The Corporate Challenge of Third-Party Risk Management Staffing for Program Execution

risk Brian Jackson/Adobe Stock

Spend Matters welcomes this guest post from Jeannie Pumphrey, senior director at Alvarez & Marsal.

Third-party risk management (3PRM) continues to be one of the top three risk-related topics discussed in the boardrooms and amongst executive management teams in the financial services industry.  As corporations tackle the task of segmenting their provider base and identifying and managing the risk inherent to the use of third parties, lack of clarity regarding appropriate program ownership, accountability and responsibility forms a common challenge.

The Office of the Comptroller of the Currency (OCC) and the Federal Reserve Board (FRB) have been tightening requirements on the use and management of third parties since the early 2000s. The latest bulletins, issued in October and December 2013, contain the most prescriptive guidance to date. In addition, the Consumer Financial Protection Bureau (CFPB) re-released minimum guidelines expected with regards to service provider oversight as late as October 19, 2016.

The table below outlines the high level activities included in the above bulletins:

OCC 2013-29 FRB SR 13-19 CFPB 2016-02
Planning Risk assessments Due diligence
Due diligence Due diligence and selection Requesting and reviewing the service provider’s policies, procedures, internal controls and training materials
Contract negotiation and management Contract provisions and considerations Contract expectations
Ongoing monitoring Incentive compensation review Establishing internal controls and ongoing monitoring
Termination Oversight and monitoring Taking prompt action to address fully any problems up to and including termination
Business continuity and contingency

As one can see, much overlap exists for activities monitored across these regulatory bodies, and as many financial institutions have dual reporting requirements, the agencies collaborate quite extensively during audits.

Although ownership and accountability for an organization’s 3PRM program ultimately resides with the Board of Directors and Executive Management, the OCC specifies execution responsibilities into three lines of defense (LOD). Due to the variation in business models, the OCC does not specify what functions of the organization fall into each LOD. The table below outlines the primary goal of each LOD and the key players within the 3PRM lifecycle based on leading practices within the financial services industry as observed by Alvarez and Marsal.  

Depending on the size and complexity of an organization, these roles can shift to meet regulatory compliance. The lines of defense can get blurred due to reporting relationships or responsibilities within the organization. Nonetheless, in order to maintain integrity within the LODs, organizations should strive to eliminate conflicts of interest. For example, engaging Corporate Compliance to be part of a project team who will select a third party creates a conflict of interest from a compliance oversight perspective and blurs the LODs. If this situation were to occur, Corporate Compliance would be assuming the role of the first LOD, while also being responsible for activities in the second LOD. In working with clients, A&M recommends avoiding this type of conflict. Corporate Compliance should set the standards for a third-party risk manager to follow when selecting a third party, but avoid significant involvement in selection activities in order to maintain an independent viewpoint.

In our experience, program execution is the predominant stumbling block for all organizations from regional to top-tier financial institutions, as cross-organizational support, like the compliance/selection example above, is commonplace in most corporations. Strategic sourcing organizations have historically assumed responsibility for adherence to requirements and performance management regarding third parties. Thus, their primary role seats them squarely in the first line of defense. Although these organizations have  developed and refined their processes for the planning, sourcing, selection, onboarding and performance management of third parties, as noted in Wayne Weil’s recent article on Spend Matters, they are not generally equipped or staffed to execute and assume the responsibility required to manage third-party lifecycles with the breadth, due diligence and expertise demanded by current regulatory guidance.   

As organizations experienced failures in their 3PRM programs, a review of the process highlighted compliance inadequacies with regards to an over-reliance on strategic sourcing organizations in instances where they are neither staffed nor qualified to perform third-party risk management. With the decentralization of 3PRM outside of strategic sourcing, corporations faced the challenge of identifying resources within their existing organizations to fill the gaps. The challenge for many organizations in the execution of the 3PRM program is driven by resource requirements and costs to the corporation as the LODs struggle to meet both the day-to-day job requirements and the activities required to execute evidence-based 3PRM programs. Third-party risk management is still viewed as a back-office function rather than a core business driver, and staffing models rarely allow for adequate allocation of resources for LOD roles necessary to perform thorough third-party risk management.

We recommend a different approach to building a case for adequate staffing. To address the cost/benefit quandary, organizations should assess the cost associated with not performing methodical 3PRM. Poor performance from a third party can increase the potential of financial, operational and reputational risk. The financial risk can manifest itself through a number of avenues including loss of customers; additional fees to redundant third parties; cost to the corporation to onboard replacement third parties; legal fees; and penalties for regulatory non-compliance. Given that approximately 60% of a corporation’s revenues depend on the use of third parties, and given the risk associated with poor 3PRM, corporations can justify additional staffing to support their programs.

Once a case has been made, organizations must determine how to allocate resources properly to address known challenges. The staffing challenges faced by the first LOD appear to be driven by the third-party segmentation models and definitions, or lack thereof, as defined by the third-party risk management organization and the allocation of the “right” ratio of third-party risk managers to third parties. The second LOD faces challenges of supporting the requirements that are introduced by the first LOD. Typically, they do not, and should not, have a voice in the selection of the third parties outside of defining the requirements a third party must adhere to. Yet they are tasked with providing staff to support the additional workload without the ability to forecast the third-party population.

To manage second-LOD staffing challenges, A&M clients are creating “SWAT” teams made up of existing resources that are temporarily assigned 3PRM responsibilities in lieu of their day jobs for a defined time period. The SWAT approach reduces third party oversight cycle time as employees are not simultaneously juggling their corporate responsibilities and the 3PRM oversight requirements. Rotating the employees on a quarterly or semi-quarterly basis builds cross capacity and contributes to the consistency of third-party risk management compliance across the corporation, accomplishing one of the tasks that the regulators are expecting of corporations.  

The staffing challenges that companies are facing are real and painful, and there is not a one-size-fits-all answer. The one consistent message delivered by the regulators is that the LODs must take responsibility and accountability for their role in managing third party risk. Developing a simple and clear 3PRM framework where all stakeholders understand the end-to-end activities and responsibilities of managing risk is in the best interest of the corporation and will yield the most successful 3PRM program execution.

Share on Procurious

Discuss this:

Your email address will not be published. Required fields are marked *