Third-Party Risk Management and How It Can Add Value and Drive Success Within Your Organization

Contributors: Neal W. Beggan, CISA, CRISC, CRMA, CMMC-PA | Principal, Risk & Accounting Advisory Services, Risk Advisory Practice Leader
Mike Dempsey, Senior Manager | Financial Services Advisory Leader, Risk & Accounting Advisory Services

On this episode of the Risk & Accounting Advisory podcast, we are tackling the topic of Third-Party Risk Management (“TPRM”) in our Risk-In-Review series. This series provides informative content in a five-question format. Future episodes will include topics like Sarbanes-Oxley compliance, ESG, IT, Enterprise Risk Management, Financial Services Consulting and much more.

We begin our discussion by defining TPRM as it pertains to an overall enterprise risk management framework. Then, we delve into the increased regulatory focus on TPRM due to external pressures like COVID-19, remote work environments, etc.

We also look at the benefits and challenges of implementing or transforming a business’ TPRM framework. There are myriad considerations and barriers to understand, all of which start with clear roles and responsibilities and with engaging all levels of an organization, including executive management and your Board. Each organization is unique and requires an integrated approach across all operational areas of the business.

Finally, we examine the impending TPRM guidelines set forth by the Office of the Comptroller of the Currency and the recent bulletin released by the Consumer Financial Protection Bureau.

Cherry Bekaert’s Risk Advisory practice is focused on helping our clients protect value, power performance, and build resilience with mature internal controls. We do this by leveraging technology to mitigate financial, operational, and compliance risks using purpose-built risk management solutions that cost effectively diagnose, mitigate, and monitor risk.

If you would like to learn more about Third-Party Risk Management and how your business can implement a sustainable TPRM program to deliver on short and long-term goals aligning with regulatory expectations, reach out today.


NEAL BEGGAN:
Hello and welcome to Cherry Bekaert's Risk and Accounting Advisory podcast series entitled "Risk in Review." My name is Neal Beggan, firm leader of our Risk Advisory practice.

Today on this podcast series, we are going to dive into the topic of third-party risk and what it means for your organization. Joining me today is Mike Dempsey, a leader in Cherry Bekaert's Financial Services Advisory Group.

Mike, thanks so much for joining me today.

MIKE DEMPSEY:
Thanks, Neal. I am happy to be here today.

I spent a lot of time on this topic as an industry practitioner, regulator, former Federal Reserve team leader, and a consultant assisting many large, medium-sized, and small financial services firms with TPRM, or Third-Party Risk Management, transformation.

NEAL BEGGAN:
That is phenomenal. I cannot wait to unpack some of that.

Before we do, I will just give a quick reminder that this series, which we entitled the "Risk in Review" podcast series, is structured with five key questions around trending topics.

As always, we will have a subject matter expert, in this case, Mike, provide guidance on its importance for faster and more effective decision-making and connecting to your business operations and systems integration.

Let's get things kicked off, Mike. If you had to tell somebody in your own words, what is the definition of a third party, and what is Third-Party Risk Management as it pertains to an overall Enterprise Risk Management framework?

MIKE DEMPSEY:
That is a great question to start. A third-party relationship is very simply any business arrangement between one organization and another, whether by contract or otherwise.

It could be a vendor, a supplier, an internal affiliate, a joint venture, or a strategic provider. It covers anything from products, services, processes, intellectual property, and market presence.

It could be onshore, offshore, offsite, or cloud management. It is a very broad definition. Many organizations have traditionally focused just on vendor management, supplier risk, or outsourcing, but not the broadest spectrum of Third-Party Risk Management.

A vendor is one example of a third party, but Third-Party Risk Management goes even deeper and includes every single third party. This includes strategic alliance partners, government agencies, franchises, and charities to which you donate your time or money, as well as all your vendors.

Third-Party Risk Management starts with vendor risk, but it is the foundation on which the overall Third-Party Risk Management program is built. For any organization, Third-Party Risk Management is the process of identifying, monitoring, and managing or reporting third-party risks.

You may delegate a service to a third party, but you cannot outsource the risk or the associated responsibility for managing the risks and regulatory requirements. Additionally, the act of integrating a third party into your organization could create additional risks.

Consider country or geopolitical risks with offshore vendors and concentration risks. Third-party risk should be a core component of your overall ERM framework.

NEAL BEGGAN:
Phenomenal. Why now? Why is there an increased regulatory focus on Third-Party Risk Management for our clients?

MIKE DEMPSEY:
The regulators have been emphasizing this for the last nine years. There is a greater use of third parties today by businesses and financial services firms.

There is also an increased velocity of third-party risk incidents or events. The increased usage of virtual and remote work settings during the pandemic requires further clarity of roles and responsibilities in the management of third-party risks.

There is also an increased reliance by many firms on third parties, an extended supply chain geographically, and the integration of third parties into operational processes that impact customers.

There is also an increase in consumer protection regulatory requirements, particularly with the Consumer Financial Protection Bureau, or CFPB. Any direct and indirect consumer-facing vendors need to be closely monitored and mitigated as well.

To summarize, an effective and sustainable Third-Party Risk Management program requires a clear "hub and spokes" operating model and an integrated approach. This requires coordination across the three lines of defense, as well as support functions including compliance, business continuity, cyber, procurement, IT, legal, HR, finance, fraud, and operations.

There needs to be clear ownership and accountability at each step of the Third-Party Risk Management process. The objective for any financial services firm or organization should be to have an end-to-end Third-Party Risk Management process without those silos.

