Throughout the years, U.S.-based agencies have typically led the way when it comes to third-party risk management (TPRM) regulations. As of May 1, 2023, Canadian Federally Regulated Financial Institutions (FRFIs) are now expected to comply with the TPRM guidelines published by the Office of the Superintendent of Financial Institutions (OSFI). The aptly-titled Third-Party Risk Management Guideline is well-organized and follows many of the same principles that have been previously established by U.S. agencies such as the FDIC and OCC.
Regardless of where your organization is based, it’s worth your time to understand some of the key takeaways.
5 Key Takeaways from the Third-Party Risk Management Guideline
Like most other TPRM guidance, the OSFI emphasizes that organizations are held accountable for the business activities that are outsourced to a third party. This means that organizations are also responsible for implementing an effective third-party risk management program.
Here are some of the key takeaways from the guideline:
- Outcomes – FRFIs are expected to achieve six specific outcomes from their TPRM activities:
- Governance and accountability structures are clear, with comprehensive risk management strategies and frameworks in place.
- Risks posed by third parties are identified and assessed.
- Risks posed by third parties are managed and mitigated within the FRFI’s risk appetite framework.
- Third-party performance is monitored and assessed, and risks and incidents are proactively addressed.
- The FRFI’s third-party risk management program allows the FRFI to identify and manage a range of third-party relationships on an ongoing basis.
- Technology and cyber operations carried out by third parties are transparent, reliable, and secure.
- Framework – The FRFI should create a third-party risk management framework that provides an organization-wide view of third-party risk. The framework should also span the lifecycle of third-party relationships, from the initial sourcing and due diligence to an exit strategy.
- Risk-based activities – The guideline includes a section on taking a “risk-based approach” to TPRM activities like risk assessments, monitoring, and reporting. In addition to the level of risk, the OSFI provides useful criteria for determining a third party’s criticality:
- the severity of loss or harm to the FRFI if the third party or subcontractor fails to meet expectations due to insolvency or operational disruption;
- substitutability of the third party, including the portability and timeliness of a transfer of services;
- the degree to which the third party or subcontractor supports a critical operation of a FRFI; and
- the impact on business operations if the FRFI needed to exit the third-party arrangement and transition to another service provider or bring the business activity in-house.
- Subcontractors – Fourth and nth parties are often overlooked in TPRM, but the OSFI gives special attention to subcontracting risk. FRFIs should identify certain details about their third-party’s subcontractors, such as quantity and criticality, the effectiveness of their TPRM program, and concentration risk.
- Absence of contract – One notable highlight in the guideline is the mention of third-party relationships that don’t involve written contracts:
- The absence of a written arrangement, formal contract, or agreement does not imply the absence of a third-party arrangement and third-party risk.
3 Tips to Comply With the Guideline
It can be challenging to know what to do next whenever new regulations are published, especially when the guidelines are lengthy and complex. Additionally, it's not uncommon for regulations to be updated later.
Here are some tips that can help you stay in compliance:
- Follow the third-party risk management risk lifecycle – The six outcomes listed in the guideline are closely aligned with activities in the TPRM lifecycle. Identifying and assessing risk, monitoring third-party performance, and establishing proper governance and accountability are all part of a robust TPRM program.
- Compare your program – Do a side-by-side comparison of your current TPRM program with the OSFI guidelines. This can help identify any gaps in your program and gives you more information to align your processes to current regulations.
- Maintain good reporting and documentation – Make sure that any changes you make to your TPRM program are formally documented and reported to the appropriate risk committees and stakeholders. This ensures consistency throughout your program and will help keep you organized when and if any regulatory updates are released.
Regulatory compliance may take some time and effort, but it’s a necessary task for many organizations. When followed correctly, TPRM guidelines will help protect your organization from third-party risk and can even support resilience throughout your operations.