Getting Started With Third-Party Risk Management: Two Key Questions


Banks often outsource technology services to third-party vendors. In light of increased regulatory attention and the growing role of third parties in day-to-day business operations, many bank boards and senior management teams are considering how to develop a third-party risk management program. A thoughtful approach, based on an initial assessment of the bank’s current state, can produce better risk management and compliance without becoming overly burdensome. Answering two questions will help launch an effective third-party risk management program.

Does our bank have a full inventory of its contracts and agreements?
While most banks have some type of contract management system, many still rely on low-tech storage, such as databases of scanned copies or hard copies in file cabinets, from which data can’t be extracted. Such storage rarely contains a complete record of all executed contracts, and even simple data points like renewal notification deadlines and expiration dates are neither tagged nor tracked automatically. In such environments, contract terms and conditions don’t keep pace with changes to regulations and the business environment, and financial reporting and accounting exposures, such as unrecorded liabilities, contingencies, and financial commitments, exist but may not be understood or monitored.

To address such drawbacks, banks should take a complete inventory of critical relationships to ensure that they hold a complete inventory of current contracts. The contracts should meet current regulatory and business requirements, and the key data within each contract (counterparty, service provided, renewal notice deadline, expiration date, and required terms) should be tagged as structured metadata so it can be searched, reported on and acted upon rather than locked inside a scanned image. Banks should consider establishing standard, required contract terms and using technology to track compliance. Increasingly, contracts are being moved into third-party risk management systems for a “single-book-of-record” view and improved risk management beyond basic compliance.

How do we identify all relevant third parties and manage the overall effort?
The potential universe of third parties in an organization can seem endless, from global companies to intercompany affiliates to mom-and-pop providers. On top of that, the population is never constant. Companies regularly onboard and terminate third parties and expand or reduce third-party services. While it is important to gather data and artifacts (certificates of insurance, documentation of financial viability, or Service Organization Control (SOC) reports, for example) that support a risk assessment at the level of each third-party relationship, it is easy to lose sight of the entire population of relationships. Depending on how a bank defines third parties, that population could include franchisees, external salespeople and debt holders, among others. This is one area of risk management where completeness counts.

To make such a project manageable, banks should create a strategy and roadmap to systematically identify third parties using an inclusive definition. Banks should invest in the initial data-gathering phase and make it an enterprise-wide endeavor. Effective sources of relevant information include surveys conducted by the various lines of business, contract repositories and databases, accounts-payable systems, and legal counsel. The process needs to be sustainable, or the population will soon go stale. Banks should conduct an initial review of third-party relationships by identifying categories and potential risk factors to help prioritize the evaluation, starting with the third parties that pose the highest risk. The project roadmap should include the necessary activities, timing and resource needs for existing and future third-party due diligence and assessments.
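The two questions above describe the same underlying data problem: contract terms that are tagged so that renewal deadlines can be tracked automatically, a third-party population reconciled against sources such as accounts payable, and a review queue ordered by risk tier. The following script is an added example, not code from the article or any vendor's product, showing one minimal way to hold that inventory. The vendor names, dates, artifact lists and the rule that maps risk tier to required artifacts are all constructed for illustration.

```python
"""
Minimal third-party contract inventory with tagged renewal data,
risk-tiered due-diligence tracking, and reconciliation against an
accounts-payable vendor list. Added example; all sample data is constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Artifacts expected on file for each risk tier. This mapping is an
# assumed policy for the example, not a regulatory requirement.
REQUIRED_ARTIFACTS = {
    "high": {"certificate_of_insurance", "financial_statements", "soc_report"},
    "medium": {"certificate_of_insurance", "financial_statements"},
    "low": {"certificate_of_insurance"},
}
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Contract:
    vendor: str
    contract_id: str
    expires: date
    notice_days: int           # days before expiry by which non-renewal notice is due
    risk_tier: str             # "high" | "medium" | "low"
    artifacts: set = field(default_factory=set)
    source: str = "unknown"    # where the record was discovered (survey, AP system, ...)

    def notice_deadline(self) -> date:
        """Last day on which the bank can still give notice of non-renewal."""
        return self.expires - timedelta(days=self.notice_days)


def renewal_alerts(contracts, today, lookahead_days=90):
    """Contracts whose notice deadline falls inside the lookahead window
    or has already passed, earliest deadline first."""
    horizon = today + timedelta(days=lookahead_days)
    alerts = []
    for c in contracts:
        deadline = c.notice_deadline()
        if deadline <= horizon:
            status = "overdue" if deadline < today else "due"
            alerts.append((c.contract_id, status, deadline))
    return sorted(alerts, key=lambda a: a[2])


def missing_artifacts(contract):
    """Due-diligence artifacts required for the contract's tier but not on file."""
    return sorted(REQUIRED_ARTIFACTS[contract.risk_tier] - contract.artifacts)


def review_queue(contracts):
    """Order for the initial review: higher risk first, then nearest deadline."""
    ordered = sorted(contracts, key=lambda c: (RISK_ORDER[c.risk_tier], c.notice_deadline()))
    return [c.contract_id for c in ordered]


def reconcile(contracts, ap_vendors):
    """Vendors being paid with no contract on file, and contracted vendors
    absent from accounts payable (possibly terminated but never offboarded)."""
    contracted = {c.vendor for c in contracts}
    return sorted(ap_vendors - contracted), sorted(contracted - ap_vendors)


# Constructed sample data: three contracts found in different sources,
# and the vendor master from the accounts-payable system.
TODAY = date(2015, 12, 22)
SAMPLE_CONTRACTS = [
    Contract("Acme Core Processing", "C-1001", date(2016, 6, 30), 180, "high",
             {"certificate_of_insurance", "soc_report"}, source="contract database"),
    Contract("Northwind Shredding", "C-1002", date(2016, 2, 1), 45, "low",
             {"certificate_of_insurance"}, source="line-of-business survey"),
    Contract("Globex Cloud Backup", "C-1003", date(2017, 1, 15), 90, "high",
             set(), source="accounts payable"),
]
AP_VENDORS = {"Acme Core Processing", "Northwind Shredding",
              "Globex Cloud Backup", "Initech Janitorial"}


if __name__ == "__main__":
    for cid, status, deadline in renewal_alerts(SAMPLE_CONTRACTS, TODAY):
        print(f"{cid}: notice {status} by {deadline.isoformat()}")
    for c in SAMPLE_CONTRACTS:
        print(f"{c.contract_id} ({c.risk_tier}) missing: {missing_artifacts(c) or 'none'}")
    print("review order:", review_queue(SAMPLE_CONTRACTS))
    uncontracted, unpaid = reconcile(SAMPLE_CONTRACTS, AP_VENDORS)
    print("paid but no contract on file:", uncontracted)
    print("contracted but not in AP:", unpaid)
```

The reconciliation step is the part most often skipped: an accounts-payable vendor with no contract on file (Initech Janitorial in the sample) is exactly the kind of relationship that falls outside the inventory until someone compares the two lists, so the comparison should be rerun whenever either source changes.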

Moving Forward
As financial institutions work to comply with the regulatory guidance and manage the risks associated with third-party relationships, a clear strategy and roadmap will help achieve compliance without creating an overly burdensome process.

Are Your Board Communications Secure in a Changing Regulatory Landscape?


As recently as March 2015, Hillary Clinton’s use of private email on multiple devices while serving as secretary of state hit the media. Clinton commented, “. . . I opted for convenience to use my personal email account, which was allowed by the State Department, because I thought it would be easier to carry just one device for my work and for my personal emails instead of two.”

Every board member can fall into the same trap the Clinton example illustrates, so take the necessary steps to educate your board.

We continue to operate in a changing business environment with a backdrop of increasing regulatory pressure and a heightened focus on improving board oversight and communication. Current guidance and regulatory policies and practices are designed to force improvement in risk management and compliance. With that comes the responsibility for how we securely communicate and exchange confidential information at the board and committee level.

Technology and security play an important role in this change as leadership demands more mobility, flexibility and speed. Armed with multiple mobile devices and an “on-the-go” attitude, some stakeholders, who may not have grown up in the world of IT, are constantly exposing company information to risk.

Common practices for managing board communication suggest we are not keeping up with the requirements for security and compliance.

Take into account the following:

The Organization

  • Think about how many board members still receive board and committee information in their personal email accounts. Then layer in the number of changes and document versions that must be communicated before the actual meeting. This information often is not encrypted, and once it lands in a personal mailbox the bank has no control over where it is stored or forwarded.
  • Interaction between management and the board is continuous. Monthly, quarterly and annual meetings give board and committee members an opportunity to review company performance and provide a forum for governance. Materials are still being printed, exposing large amounts of confidential information as directors travel between meetings and between locations.
  • Confidential documents from regulators, investors and management flow from administrators to the board through unsecured channels.

The Individual

  • Critical documents are still being stored and shared on a variety of personal devices: computers, tablets and phones.
  • Directors and committee members still forward their board packets to personal email accounts so they can print the materials, moving confidential information outside the bank’s control.

What do you do?
Security issues continue to be front-page news. How do you prevent the perfect storm in which directors using personal devices handle confidential information in an unprotected form? Below are four practical steps to address this.

Education: Board members should be educated periodically on their roles and requirements, from both a board and a bank perspective. If the company is publicly traded, Securities and Exchange Commission regulations should also be reviewed often.

Process: To help prevent damage from occurring, it is also important to set up a process whereby directors receive the necessary information through a secure channel. The process for provisioning and monitoring board members’ access to that channel should be sufficiently documented. Appropriate personnel, including risk-management and IT staff, should have input.

Review: The risk department should review and test the entire process, end to end, to confirm that information stays protected from the point it is created to the point it reaches each recipient. The review should cover management, committee members and the entire board.

Evaluate: Evaluate the risk factors affecting the current process and how they impact the organization overall.

As technology continues to evolve at breakneck speed, the race is on for leaders to move fast enough to deliver a secure environment. It is clear that not enough attention is being focused on the process necessary to foster that environment. Board members will need to think ahead before they communicate, and leaders will need to make sure director communications are secure. There is no magic formula for this; it is an ongoing, “live” process that you will need to keep reviewing. While the process must be constantly monitored and refreshed, it also must accommodate new behaviors and new device preferences: look to the success of the Apple Watch.

This real-time process will aim to keep you secure at all times. And that may end up in your favor, as regulators may soon turn their focus to communication within the board room.