Is Sr Management & Board Involved Enough In Vendor Management? Ask These Questions

A few weeks ago we discussed the importance of senior management and board involvement regarding vendor management. How do you know if you're following the OCC Bulletin 29-2013 guidance and OCC Bulletin 7-2017 supplementary examination procedures correctly? Ask these questions to help.

Board of Directors Requirements

• What guidance says: Ensure an effective process is in place to manage risks related to third party relationships in a manner consistent with the financial institution’s strategic goals, organizational objectives and risk appetite.
  
  • Ask yourself: Has your financial institution aligned your processes with an overall risk framework?
• What guidance says: Approve the financial institution’s risk-based policies that govern the third party risk management process and identify critical activities.
  
  • Ask yourself: Are your policy and program documents up to date and consistent with the guidance? Are your policy and program approved annually by the board?
• What guidance says: Review and approve management plans for using third parties that involve critical activities.
  
  • Ask yourself: Does the board have a plan for reviewing new and critical third parties?
• What guidance says: Review summary of due diligence results and management’s recommendations to use third parties that involve critical activities.
  
  • Ask yourself: Does the board require updated due diligence on a recurring basis for all third parties?
• What guidance says: Approve contracts with third parties that involve critical activities.
  
  • Ask yourself: Does the board have a process in place for reviewing and approving third party contracts?
• What guidance says: Review the results of management’s ongoing monitoring of third party relationships involving critical activities.
  
  • Ask yourself: Does the board have a documented monitoring program?
• What guidance says: Ensure management takes appropriate actions to remedy significant deterioration in performance or address changing risks or material issues identified through ongoing monitoring.
  
  • Ask yourself: Will the board notice and address, at a board level, significant concerns in your third parties?
• What guidance says: Review results of periodic independent reviews of the financial institution’s third party risk management process.
  
  • Ask yourself: Is third party risk part of your audit program?

Senior Management Requirements

• What guidance says: Develop and implement the financial institution's third party risk management process.
  
  • Ask yourself: Is senior management involved in the development and administration of third party risk?
• What guidance says: Establish the financial institution's risk-based policies to govern the third party risk management process.
  
  • Ask yourself: Is there a process or an existing protocol for third party risk that has been approved by senior management and the board?
• What guidance says: Develop plans for engaging third parties, identify those that involve critical activities and present plans to the board when critical activities are involved.
  
  • Ask yourself: Is there a documented set of steps to follow for boarding new third parties?
• What guidance says: Ensure appropriate due diligence is conducted on potential third parties and present results to the board when making recommendations to use third parties that involve critical activities.
  
  • Ask yourself: Is due diligence required prior to contracting a new third party?
• What guidance says: Review and approve contracts with third parties. Board approval should be obtained for contracts that involve critical activities.
  
  • Ask yourself: Are there contractual standards for third parties?
• What guidance says: Ensure ongoing monitoring of third parties, respond to issues when identified and escalate significant issues to the board.
  
  • Ask yourself: Is there a documented set of guidelines for ongoing monitoring?
• What guidance says: Ensure appropriate documentation and reporting throughout the lifecycle for all third party relationships.
  
  • Ask yourself: Is there clear adherence to the guidance to ensure that all third party activities are conducted continuously rather than a snapshot at a point in time?
• What guidance says: Ensure periodic independent reviews of third party relationships that involve critical activities and of the financial institution’s third party risk management process. Analyze the results, take appropriate actions and report results to the board.
  
  • Ask yourself: Is senior management holding audit accountable for reviewing third party risk management program activities?
• What guidance says: Hold accountable the financial insitution employees within business lines or functions who manage direct relationships with third parties.
  
  • Ask yourself: Is there sufficient training, particularly at the front line, to ensure everyone understands their role in third party risk management?
• What guidance says: Terminate arrangements with third parties that do not meet expectations or no longer align with the financial institution’s strategic goals, objectives or risk appetite.
  
  • Ask yourself: Are there clear provisions in every contract to dictate what steps and mutual responsibilities there are to terminate third parties?  Equally important, what happens to the data post-termination?
• What guidance says: Oversee enterprise-wide risk management and reporting of third party relationships.
  
  • Ask yourself: Is your third party risk management program a part of your institution’s overall enterprise risk program with fully developed standards?

You should be answering "yes" to all of these questions. If you have trouble responding to any of these, it’s time to give your third party risk program a full review and adjust where needed.