Every compliance professional knows that managing third party risk can be a complex, difficult task. Now we have some fresh guidance from banking regulators on how to approach the subject — and regardless of your industry, the material raises great points to consider.
The guidance comes from the Office of the Comptroller of the Currency, the United States’ top regulator of community banks. The OCC published the document on March 5, structured in an easy-to-read Q&A format and titled, “Third Party Relationships: Frequently Asked Questions.”
Don’t let the bland title fool you. In fact, let’s start with that title, because the important concepts start coming at you right there.
The key word in that title is relationships. The OCC could have chosen to call this guidance “Third Party Due Diligence” or “Third Party Risk Management” — but it didn’t. Instead, it emphasizes the ongoing nature of your interactions with third parties.
That’s an important concept to embrace in your oversight of third parties. You don’t perform one round of due diligence during onboarding and then let them go their merry way through your enterprise. Nor do you choke every third party risk out of existence; some risks, governed properly, are acceptable and worth the reward.
Your company has ongoing, evolving relationships with third parties. The risks within these relationships must be understood from the outset, monitored over time, and kept in check as potential problems emerge.
What does that mean in practice? The OCC guidance hits on a few important issues.
Begin Third Party Relationships With the End in Mind
The OCC begins with a stern warning: “Bank management should conduct in-depth due diligence and ongoing monitoring of each of the bank’s third party service providers that support critical activities.”
Now, any savvy compliance professional knows that already; strip the word “bank” from that sentence, and it’s a message we’ve all heard for years.
This guidance is so useful because it answers the next question: Conduct all that due diligence and monitoring... to do what, exactly? What should a company know about a third party by the end of that process?
The Office of the Comptroller of the Currency offers several points:
- Understand the risks a third party poses as clearly as possible, even if the party doesn’t provide all the information you’d want;
- Develop mitigating controls to reduce those risks to acceptable levels;
- Make thoughtful decisions about why to work with a particular third party even if they can’t offer all the assurance you want;
- Document your efforts to obtain information relevant to the first three bullet points.
You can’t obtain that information with a fixed, one-size-fits-all due diligence process for all third parties. You must take a risk-based approach to the task.
The OCC is explaining what a risk-based approach is — and the final result you’re supposed to achieve by using it — without uttering the phrase “risk-based approach.” Which is a good thing, because it’s a phrase used so often we can forget its true meaning.
How you design that risk-based approach to due diligence is another, bigger subject. But before you begin that journey, you need to understand the capabilities your due diligence function must have. They are the four points listed above.
Fourth Party Risk
Another menace for companies everywhere is fourth party risk — that is, the third parties of your third parties; this goes on down the chain to fifth parties, sixth parties, and so on.
Even sophisticated third party risk management systems struggle to quantify their fourth party risks, never mind those even further down the supply chain. Yet many types of risk (especially operational, security, or liquidity risk) can cause a disruption far down the supply chain to swiftly surge back up and put your company in crisis.
The OCC guidance has advice on that, too. It urges companies to include, as part of your due diligence on third parties, an assessment of how they perform due diligence on their third parties.
For example, you could ask your third party for a SOC 1 Type II report, which is an independent audit of an organization’s ability to monitor subcontractors. (That’s what the OCC calls fourth parties.)
That’s a wise step, but it only addresses fourth party risk in your due diligence onboarding. You still have fourth party risk beyond that first phase.
To improve your ongoing monitoring of fourth party risk, you should also ensure that contracts with your third parties require them to disclose certain details or triggering events to you, such as:
- Any breaches a subcontractor suffers that include your data.
- The location of subcontractors processing your data.
- The names of subcontractors that have access to your company’s confidential data.
- Whether subcontractors provide critical services to your vendor, especially if that vendor provides critical services to you.
So revisit your contract management systems or procurement policies and procedures to confirm that issues like these are standard clauses in your agreements with all agents, resellers, or other third parties you work with.
Compliance is a Strategic Advantage
The OCC’s guidance about fourth party risk also has an important implication for compliance officers: The better your company is at managing third party risk, the more attractive your company will be as a business partner to other parties.
After all, fourth party risk is a giant pain in the neck. Suppose you’re choosing between two vendors where all other things are equal, but one can demonstrate adroit third party risk management and the other can’t — which one would you choose? You’d probably pick the one that was able to manage its third party risk, because by extension that reduces your fourth party risk.
Well, that’s just as true for every other company hunting for reliable business partners in this uncertain world.
So the next time someone asks why investing in compliance program capabilities is so important, cite this example. Strong due diligence capabilities aren’t just necessary for regulatory compliance or vendor risk management. They’re also a strategic advantage for your business.