Vendor risk management or, more specifically, third party risk management has received a great deal of attention over the past decade by all of the major regulators. We have seen a groundswell of new regulatory guidance, some more stringent than others.
The Fed Guidance – What’s Included
The Federal Reserve Bank (FRB or The Fed) guidance on outsourcing risk management is Supervisory Letter SR 13-19 referenced here, which was issued in December 2013, shortly after the OCC's landmark guidance Bulletin 29-2013. The Fed guidance does not delve as heavily into the actual risk assessment process but spends a great deal of time identifying contractual standards that should be included, which states the contracts should clearly define the rights and responsibilities of each party with a detailed overview to further explain the expectations.
In addition, the Fed identified concentration risk as an area of concern, which is a marked difference from most of the other regulatory guidance. Concentration risk is the aggregation of too much product or service with a particular provider or geographic region.
In terms of due diligence, which is another major focus in the guidance, the primary focal points are around business background and reputation, financial performance and operational controls.
The Fed – Final Takeaways
Unlike the other regulators' guidance, interestingly, the Fed guidance is notably silent on the topic of creating standards for termination and documentation requirements and the need for independent reviews. Even if regulated by the Fed, I’d encourage you to review OCC Bulletin 29-2013 for guidance surrounding these areas as it will be beneficial to include termination and exit strategies, documentation and independent review requirements in your overall program.
The approach to developing an effective vendor management program really should be with a holistic and scalable approach. Not every organization will have an abundance of resources, so an emphasis on highlighting and mitigating risk will give you the most bang for your buck.
Download our infographic to learn how to build an effective vendor risk management program.