The overwhelming perception of a 3rd party risk management program is one of a compliance money pit whereby we do the minimum required and go down the compliance checklist to make auditors and examiners happy. I frequently speak, write and teach about driving business value from the 3rd party risk management framework and each stage of its lifecycle in order to raise awareness of the tangible and intangible benefits of investing in building a sound program. However, during the classes I teach and through my speaking engagements, one of the most frequent comments I receive is that obtaining executive sponsorship and enforcing governance of the program is one of the most difficult things to achieve. Most often it’s due to the lack of understanding of the business value of a 3rd party risk management program. Here’s another tool for building your business case for executive sponsorship, investment in the program and governance. Let me know what you think!
Basel II and the upcoming Basel III (scheduled effective date March 31, 2019) incorporate a financial institution’s Operational Risk profile along with its Capital Risk and Market Risk profiles to determine how sound its overall risk management practices are. Simply stated, and without going into the detailed nuts and bolts, sound risk management practices result in a lower overall risk profile, which results in lower Capital Reserve requirements. That could be many millions of dollars that a financial institution can free up for other purposes. So how does a 3rd Party Risk Management program contribute towards this?
Basel II defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” The range of operational risks includes:
When it comes to any type of risk, we have options:
- Accept the risk
- Manage the risk by implementing controls
- Outsource the risk by:
  - Insuring against an adverse event
  - Engaging a 3rd party to perform the service/function
3rd Party Risk Management falls into the Operational Risk domain. When considering outsourcing a significant function to a 3rd party, Outsource Planning is the first activity that must take place. As we teach in our Certified Regulatory Vendor Program Manager Level II Advanced (CRVPM) course, a sound planning process is required to identify the risk inherent in the activity and understand the controls required to mitigate that risk. A sound planning process contributes to reducing Operational Risk, which is a desired outcome of the Basel II and III requirements.
Let’s take it a step further. As Basel II requires in Principles for the Sound Management of Operational Risk, Section 54,
“Outsourcing policies and risk management activities should encompass:
(a) procedures for determining whether and how activities can be outsourced;
(b) processes for conducting due diligence in the selection of potential service providers;
(c) sound structuring of the outsourcing arrangement, including ownership and confidentiality of data, as well as termination rights;
(d) programmes for managing and monitoring the risks associated with the outsourcing arrangement, including the financial condition of the service provider;
(e) establishment of an effective control environment at the bank and the service provider;
(f) development of viable contingency plans; and
(g) execution of comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing provider and the bank.”[1]
The components listed above are essential elements of a 3rd party risk management program and correspond to the following elements, with which we are more familiar through FFIEC Guidance and its supervisory agencies:
- Outsource Planning (12 Steps)
- Selection/Due Diligence
- Data Ownership, Privacy/Confidentiality, Termination Rights
- Ongoing Monitoring and Periodic Review
- Implementation of Physical, Technical and Administrative controls
- Exit Strategy
- Comprehensive contract terms and conditions, including the Rights and Responsibilities of both parties and Service Level Agreements (SLAs)
Managing and assessing Service Level Agreements (SLAs) as well as Key Performance Indicators (KPIs), as can be done with our 3rd Party Toolbox suite of risk and performance scorecards, helps identify elevated risk early in the process and provides an opportunity to open a dialogue with your vendor. By documenting and assessing the vendor’s compliance with its contractually agreed SLAs, you can determine its deviation from what was expected and discuss areas for improvement in order to minimize Operational Risk and stay on the path to achieving the strategic objective of outsourcing that function.
In conclusion, investing in the development of a sound 3rd party risk management program and lowering Operational Risk will contribute towards reaping the benefits of the lower capital reserve requirements afforded to your institution through Basel II.
[1] Copyright 2011, Bank for International Settlements