Elevate your Third-Party Risk Management Program

2/21/2022 - By Jason Keith, CIA, CISA

Vendor Management, which is now trendily known as Third-Party Risk Management (TPRM), continues to get increasing regulatory attention as it should. Most of us in the banking space these days are increasingly outsourcing key operations to third parties. Peering ahead, it’s hard to imagine that changing. It looks like the next great wave to wash over TPRM could be decentralized finance (DeFi) and cryptocurrency integrations. These may even overtake traditional Fintech as banking’s biggest potential disruptor. With compliance, safety and soundness exams focusing on TPRM, it is time to consider how to evolve our programs.  

Here are five enhancements you should consider for your TPRM program:

  1. Institutions should begin evolving their TPRM activities from solely focusing on a technology orbit to an institution-wide approach. In the past, third-party oversight was primarily an IT-focused consideration. As a result, most third-party oversight programs tend to be performed by technology personnel Some institutions are supporting this through the creation of a TPRM committee generally comprised of management. This committee format allows the integration of multiple discipline areas. It’s increasingly important for compliance, risk, senior management, finance, operations and technology to work together in evaluating new and ongoing TPRM relationships. Committee members can then take responsibility for assessing strategic, reputational, operational, transactional, compliance, financial, business continuity and cybersecurity risk based on their area of expertise.   
  2. When considering new vendors, include documentation of a business case supporting the need for outsourcing. Consider moving past gathering due diligence documentation and perform an initial risk assessment to developing a comprehensive document that evaluates the need for a new vendor. After assessing the business need and impact on various bank areas, the committees can gather and evaluate what will be required in due diligence documentation and risks relative to a specific third party.  
  3. An often-overlooked consideration in regulatory guidance is the need to develop an exit strategy for third parties. Documenting how the institution could successfully manage an exit from the third party prior to entering a contract can have the positive effect of allowing the organization to identify potentially challenging concentrations of risk and facilitate contractual needs. 
  4. Reviewing System and Organization Controls (SOC) reporting is a given. The way those reviews are documented should be maturing in your organization. Consider adding a process that tracks the bank’s implementation and compliance with Complimentary Entity User Controls. Document the scope of services reviewed in SOC reporting and ensure it matches the established offerings provided to the bank. 
  5. Establish a process to evaluate and track vendor performance on an ongoing basis. Gather service level agreements (SLA) metrics and utilize your committee to oversee performance. If a vendor contract doesn’t have SLAs, find an internal metric by which you can measure their performance and evaluate performance regularly not only at the renewal of a contract. 


If you would like more in-depth discussions on how to evaluate and elevate your Third-Party Risk Management Program, contact our Financial Institutions team.

About the Author | Jason Keith, CIA, CISA

Jason is a technology risk consulting manager in the Information Technology Services practice of Saltmarsh, Cleaveland & Gund. He specializes in consulting highly-regulated industries such as financial institutions, healthcare organizations and the defense industrial base, providing information security assessments, vulnerability and penetration testing and other related information security compliance services. Jason has over 20 years of professional experience and has held several technology-focused leadership roles with previous organizations, including Vice President of Risk, Chief Information Officer and Chief Operations Officer. He also has a strong operational background from past experience serving as a Bank Director, Credit Administrator, Compliance Officer and Financial Advisor.

Related Posts