TPRM programs in the financial services industry are made to find balance between the demands of regulatory compliance and meeting stakeholder expectations. It’s no hidden secret that the financial services industry is one of the most mature and heavily regulated industries in third-party risk management. My name is Dan Gibson and I am Vice President of Strategic Accounts here at Aravo. Having journeyed with Aravo for over 11 years, partnering with some of the largest and most complex organizations in the world on the development of their TPRM programs, I am acutely aware that there are always conversations that even our most mature clients need to have. Particularly, how to look beyond compliance to make your stakeholders happier and build a more resilient business.
I had the opportunity to sit down with Michael Rasmussen, founder of GRC2020 to discuss growing regulations and specifically, ESG. Michael is undoubtedly one of the most knowledgeable individuals in not only GRC, but also third-party risk management. Michael and his team support organizations with a variety of market research, benchmarking, training, and analysis on all things GRC.
One of the things discussed in our interview was the new interagency guidance on TPRM for financial services organizations released on June 6th. This year, the OCC, FDIC, and Board of Governors of the Federal Reserve System released their final, joint guidance on Third-Party Relationships: Risk Management.
Michael: I find the OCC guidance itself to be prescriptive with a lot of checklists organizations can follow in order to get their “get out of jail free” card. However, the interagency guidance bringing in the OCC, FDIC and Federal Reserve Board is much more principles or outcome-based. Making this quite interesting, the guidance specifically says that the final guidance offers the agency’s views on sound risk management principles for banking organizations when developing and implementing risk management practices for all stages in lifecycle of third-party relationships. The key thing about principle or outcome-based regulation is that they are not as prescriptive, and so there’s a lot of room for interpretation. This means that although it is agile and flexible for organizations to approach; it is also agile and flexible for the regulators to enforce as well.
Flexibility in enforcement means that they don’t have to go by a checklist to tell an organization if they are doing something wrong. An organization can be judged on whether or not they are achieving the principles of the guidance. With this in mind, there is potentially greater risk, as well as greater agility. The guidance covers the entire third-party risk lifecycle from the planning to the initial due diligence, selection of third parties, contract negotiation, ongoing continuous monitoring and due diligence, all the way to the termination; while also giving the iterative approach to this life cycle and all those stages. This requires strong documentation and reporting all the way up to the board on third-party risk management, the oversight and accountability. In addition, organizations must provide assurance through independent reviews as well. These are very challenging times for financial services due to the very broad scope. Organizations need to be more diligent in how they cross their T’s and dot their I’s since the guidance is not telling you exactly how to do this in all areas.
Keep in mind, the guidance applies to all third-party relationships, so it is again very broad. Any business arrangement between a banking organization and another entity by contract or otherwise falls into this scope. Be sure that you really have defined your process and approach and that you execute on that process and approach consistently across your organization.
Dan: I whole-heartedly agree. The word that stuck out to me in the guidance was “flexibility”, which I was not expecting to see as allowing flexibility does leave things up for interpretation and can create challenges in the future.
Michael: If they embrace this and are committed to it, they will have a lot of agility. However, if some think that because it is less prescriptive they can do less, then that can cause a significant amount of risk exposure. I believe the larger financial services firms are going to find it easier to adapt with their abundance of structured processes in place. Smaller, state regulated banks will find that they have more work to do on their third-party risk management program.
Dan: This is always a hot topic for us here at Aravo, specifically within the technology that we provide to help our clients manage their third-party relationships. It is about finding the right balance. Over the years we have spent quite a bit of time discussing with you Michael, the idea of maturity and understanding, from this maturity standpoint, where these organizations are. Should they really be taking more of a prescriptive approach and deploying something straightforward and proven? Or, for more mature banks, should they simply be taking their foundational principles and plans that have been tested and work towards aligning their program with their business? I don’t know that there’s a right or wrong answer, but it will be interesting to see how larger financial institutions take this guidance and run with it to develop their programs. At the same time, we’ll see how smaller, regional banks continue to embrace best practices to develop something more specific to their business.
Dan: I wanted to explore with you what is probably the hottest risk domain that we are focused on with our clients today: ESG. Europe appears to be is leading the charge in ESG. We saw the German Supply Chain Act come out earlier this year. Based on that guidance we are now seeing initiatives like the EU Directive in Corporate Sustainability Due Diligence, mandating all of the companies within the EU to establish due diligence principles and procedures around ESG.
Michael: Definitely, and in one respect even more so because cybersecurity regulations are part of the G in ESG. Then you add the rest of the G, the E, and the S; it’s expansive. The challenge of ESG in the United States is that too many think that ESG is about climate change. While climate change is a significant risk and it is a significant piece of ESG, it is only part of the E. I see a lot of misconception in the United States where only a small fraction of ESG is being considered. In the E alone, outside of climate change you have air and water waste pollution, and PFAS (forever chemicals). Think of 3M and their current $10 billion lawsuit.
Let’s take a look at the S in ESG. You have human rights, privacy, child labor, forced labor, working hours, and wages.
Unpack the G and you have anti-bribery and corruption, which includes the US Foreign Corruption Practices Act, the UK Bribery Act, Sapin in France, and more. You have internal controls over financial reporting and IT security. There is a lot there and there is a lot happening.
In Europe, you’ve got the trifecta. You have the EU CSRD, the Corporate Sustainability Reporting Directive; the EU CSDDD, the Corporate Sustainability Due Diligence Directive; and the EU CSRS, the Corporate Sustainability Reporting Standard. All three work together, and they impact 50,000 firms. Many US firms that have operations in Europe have to respond to the EU laws and the EU CSDDD on the vendor third-party relationship that is modeled after Germany’s LKSG, the German Supply Chain Due Diligence Act. I have spoken with firms in Australia that have to respond as well. Germany’s law has a global impact and now you have the EU CSDDD requiring each of the 27 member countries to pass a law similar to Germany’s.
Dan: I find it interesting that a lot of these regulations are still under development. There is a lot going on to make sure that these countries are thinking about things the right way.
Michael: ESG is not about compliance, it is about doing the right thing. In all his wisdom, Ted Lasso stated, “doing the right thing is never the wrong thing.” At the end of the day, ESG is about doing the right thing for the environment, the right thing on the social, and the right thing on the governance piece. We need to embrace it by clearly defining what our ESG-related objectives are. Only in that context can we understand what our risks are. If organizations take a risk-based approach to ESG, they are putting the cart before the horse. I was interacting with Bosch in Germany and with 400,000 employees, they are the first manufacturing company of their size to be carbon neutral. That was their objective. We define objectives for the E, the S, and the G; then we build our programs and manage our risks to those objectives. That is how ESG is done. It is not about checking compliance boxes. It is about defining your environmental, social, and governance objectives, and then determining how to achieve those objectives and address the risks in achieving them.
This interview has been edited for length and clarity.
Share with Your Friends:
