Third Party Risk Management

A Never-Ending Cycle of Starts and Stops

The perfect ending to a Third Party Risk Management (TPRM) lifecycle is to stop, look back, reassess, and immediately start again — with lessons learned in hand, a set of carefully realigned goals, and a new challenge-based approach to move above and beyond what has already been achieved.

Outsourcing in 2020 has demonstrated the acute need for financial institutions to maintain effective policies, strengthen internal procedures and practices, and continuously evaluate what actually works (versus wishful thinking) at the end of each stage of the TPRM lifecycle. During this pandemic, Business Continuity Plan (BCP) scenarios that worked on paper and tabletops have been called into action, implemented, reviewed, tossed out, updated, and/or completely revised due to failure. Vendors have stepped up, offered help, adjusted strategies to meet new demands, stumbled over themselves, run to hide, or stopped meeting performance standards altogether.

Multiple regulatory agencies1 provide guidance, methods, concepts, and important considerations to assist financial institutions with structuring a TPRM lifecycle. For example:

  • Planning
  • Risk assessment
  • Financial projections / cost benefit
  • Due diligence
  • Contract structuring
  • Ongoing risk measurement, monitoring, and control
  • Contingency/Resiliency/Termination strategies and interdependency testing
  • Documentation and Reporting
  • Independent review

Stage gates play an important role in the TPRM process. Without an effective lifecycle that includes starts, stops, valuable hindsight, appropriate recalibration, and engagement with critical outsourced partners, TPRM program maturity and ongoing monitoring are simply words. Repetitive actions become robotic routines. Over time, they are habitually followed in order to check a box and get on to the next task. Applying the value of lessons learned, identifying new security threats, protecting against increased risk exposure, investigating adverse trends, evaluating and complying with new/emerging regulations, and consistently practicing effective risk management — will not happen.

To emphasize the significant change that a short period of time can bring, consider the bullet list again from the perspective you had in late 2019. And then again, with your viewpoint as we continue to navigate the current pandemic. And what will these require of your organization 12 months from now?

TPRM is a never-ending cycle of starts and stops. An effective lifecycle can ensure your TPRM program can successfully handle any situation. If you need a hand, an advisory advocate, or a technology solution to structure and manage your TPRM/Contingency/Resiliency lifecycle, we are ready to help. Contact us today to learn more.

1 Office of the Comptroller of the Currency (OCC); Federal Reserve Board (FRB); Federal Deposit Insurance Corporation (FDIC); National Credit Union Administration (NCUA)