Vendor management is a complex set of processes that requires the involvement of many people within an organization, including its board of directors and senior management. Not only is it a sound business practice, but it’s also a regulatory requirement. The OCC’s Bulletin 29-2013 is just one of the guidelines that emphasizes the need for senior management and board involvement within vendor management. However, it should be noted that this guidance could be replaced with the Proposed Interagency Guidance on Third-Party Relationships: Risk Management, which was jointly proposed by the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC).
The regulatory requirements aren’t limited to those. Two other regulatory guidelines that cover this requirement of board involvement can be found in the Comptroller’s Handbook’s series on Corporate and Risk Governance and the FDIC’s Guidance for Managing Third-Party Risk, which we’ll cover briefly in this blog.
The board of directors and senior management play important roles in an organization’s vendor management program. In a broad sense, both groups are expected to set the “tone-from-the-top” to ensure that the vendor management program performs effectively. Without the most senior levels of the organization establishing clear goals and strategies, there will likely be many issues down the line.
Here’s a brief description that outlines both parties’ responsibilities:
Now that you have a better idea of how the board and senior management are involved in vendor management, let’s turn our attention to the guidance. After all, failure to remain in compliance with regulatory guidelines can lead to serious consequences.
The OCC Bulletin 29-2013 has this to say about oversight and accountability within risk management processes:
The bank’s board of directors (or a board committee) and senior management are responsible for overseeing the bank’s overall risk management processes. The board, senior management and employees within the lines of businesses who manage the third-party relationships have distinct but interrelated responsibilities to ensure that the relationships and activities are managed effectively and commensurate with their level of risk and complexity, particularly for relationships that involve critical activities.
The board of directors should specifically be responsible for the following tasks:
Additionally, senior management should perform these tasks:
Oversight is also a theme in the OCC’s Corporate and Risk Governance publication, which specifies that the board is responsible for overseeing senior management and for providing leadership to the organization. Other duties include:
The FDIC gives guidance on the involvement of the board of directors and senior management in its publication Guidance for Managing Third-Party Risk:
An institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.
The guidance further states that the board should approve, oversee and review significant third-party relationships, while management should periodically review the third party’s operations to confirm consistency with the organization’s written agreement.
So, there’s no doubt about it – the responsibility of vendor management goes all the way up to senior management and the board.
A good starting point to ensure involvement is to make sure your organization has well-written governance documentation such as a vendor management policy, program and procedures.