Vendor management is a complex set of processes that requires the involvement of many people within an organization, including its board of directors and senior management. Not only is it a sound business practice, but it’s also a regulatory expectation. The OCC’s Bulletin 2013-29 is just one of the guidelines that emphasizes the need for senior management and board involvement in vendor management. It should be noted, however, that this guidance may be superseded by the Proposed Interagency Guidance on Third-Party Relationships: Risk Management, which was jointly proposed by the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC).
The regulatory expectations aren’t limited to those. Two other regulatory guidelines that address board involvement can be found in the Comptroller’s Handbook booklet on Corporate and Risk Governance and the FDIC’s Guidance for Managing Third-Party Risk, which we’ll cover briefly in this blog.
Importance of Board and Management Involvement
The board of directors and senior management play important roles in an organization’s vendor management program. In a broad sense, both groups are expected to set the “tone-from-the-top” to ensure that the vendor management program performs effectively. Without the most senior levels of the organization establishing clear goals and strategies, there will likely be many issues down the line.
Here’s a brief description that outlines both parties’ responsibilities:
- Board of Directors: The board determines the mission and strategy of the organization and reviews and approves the vendor management program. It should also periodically review the effectiveness of the program and remain aware of which third parties the organization considers critical.
- Senior Management: This group will take on a more active role in developing and implementing the vendor management process. Senior management also has the important task of reviewing and approving third-party contracts.
What the Regulatory Guidance Says
Now that you have a better idea of how the board and senior management are involved in vendor management, let’s turn our attention to the guidance. After all, failure to remain in compliance with regulatory guidelines can lead to serious consequences.
OCC Bulletin 2013-29 has this to say about oversight and accountability within risk management processes:
The bank’s board of directors (or a board committee) and senior management are responsible for overseeing the bank’s overall risk management processes. The board, senior management and employees within the lines of businesses who manage the third-party relationships have distinct but interrelated responsibilities to ensure that the relationships and activities are managed effectively and commensurate with their level of risk and complexity, particularly for relationships that involve critical activities.
The board of directors should specifically be responsible for the following tasks:
- Approving critical third-party contracts
- Identifying and reviewing ongoing monitoring results of critical activities
- Reviewing the results of periodic independent reviews of the organization’s vendor management process
- Approving the risk-based policies that govern the vendor management process
Additionally, senior management should perform these tasks:
- Establish the organization’s risk-based policies
- Develop the strategies for engaging third parties and identifying those involved in critical activities
- Review and approve third-party contracts; keep in mind that the board needs to approve contracts for critical third parties
- Terminate third-party relationships that don’t align with the organization’s goals and objectives
Oversight is also a theme in the OCC’s Corporate and Risk Governance booklet, which states that the board oversees senior management and provides leadership for the organization. Other board duties it lists include:
- Overseeing a compliance management system to ensure its effectiveness
- Establishing performance standards for senior management
- Ensuring that a system of internal controls is in place
- Understanding the framework of legal and regulatory requirements that are applicable to the organization’s activities
The FDIC addresses board of directors and senior management involvement in its publication Guidance for Managing Third-Party Risk:
An institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.
The guidance further states that the board should approve, oversee and review significant third-party relationships, while management should periodically review the third party’s operations to confirm that they remain consistent with the organization’s written agreement.
So, there’s no doubt about it – the responsibility of vendor management goes all the way up to senior management and the board.
A good starting point to ensure involvement is to make sure your organization has well-written governance documentation such as a vendor management policy, program and procedures.