ERM should have oversight over the whole program from a policy oversight and reporting perspective. Clients could certainly experience significant benefits from that approach.

NEAL BEGGAN:
Let's talk about that for a second. If you had to enumerate the benefits that clients would receive from transforming and uplifting their Third-Party Risk Management capabilities, what would you say?

MIKE DEMPSEY:
That is one of the things we discuss at roundtables and conferences. The number one benefit for a firm is having a clear understanding of which third parties you do business with, as well as your fourth-party subcontractors, fifth parties, and sixth parties.

Services need to be ranked according to the appropriate level of risk with the critical services identified. You also want to have a greater consistency of practices across your organization with regards to the treatment of third parties.

Another benefit is having clear roles and responsibilities across the three lines of defense and risk oversight functions. It is a key benefit to achieving the right culture.

You need to have that top-down and bottom-up focus with clear accountabilities distributed and aligned. Finally, banks benefit from having a sustainable approach to board reporting with a comprehensive view of critical third-party strategy, trends, and issues.

NEAL BEGGAN:
Those are certainly some benefits to consider. In contrast to benefits, what are some of the challenges seen when companies are implementing a Third-Party Risk Management framework?

MIKE DEMPSEY:
There are many practical challenges. Third-Party Risk Management is a journey and a long-term roadmap for any organization.

An effective and sustainable Third-Party Risk Management program requires a clear operating model and an integrated approach. This requires coordination across the three lines of defense and clear ownership and accountability at each step.

Another question I get all the time concerns the role of ERM as a challenge. People ask if Third-Party Risk Management is the job of ERM.

ERM may be an integral stakeholder in coordinating Third-Party Risk Management, but the responsibility for initial and ongoing risk management should be shared throughout the organization with the relationship owners. This way, risks are monitored by individuals with proper expertise.

The three lines of defense model addresses risk management needs and regulatory requirements. You need to have a risk-based program that incorporates a complementary suite of preventative and detective controls across those three lines.

Preventative and detective controls assist with the design and implementation aspects. We recommend customizing your Third-Party Risk Management program based on your portfolio of third parties and working across functions such as risk management, IT, compliance, legal, and accounting to tailor the controls to the needs of a particular business.

NEAL BEGGAN:
Oftentimes, all of the focus tends to be around benefits, and challenges get overlooked. Can you update us on the forthcoming Third-Party Risk Management interagency guidelines and the challenges that clients will face in meeting them?

MIKE DEMPSEY:
It is a big topic for our clients. OCC 2013-29 was drafted nine years ago and was historically the gold standard of interagency regulatory guidance for managing third-party relationships.

That later led to the Federal Reserve's SR 13-19 issuance on third-party relationships. We also have the FFIEC IT Examination Handbook, which has a section on technology service providers relative to third-party risk.

We cannot forget the CFPB, which released a bulletin on consumer-facing vendors in October 2016 called CFPB Bulletin 2016-02. The new interagency proposed guidance offers a framework based on sound risk management principles for banking organizations to consider.

This guidance covers all stages in the life cycle of third-party relationships. It takes into account the level of risk, complexity, size of the banking organization, and the nature of the third-party relationship.

There are cost-benefit concerns that have come up in the commenting process by many banks of all sizes. There is no one-size-fits-all approach to third-party risk.

We hope the final guidelines will be more principles-based to afford banking organizations the opportunity to take a risk-based approach in concert with their risk appetite, size, scale, and complexity.

There are also practical implementation challenges. For example, third parties are unlikely to provide information regarding proposed strategic business arrangements due to the non-public nature of those arrangements for public companies. Disclosure regarding such arrangements could be prohibited by confidentiality agreements.

NEAL BEGGAN:
One of the things that stuck out to me in your response was this concept that there isn't a one-size-fits-all approach. Can you provide some of the TPRM solutions that Cherry Bekaert offers and how they can help clients start their journey up this maturity curve?

MIKE DEMPSEY:
We assist our clients in the design, implementation, and transformation of sustainable Third-Party Risk Management programs. We deliver short-term and long-term outcomes in alignment with regulatory expectations and the value proposition of third-party risk.

Our approach is tailored to bring a unique value proposition. We use a maturity model from a gap assessment perspective that measures key program capabilities balanced with regulatory expectations and leading practices.

Regulatory gap, maturity, or current state assessments are usually our first step with a client. Then we focus on a prioritized roadmap to enable TPRM transformation as a phase two.

Optimizing the organizational model remains the most challenging aspect of program design. One final message for our audience is that you can outsource the activity to a third party, but you cannot outsource the risk.

NEAL BEGGAN:
That is absolutely right. It is that two-phased approach you talked about today.

If folks want to hear more information, we invite them to reach out. You can learn more about how your business can begin your Third-Party Risk Management journey by visiting cbh.com/risk.

Mike, this was the second podcast within the "Risk in Review" series. It has been extremely informative and fun.

Thank you for joining us today. I really appreciate it, Mike.

MIKE DEMPSEY:
Thanks, Neal. I appreciate it as well.

NEAL BEGGAN:
I also want to thank our audience for listening and ask that you stay tuned for more risk topics in the series. We will cover Sarbanes-Oxley compliance, ESG, information technology, Enterprise Risk Management, and many more.

Please like, share, and subscribe to the Risk and Accounting Advisory podcast. Thanks again for listening.
