Risky business: Vendor management
Many financial institutions (FI) turn to third-party vendors to support their day-to day-business for reasons ranging from headcount to lack of in-house expertise. Whether the work is done internally or externally, effective risk management is critical. The Office of the Comptroller of the Currency (OCC), and other regulatory and watchdog agencies and associations, have long been concerned though that the quality of risk management over third-party relationships may not be commensurate with the level of risk and complexity these relationships bring.
A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.
There are several ways your FI may be putting your institution and account holders at risk. For example:
- Failing to properly assess and understand the risks, including direct and indirect costs, involved in third-party relationships.
- Failing to perform adequate due diligence and ongoing monitoring of third-party relationships.
- Entering into contracts without assessing the adequacy of a third party’s risk management practices.
- Entering into contracts that incentivize a third party to take risks that are detrimental to the bank or its customers, to maximize the third party’s revenues.
- Engaging in informal third-party relationships without contracts in place.
All illustrate the need for more comprehensive and rigorous oversight and management of third-party relationships that involve critical activities like payments, clearing, settlements, and custody, and significant shared services like information technology.
An effective third-party risk management process follows a continuous life cycle for all relationships and incorporates these phases:
- Planning: Develop a plan to manage the relationship is often the first step in the third-party risk management process.
- Due diligence and third-party selection: Conduct a review of a potential vendor before signing a contract to help ensure that the bank selects a partner aligned with the bank’s appetite for risk.
- Contract negotiation: Develop a contract that clearly defines expectations and responsibilities to ensure the contract’s enforceability, limit the bank’s liability, and mitigate disputes about performance.
- Ongoing monitoring: A rolling assessment of the third-party relationship once the contract is in place is essential to mitigate risk in a timely manner.
- Termination: Develop a contingency plan to ensure that the bank can transition the activities to another third party, bring the activities in-house, or discontinue the activities when a contract expires, the terms of the contract have been satisfied, in response to contract default, or in response to changes to the bank’s or third party’s business strategy.
Other things to consider as part of an effective risk management process:
- Oversight and accountability: Assign clear roles and responsibilities for managing third-party relationships. Integrate the bank’s third-party risk management process with your enterprise risk management framework to enable continuous oversight and accountability.
- Documentation and reporting: Proper documentation and reporting facilitates oversight, accountability, monitoring, and risk management associated with third-party relationships.
- Independent reviews: Conduct periodic independent reviews of the risk management process to enable management to assess whether the process aligns with the bank’s strategy and effectively manages the risk posed by third-party relationships.
Compliance: A deciding factor
While some institutions may find meeting third-party vendor compliance difficult, and even onerous, it goes a long way in assuring account holders and prospects that your FI takes the safety and security of funds seriously. In fact, for many consumers and businesses, compliance can be a deciding factor when choosing an institution.
In Part 2 of this discussion, we’ll talk about Q2’s proactive approach to third-party vendor risk management, and offer a few tips to help your institution. We’ll also discuss the importance of providing, receiving, and retaining information for bank management — an area where Q2 can provide significant advantages to banks and credit unions.
Source: Office of the Comptroller of the Currency, 2013