Review of regulatory compliance oversight requirements for any organization can be a great refresher for the C-Suite and a reminder to better understand the purpose of, and requirement to implement, a robust third party risk oversight program.
The C-level executive needs to understand that while services and processes may be outsourced, the ultimate risk of engaging a vendor remains with the organization receiving that service. Think of the risk as an anchor or simply a cost of doing business.
Third party risk management should be viewed as "version 2.0" of vendor strategy, where all of its facets come together. Third party risk is ever-present, and it threatens not just the end consumer but your overall brand and business model.
Third party vendors are now deeply intertwined with financial operations. The numerous data breaches of years past show this: the name of the organization that experienced the breach is the one remembered, even when the breach is traced back to a third or fourth party. Reputational risk is measured in time and money, and both are valuable resources.
Purpose of the Third Party Risk Manager
As internal compliance and risk managers prepare for their own examinations with regulators, the purpose of the third party risk manager is to apply a similar approach to the vendors which process or have access to consumer non-public information.
Keep in mind that, in reviewing the organization, an examiner's interest is in protecting customers and ensuring that the organization is adhering to and working within all federal consumer protection laws. That examination framework is what ultimately determines how your organization's compliance framework and overall business operations will be judged.
Third Party Risk Management Objective
The objective of running a third party risk management program is to demonstrate, from a regulatory standpoint, that every vendor has been vetted, managed and corrected so that the solution provider does not fall foul of any federal consumer protection laws. In addition, ongoing management of your vendor panel offers strategic and competitive advantages.
As stated by the CFPB guidance, the examiner must review and assess the ability to: detect, prevent and correct practices presenting a significant risk of violating the law and causing consumer harm.
These same practices can be implemented by your internal team or by a knowledgeable outsourced vendor management servicer, covering pre-contract due diligence, performance and contract management, policy and procedure review, onsite audits, and documenting corrective actions with enforceable completion dates.
By adopting these best practices, your fellow board members will be able to demonstrate to the regulatory agencies your commitment to third party risk management, and your operation will have made significant strides in mitigating the impact of third party risk on your operation, executive team and shareholders.
Evaluate your vendor's regulatory risks ahead of time. Download this infographic to get started today.