Getting Started With Third-Party Risk Management: Two Key Questions
By Michele Sullivan
Banks often outsource a variety of essential services to third-party vendors. In light of increased regulatory attention and third-party involvement in day-to-day business operations, many bank boards and senior management teams are considering their approach to developing a third-party risk management program. A thoughtful approach based on an initial assessment of the bank's current state can result in better risk management and compliance that aren't overly burdensome. Addressing two important questions will help begin the process of successfully launching a third-party risk management program that is both compliant and effective.
Does our bank have a full inventory of its contracts and agreements?
While most banks have some type of contract management system, many still rely on low-tech storage, such as databases of scanned copies or even hard copies in file cabinets, from which data can't be extracted. Such storage rarely contains complete records of all executed contracts, and even simple data like contract renewal notification and expiration dates are not tagged or automated. In such environments, contract terms and conditions don't keep pace with changes to regulations and the business environment, and financial reporting and accounting concepts, such as unrecorded liabilities, contingencies, and financial commitments, exist but may not be understood or monitored.
To address such drawbacks, banks should do a complete inventory of critical relationships to ensure that they have a complete inventory of current contracts. The contracts should meet current regulatory and business requirements, and data within the contracts should be metatagged, meaning tagged with coding so it can be detected by search functionality in software. Banks should consider establishing standard, required contract terms and using technology to track compliance. Increasingly, contracts are being moved into third-party risk management systems for a "single-book-of-record" view and improved risk management beyond basic compliance.
How do we identify all relevant third parties and manage the overall effort?
The potential universe of third parties in an organization can seem endless, from global companies to intercompany affiliates to mom-and-pop providers. On top of that, the potential universe of third parties is never constant. Companies are regularly onboarding and terminating third parties and expanding or reducing third-party services.
While it is important to build data and artifacts (certificates of insurance, documentation of financial viability, or service organization control reports, for example) that support a risk assessment at the third-party relationship level, it is easy to lose sight of the entire population of third-party relationships. Depending on how a bank defines third parties, that population could include franchisees, external salespeople and debt holders, among others. This is one area of risk management where completeness counts.
To make such a project manageable, banks should create a strategy and roadmap to systematically identify third parties using an inclusive definition. Banks should invest in the initial data-gathering phase and make it an enterprisewide endeavor. Effective sources of relevant information include surveys conducted by the various lines of business, contract facilities and databases, accounts-payable systems, and legal counsel. The process needs to be sustainable, or the population will soon become out of date. Banks should conduct an initial review of third-party relationships by identifying categories and potential risk factors to assist with prioritizing the evaluation. The project strategy and roadmap should start with the third parties that pose a higher risk. The project roadmap should include necessary activities and the timing and resource needs related to existing and future third-party due diligence and assessments.
Moving Forward
As financial institutions work to effectively comply with the regulatory guidance and manage the risks associated with third-party relationships, creating a strategy and roadmap will help achieve compliance and avoid an overly burdensome process.
About the author: Michele Sullivan is a partner with Crowe Horwath LLP and can be reached at +1 574 235 6824 or michele.[email protected].
Western Banker (www.wib.org), July/August 2016