanced accountability. An effective third-party management strategy and system provides internal and external stakeholders, including regulators, with evidence of sound risk management practices.

An effective, efficient, and agile third-party risk management program needs to be a seamless part of your organization’s operations and embedded within your corporate culture. Developing an integrated approach requires significant effort across all organizational levels, as well as the three lines of risk management. For institutions that want to keep pace with regulatory requirements and gain a competitive advantage, the effort is a strategic investment in risk management maturity and operational resilience.