The optimist sees the glass as half full; the pessimist sees the glass as half empty; the engineer sees a waste of too much glass; the compliance officer sees it as potential shattering and injuring everyone.
It really is all about perspective and understanding one another’s point of view. Analyzing risk from several different perspectives is very important so that you have a fully framed and comprehensive view of the risks associated with doing business with a particular third party.
The Perspectives at Play for Third Party Risk
- The board members have a significant perspective and expect a well-managed program. They are ultimately responsible for risk management and must help set the tone from the top. This is not only a good business practice, it's firmly mandated by OCC and FDIC guidance - active board involvement is absolutely essential to a well-managed program.
- Your internal audit function has an important perspective, determining the effectiveness of the program. Have them formally review your program as part of their recurring audit work. If they can't or won't, see if your risk committee will authorize you to get external audit assistance.
- Your legal counsel has a unique perspective, helping to both represent the program and point out significant regulatory changes that may impact the program. They will absolutely be essential in helping to navigate changing guidance and how your program may intersect with other important legal requirements.
By fully identifying the risks, you can ensure that the appropriate controls can then be established to control those risks. Controlling the risks reduces exposure to the institution and can help minimize the chances of unwanted surprises. The investment of time and resource is well worth it.
So, is the glass half empty or half full? As for me, my perspective is simply add more ice cubes.