A third-party risk management framework is the processes and controls used to identify and manage risks associated with outsourcing to a third-party vendor or service provider. In highly regulated industries such as community banking, building a third-party risk management framework is an integral component of any risk management system.
The banking industry is unique because in a third-party relationship, highly sensitive information, including intellectual property, customer data, operations, finances are frequently shared between the community bank and the third-party vendors or service providers. Without a robust third-party risk management framework in place, the quality of the bank’s risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships.
4 Steps to Build a Third-Party Risk Management Framework For Community Banks
There are many instances where a community bank might choose to partner with a third-party vendor or service provider. A community bank might partner with a third-party vendor to outsource entire banking functions such as tax, legal, compliance, audit, or information technology operations. Additionally, the community bank may outsource entire lines of business and/or products. Typically, a community bank might partner with a third-party to perform multiple activities, often to the extent that the third-party becomes an integral component of the bank’s core business operations.
However, choosing to party with a third-party organization requires an investment in due diligence and monitoring activities to ensure selection and effective oversight of an appropriate partner. There are three major activities, including:
- Due diligence assessment pre-contracting to ensure the vendor has the capability, as well as the processes in place to not only perform the function contracted, but to also comply with applicable laws and regulations.
- Ongoing monitoring through performance scorecard to ensure vendors are performing to established KPIs.
- On-site assessment to audit the vendor’s controls and processes to ensure controls are operating effectively.
An effective third-party risk management program incorporates the following mission-critical phases and objectives:
When you work with a third-party, it’s important to take the time to develop a plan to manage the relationship. This is especially important when considering contracts that involve critical activities. The planning phase should be designed to ensure the degree of planning is commensurate with the level of risk and complexity of the third-party relationship.
Your framework will consist of gathering business requirements, outlining strategic objectives, identifying the risk inherent in the activity, and developing a sourcing strategy. Sourcing strategy requires making a determination whether the contract should be single/sole source or competitive. It would help to establish dollar thresholds of when competitive bidding would be required. For example, you may require competition when the total value of the contract is over $300,000. a consolidated and aggregated view of your bank’s risks.
2. Due Diligence Assessment
Perform due diligence on the potential third-party before selecting the third-party and signing a contract to gain an understanding of risk(s) associated with the relationship . This helps ensure that the bank selects an appropriate third-party and understands and controls risks associated with the third-party relationship.
The degree of due diligence should align with the level of risk and complexity of the third-party relationship. More extensive due diligence is essential when a third-party relationship consists of core business operations.
On-site visits may be useful during due diligence to comprehend the third-party's capacity and operations thoroughly.
Depending on the criticality of the activity, the bank should consider the following risk dimensions when conducting due diligence reviews:
- Operational Competency
- People Competency and Reputation
- Legal and Regulatory Compliance
- Financial Viability
- Information Security
- Risk Management
- Business Continuation
3. Contract Negotiation
Develop a contract that clearly states the expectations and responsibilities of the third-party. This helps ensure the contract's enforceability, limits the bank's liability, and mitigates performance disputes. Senior management should get board approval of the agreement before execution when the relationship will involve critical activities.
A bank should look at existing contracts regularly, especially when they involve critical activities. This task will help ensure they continue to address critical legal protections and risk controls. Contracts should address, among others, the following:
- Scope and Nature of Arrangement: Describe the activities the third-party should perform, whether they are on or off bank property, and mention the terms controlling the use of the bank's facilities, information, personnel, systems, and equipment, and access to customer’s data. When multiple employees are used, describe in detail their responsibilities and reporting lines.
- Performance Measures or Benchmarks: Describe performance measures that highlight both parties' responsibilities and expectations, including compliance with regulatory rules or standards.
- Responsibilities for Providing, Receiving, and Retaining Information: Make sure the contract mandates the third-party to deliver and keep timely, accurate, and comprehensive data, like records and reports, allowing bank management to monitor service levels, performance, and risks.
4. Ongoing Monitoring
Perform ongoing monitoring of the third-party relationship once the contract is in place. This helps management understand the third party’s operations and ongoing ability to meet contract requirements.
Ongoing monitoring should include on-site assessment of vendors that are considered critical from a legal and compliance dimension. OCC expects ongoing monitoring to cover the due diligence activities.
In addition to the above, proper documentation and reporting facilitates third-party relationship oversight, accountability, monitoring, and risk management.
Download Your Free Guide
Community banks take, face, and respond to risks every single day as they pursue their business objectives. With the right guidance, you can elevate your risk management to a strategic level. Appropriate planning helps ensure that what is being planned is appropriately safe, sound, and compliant.
Please join us on Tuesday, April 20th from 12:00-1:00 PM EST for an in-depth webinar on the steps to build and conduct an effective compliance risk assessment.