Regulators have been evaluating third party security and relationships within financial services organizations for several years; however, organizations lacked clear guidance on how to satisfy regulators. That changed this past June with the release of Federal Deposit Insurance Corporation (FDIC) guidance for managing third party risk.
The FDIC has been active in reviewing financial service organizations' risk management practices, including third party security risk, as part of its regular examination process. Its examination and third party risk assessment includes identifying how the organization assesses, measures, monitors, and controls risk in these extended enterprise relationships.
The common practice of assuring that an indemnity agreement is in place is clearly not enough. An indemnity agreement does not and cannot adequately cover an organization's strategic, operational, and reputational risks. Further, compliance risk is something that cannot be covered in an indemnity agreement: if a financial organization is out of compliance as the result of the activities of a third party, it is the financial service organization that is held accountable.
Responsibility for managing third party risk is a top-down effort. The FDIC guidance clearly states that responsibility falls on the shoulders of executive management and the board of directors.
The current guidance from the FDIC requires that financial organizations have a four-part process for managing risk in third party security and relationships:
Third party risk assessment: The financial organization is to have a defined approach and process for identifying risks in new and existing third party relationships.
Due diligence in selecting third party relationships: After identifying risk, the organization has to demonstrate that it has a due diligence process in place to select the third party relationships that minimize its exposure to risk.
Contract structuring and review: Further, financial organizations are to have a thorough contracting process in place to protect the organization from risk and to ensure that the proper controls are in place in the relationship to manage risk and comply with regulations.
Oversight: Finally, the organization is to have board oversight of risk in third party relationships, as well as ongoing assurance by management that risk is being managed, controls are in place, and contractual requirements are being complied with within these relationships.
Best practices for success with third party security
To meet these four requirements, here are some leading practices from financial services firms:
Adoption of a risk assessment methodology: The foundation for any risk management process is a sound risk assessment methodology that outlines the risk identification, assessment, measurement, and monitoring process. Some have turned to the COSO Enterprise Risk Management Framework, but many find the approach confusing and difficult to apply. The Australia/New Zealand Risk Management Guideline 4360:2004 provides a very flexible risk framework that can be applied to a range of risk management areas; it is also the basis for a new international ISO standard, ISO 31000, which will be released in draft form to the public in early 2009.
Application of a standard for measuring risk in third party relationships: Not all third party relationships have the same risk profile and impact on a financial organization's operations. This requires that some process be in place for the financial service organization to measure the level of risk in proposed, new, and existing third party relationships.
Implement a software platform to manage risk: Managing risk across a web of business relationships is difficult, and it is impossible without the use of technology. Leading organizations, within financial services and in other industry verticals, are adopting platforms to manage risk and compliance across their business relationships. These platforms include the ability to communicate contracts, policies, procedures and controls; train third party personnel on requirements and expectations; provide a platform for third parties to conduct a self-assessment of their compliance with contracts; and supply auditors the information they need to independently assess third party relationships. As business partner relationships exist in great numbers and diversity, one option is to implement Software as a Service (SaaS) platforms to manage risk and compliance in the extended enterprise.
Consider the BITS shared assessment program: Finally, financial service organizations should carefully evaluate the ability of the BITS/Financial Services Roundtable shared assessment program to ease the burden of contractual and regulatory compliance audits on third party relationships.
About the author:
Michael Rasmussen (firstname.lastname@example.org) is with Corporate Integrity, LLC. Michael is the authority in understanding governance, risk and compliance (GRC). He is a sought-after keynote speaker, author and collaborator on GRC issues around the world, and is noted for being the first analyst to define and model the GRC market for technology and professional services. Corporate Integrity, LLC is a strategy and research advisory firm providing education, research and analysis on enterprise governance, risk management and compliance.