Regulators Say Sound Operational Resilience Strategies Must Include Third Party Risk

December 2nd, 2020 Jackie Risley Reading Time: 3 minutes

An interagency paper released a few weeks ago reminds financial services firms that third-party risk management is a critical component of operational resilience. Published jointly by the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC), “Sound Practices to Strengthen Operational Resilience” notes that it is not new guidance but a consolidation of existing guidance, intended to help firms address the internal and external operational risks that could cause widespread disruption.

Like the more recent FSB discussion paper, this paper points to the potential increase in risk exposure created by a growing reliance on third parties among financial services firms. In fact, an entire section of the paper is devoted to guidance on mitigating the potential operational risks associated with third parties, many of which can be addressed with a robust third-party risk management application, including:

The need to identify and analyze third parties that could impact critical operations, and to prioritize those dependencies. Beyond segmenting third parties by criticality, firms must take measures to fully understand, manage, and mitigate the associated risks, and validate that third parties providing critical products or services will remain operational during a disruption or be able to recover from one.

Formal agreements that are managed and monitored for performance. Contracts should clearly define roles and responsibilities for configuration, management, and access rights. Firms should monitor compliance with these contract terms and have a process for responding quickly to non-compliance.

Reports on systems, assessments, controls, and ongoing monitoring. These reports should be reviewed regularly to ensure that processes and controls align with the current risk landscape and that third parties’ risk profiles do not show signs that they are prone to disruption.

Verification of sound TPRM practices and controls. Firms should employ controls to verify that each third party has resilient operational processes that meet the firm’s internal standards, and should be able to demonstrate to management and regulators that the policies and frameworks they have implemented can identify and mitigate hazards.

Addressing key third-party concerns that could impact resilience. Across the third-party lifecycle there are opportunities to flag potential weaknesses that could result in disruption, from due diligence and contract terms at onboarding, through ongoing monitoring, to off-boarding non-compliant third parties.

Processes to manage a disruption of services. In addition to robust assessments and contractual terms that identify and mitigate risks, firms must have a plan for how they and the third party would respond in the event of a disruption.

Identifying alternate vendors. To maintain operations, firms must identify alternate third parties that meet the standard of substitutability for critical products and services, and/or determine when a product or service could be provided with in-house resources, making sure those resources are ready.

While only one section of the joint guidance paper was devoted to third-party risk, every section of the paper has implications for TPRM:

Governance – The paper stresses the need for an engaged board of directors to set risk tolerance and provide the resources for an effective, well-led program. The board is also responsible for fostering a culture of effective risk management, including risk and cybersecurity awareness training for personnel.

Operational Risk Management – The paper calls for close engagement across all three lines of defense, each taking an active role in capturing business processes and their associated operational risks, including third-party risk.

Business Continuity Management – Described as addressing “market- and enterprise-wide stresses and idiosyncratic risk that can imperil the continuity of a firm’s critical operational and core business lines,” business continuity management encompasses the firm’s overall response, including the recovery of IT systems, many of which have third-party dependencies.

Scenario Analysis – Often focused on internal systems, scenario analysis should also account for the firm’s dependency on third parties and third-party systems.

Secure and Resilient Information Systems Management – Information systems that depend on third parties are just as subject to “robust risk identification, protection, detection, and response and recovery programs that are regularly tested” as part of an operational resilience program.

Surveillance and Reporting – Processes should be in place to detect anomalous activity that could indicate potential disruption, assess the impact of that disruption, and take protective measures to prevent damage to the firm.

Since the start of the pandemic, financial services firms, along with organizations in other industries, have become more keenly aware of operational risk and resilience and recognize the potential exposure created by third-party relationships. Yet according to a survey conducted by Aravo and Compliance Week, roughly half of organizations do not assess the operational risk associated with their third parties. In “Sound Practices to Strengthen Operational Resilience,” regulators are sending a clear signal that they expect firms to include third parties when designing policies and control frameworks for operational resilience.
