OCC Interagency Guidance on Third-Party Risk Management
Amidst government inefficiencies, it’s worth commending US banking regulators for their ongoing efforts to simplify and consolidate guidance and regulations related to third-party risk management. Earlier this year (June 2023), the Office of the Comptroller of the Currency (OCC) issued its final Interagency Guidance on Third-Party Relationships: Risk Management.
OCC Issues Simplified Risk Management Guidance
The great news is that the OCC, the Federal Deposit Insurance Corporation (FDIC), and the Federal Reserve Bank (FRB) have combined three similar but different sets of guidance into a singular set for managing third-party risk at all types of banks in the US. The not-so-great news is that I suspect the guidance will become more of a singular checklist for banks to follow instead of improving the fundamental issues associated with third-party risk management.
For review, the new OCC interagency guidance is very similar to what the OCC released in 2013 and updated in 2017 and 2020.
The five-step methodology lends itself to checking the box. I can see (I have seen) rigid workflows that push people one by one through Planning, Due Diligence and Third-Party Selection, Contract Negotiation, Ongoing Monitoring, and, if needed, Termination.
Good organizations will understand quickly that this is not a check-the-box exercise but a framework that should permeate the management and operations of the financial services institution. It manages risk by purposefully working through every part of the bank and every part of the relationship, identifying each area where the third party can affect the bank, so that those risks can be evaluated and managed. Good organizations will also recognize the OCC’s statement that the level of risk a third party presents depends on what the institution does and what the third party does; this does not mean you can skip risk management for low-risk vendors.
Common Weaknesses in Third-Party Risk Management Programs
While simplifying the regulatory landscape, this new OCC guidance does not address the complications of TPRM. In short, it does not ‘simplify’ much. I bookmarked an article (The Importance of Third-Party Vendor Risk Management Programs) several years ago written by Tony DaSilva. DaSilva is an S&R Subject Matter Expert at the Federal Reserve Bank of Atlanta. He talks about the importance of Third-Party Vendor Risk Management Programs, but I bookmarked his article because DaSilva noted the weaknesses in TPRM. Specifically, these are the weaknesses he observed over years of examining banks:
- Insufficient oversight by the institution’s board of directors
- Lack of a formal documented outsourcing policy
- Vague contract terms and requirements that lack specificity on a third-party vendor’s performance or contract terms that favor the service provider or third-party vendor
- Third-party vendor performance reviews conducted by inexperienced institution personnel
- Inadequate disaster recovery tests between a third-party vendor and the institution as well as tests that do not address a possible cybersecurity event
- Information security and cybersecurity procedures of the third-party vendor that are not adequately reviewed and assessed by the institution
- Inappropriate risk rating by the institution of its critical third-party vendors
I will argue that these weaknesses are prevalent throughout almost every institution in the US…in every industry. The real question is why these weaknesses and issues are so common. The problem starts with the lack of TPRM expectations at both the vendor and the bank.
Risk Framework Lacks Consistent Viewpoint
From the vendor’s point of view, this is frustrating because the framework is written from the risk assessor’s point of view (the customer’s point of view). These requests for “due diligence” and “ongoing monitoring” are often not covered in contracts, or if they are, they are not shared with the people who must respond to them. Vendors will work to please their customers even on requests that are not in contracts, but not this hard. In practice, an assessment request often looks like this: a sales rep or account manager at the vendor receives a request to complete a 200+ question questionnaire on topics the sales rep should not answer and likely doesn’t know who can answer. The spreadsheet is passed to one or more people who must complete it, often starting or ending up with the CISO. If it’s multiple people, the sales rep must assemble all the answers and return them to the assessor. Making this even worse, the sales rep insists this must be a top priority, and the experts must rearrange their entire schedule to prioritize this request.
A worse variation of this scenario looks like this. Instead of receiving a spreadsheet, the sales rep must sign into a portal, but the sales rep cannot answer the questions, and the experts cannot access the portal. I knew a CISO at a fintech company that served half of the banks in the US. There are just over 4,200 banks in the US, so he received about 2,100 of these requests annually. Some banks made the request more frequently and some less. With 250 business days in a year, the CISO was asked by his reps over eight times a day to complete assessments. Sometimes, it was completing a spreadsheet, and sometimes it was filling in forms in a vendor portal. This assessment request volume and the supporting processes are killers of time and budgets. The cost is too high to support every request in the manner requested. The fintech CISO’s solution was to create a generic “customer assurance packet” with some standardized assessments, SOC2 reports, certifications from standards organizations, and some policies. The customer assurance packet would be the only response from the vendor to the 2,100+ banks he served. You don’t have to have 2,100 customers for a version of the customer assurance packet to be your response to third-party assessments. I have seen companies with as few as 50 customers respond this way, and I am certain the floor is lower than that. Fifty assessment requests mean you are likely dedicating 20% of your time to answering assessments.
