The OCC’s guidance published in Bulletin 2013-29 set the gold standard for third party relationships. It takes a logical risk-based approach with the goal of protecting your institution from unmitigated risk.
The OCC recognized that institutions had not applied the same level of risk oversight to these third parties as they would have applied to their own internal processes. The idea that ultimate responsibility for outsourced risk remained with the institution was somewhat of a learning process. The OCC approach is heavily focused on risk management disciplines, and many, if not all, regulators recognize that there is now a heavy reliance on third party service providers who perform critical functions for an organization. Third party risk management is a key guidance issue that regulators, at both the federal and state examination level, are keenly aware of.
The OCC supplemented the bulletin with 2017-07, which went into more detail and expanded examiner requirements. While the 2013 guidance is now five years old, it seems to be standing up well to the current third party risk management landscape. A new update may have taken some time to be published as an OCC bulletin, but considering that the OCC's original third party relationship guidance dates all the way back to 2000 and 2001, this tells us that third party risk management is not a new discipline; it simply had not been given the attention it deserved. Given the almost daily news reports of data privacy breaches, managing a robust vendor lifecycle will put you at the top of the class come examination time.
Review the lifecycle of third party risk management below, along with some consideration points. It's recommended to audit against this lifecycle and compare it to your existing program, as doing so quickly identifies program gaps to focus on.
The OCC Risk Management Lifecycle
- Planning – It’s important to have your policy, program and procedures defined and in place. Outlining the vendor oversight process is imperative to a successful program.
- Due Diligence and Third Party Selection – You should be vetting a vendor prior to entering the contractual relationship. This helps identify any risk posed before the contract is executed.
- Contract Negotiation – Discuss expectations with the vendor and clearly define them in the contract. Per the guidance, this ensures contract enforceability, limits the bank's liability and mitigates disputes about performance.
- Ongoing Monitoring – Continued due diligence must be performed to prevent exposure to unwanted risk. This can help remediate undisclosed risk such as a change in executive leadership, pending litigation or a data breach. It is a very important part of the lifecycle.
- Termination – With a lifecycle, the relationship will potentially end for various reasons. Transition and exit strategies should be determined in advance, as it's important to understand the notice periods and the process for return of assets.
In addition to the five phases of the lifecycle, the guidance recommends you keep the following three items in mind:
- Oversight and Accountability – Understand who is performing the relevant oversight of the third parties. Assign roles and responsibilities as deemed appropriate.
- Documentation and Reporting – Have a good method in place for maintaining documentation and reporting. It's a best practice, and a recommendation from the OCC, to provide this information to senior management and the board to keep them involved.
- Independent Reviews – Conduct independent reviews of your risk management program. You can involve your audit teams for this as well. This will help identify any gaps or any changes that need to be made.
It's clear that examiners compare notes. Whether or not your examiner is the OCC, this is generally considered the most demanding guidance, so if you follow these vendor risk management steps, you are setting your organization up for success.
Do your peers take the same lifecycle approach to vendor risk management? Learn about the current landscape of vendor risk management, also known as third party risk management, when you download our whitepaper.