I know it seems like third party risk management is getting more attention than it needs. I say that having been involved with various facets of vendor management for much of my 28 years in banking. I’ve seen it pulled from the sleepy shadows of being a “necessary evil” to the headlines of everyone’s concerns.
Ever more so, third party risk management discussions are now necessary within senior management and board meetings to ensure everyone is on the same page. And now I’ll explain why.
3 Reasons Why Third Party Risk Discussions Needed In Meetings
- Regulators Require It - In short, particularly for the national institutions and investment community, the regulators demand that third party risk responsibility sits with senior management and the board. The bulletins from the Office of the Comptroller of the Currency (OCC) – which are gold standard for third party risk guidance – are pretty explicit in these expectations. Reference Bulletins 29-2013, 7-2017, and 21-2017 for specifics.
- Examiners Expect It - At one of my prior institutions, in this case, one that was an FDIC bank rather than OCC regulated, the examiners specifically sought proof that third party risk management was getting adequate discussion at the board and senior management level. Fortunately, we had a rigorous practice of providing monthly updates at risk committee meetings and quarterly written and oral reports to the audit committee of the board.
- It’s a Best Practice - Over and above the regulatory expectations, it simply makes good business sense to keep the board and senior management informed. After all, as a very practical matter, you need their help in setting 'tone from the top' when it comes to compliance expectations. You also need their help when matters need to be escalated with third parties and certainly, if you need to quickly take action to sever a relationship with a third party, you’ll need their approval and involvement.
Best Practices in Keeping Senior Management and the Board Informed
Here are a few best practices for your mission of keeping senior management and the board informed:
- Ideally, you want the head of third party risk management to work closely with senior management and the board to establish a recurring set of meetings so they know what to expect and when.
- There should be written submission of what is to be covered in the meeting, following an agreed upon format, accompanied by an oral report – that way it can easily be evidenced in the senior management and board meeting minutes and with accompanying documentation.
- Be certain to call out any particular areas of concern during meetings or just in written format, such as third parties upcoming for contract renewal or third parties with drastic changes in their risk level.
- Seek their review and approval of any proposed third party risk management policy or program changes.
Keeping your board and senior management team informed helps you do your job more efficiently and helps to protect your institution and your consumers.