The banks that sent the request now have a problem they were not expecting. These problems include but are not limited to:
- Using only the information returned by vendors in the requested format (your spreadsheet or your portal) and ignoring the rest. You might get only 10% of your responses.
- Guesstimating the riskiest vendors (vs. the ones with the highest residual risk) and manually transferring the information they sent to your toolset.
- Being so overwhelmed with documentation that you do not have time to create issues or findings
The next wave of issues looks like this:
- Experienced risk managers quit because they want to do more than manage spreadsheets and perform “swivel chair risk management,” where you copy information from one source and paste it into your toolset
- Lack of time to perform other activities, such as following up on issues, creating awareness, and prepping for incidents, prevents any risk awareness or risk management
- Poor internal audit reviews and poor examination reviews
Specialization Increases Needs for Supplier Risk Management
As technologies change, customer expectations shift, and banks look to control more costs, outsourcing will only expand, which means the need for third-party risk management will only grow. Even the solutions put in place today do not adequately address the issues. Third-party surveillance tools cannot tell you what is important to you or map items to your controls. Assessment-sharing solutions might not provide the information YOU need. And what if you are assessing a giant company like Amazon, Microsoft, or Finastra? An assessment from an assessment-sharing solution designed for Finastra’s Canadian Student Lending division would be of little use if you want to manage risk around your instance of Finastra’s Fusion-Phoenix core system.
Without a solid capability to find out about, and act on, activities or processes your third parties manage in a manner outside your risk tolerance, you will realize every weakness DaSilva mentioned. Boards will provide poor oversight because they don’t have the risk awareness they need. Your risk management program’s quality will worsen as talent moves away from TPRM. Then, guessing and workarounds will lead to inaccurate risk ratings.
AI-Driven Automation Improves TPRM
Orchestrated processes using a combination of AI technologies can solve these TPRM issues to better manage risk. The right combination of AI (such as document understanding, NLP, and generative AI) and process orchestration will become the digital workforce for risk management. Imagine an AI-powered workforce multiplier receiving the documentation your vendors send in any format. Then, AI reads the documentation, completes your assessment, identifies answers outside your risk tolerance, creates issues or tickets in your ticketing system, and ties those issues to your operational controls. It also identifies the questions you asked that the vendor’s assurance packet does not answer, so they can still be followed up. Imagine all this happening in minutes instead of weeks. Vendors will be happier to work with you. You will quickly assess more third parties for risk and, more importantly, provide greater awareness of risks and the impact that might fall on your critical banking operations.
Automation Improves Risk Awareness at Lower Costs
With comprehensive data processing using an AI orchestration tool that integrates with your current TPRM or GRC platforms and processes, your risk managers can do the work they love and have been trained to do…risk management. Risk managers can provide real value by making data-driven risk decisions or providing risk insights. Risk managers now have time to work with business managers and procurement managers for better contracts. Executives and board members now have greater risk awareness – meaning they can provide the right level of oversight. I did not say that AI takes over your risk management decisions. That is still the realm of risk managers. Responsibly used, AI orchestration platforms prepare all the information for risk managers in minutes instead of months.
Until ChatGPT exploded on the scene, I am unsure whether anyone would have believed the above is possible. While ChatGPT cannot do this AI orchestration itself or even provide the amount of AI needed to manage the assessment process, it, or other generative AI technologies, can be incorporated into AI orchestration platforms like Krista. AI orchestration platforms like Krista are designed to manage any process in your organization and can:
- Integrate on the fly with documents from your vendors
- Incorporate information from your risk management tools to identify inherent risk
- Select the right assessment to complete
- Read the vendor documentation and answer the assessment
- Write the findings/issues in your ticketing systems or GRC platforms
- Link the findings to controls
- Document every step along the way to provide transparency to vendors, auditors, managers, and assessors
- And…know when it’s not smart enough to answer the question and then reach out to a person for help
Additionally, Krista can use (and swap out when outdated) any AI technology; it can swap ChatGPT for Bard and incorporate your data scientists’ models, all in minutes.
Krista has been specifically configured to assist in managing several areas of risk management, including the assessment process. No-code configuration can extend the assessment process into procurement, issues management, offboarding, or any other operation in your organization. If you can put your process in a swim lane chart, you can have Krista automate it with or without AI. Krista works with your toolset, so there is no need for the painful rip and replace of systems. Krista was designed to be like the BASF commercials from long ago. We don’t make the GRC/TPRM you like to use; we make the GRC/TPRM you like to use better.
Most of the time, regulations, including those for third-party risk management, expand; in this case, they contract just a bit, but the problems stay the same. AI orchestration platforms are today’s answer to an agile approach for effective and efficient third-party risk management, helping you build a more compliant and resilient bank, all while building better relationships with your risk managers and vendors.