A global bank partners with Protiviti to manage third-party risk
Transform the bank’s third-party risk management (TPRM) programme and identify opportunities for enhancement.
Design and implement an automated TPRM programme, including an operating model, policies, frameworks, procedures, and enabling technology.
Improved and streamlined processes throughout the third-party management function that provide deeper insight into performance, risk and compliance.
Emerging from the financial crisis, global regulators placed additional focus on the ways financial institutions use third parties to bring goods and services to the marketplace. In late 2013, the Federal Reserve Board issued its “Guidance on Managing Outsourcing Risk,” which prescribed how banks should manage their relationships with service providers, suppliers, affiliates, joint ventures and other related entities across various risk domains. The Office of the Comptroller of the Currency issued similar guidance, stressing the need for banks to practise effective risk management, whether the activities are performed internally or through third parties.
With the greater scrutiny and heightened expectations, one global bank engaged Protiviti to transform its third-party risk management (TPRM) programme. In particular, Protiviti was asked to focus on developing enhancements that would not only meet regulatory expectations, but also would integrate with the bank’s end-to-end procurement and contracting process.
Working closely with the Head of Non-Financial Risk and the TPRM team, Protiviti aimed to bolster TPRM processes across the organisation. The team placed particular emphasis on identifying opportunities where technology could support the efficiency of end-to-end processes and stakeholder interaction and engagement across the organisation. The engagement required insight from and collaboration with key stakeholders in the procurement, compliance, legal, information security, business continuity management and line-of-business functions.
Getting Started: Gap Analysis and Third-Party Risk Management Framework Development
During the first step of the multiyear project, Protiviti reviewed the existing TPRM programme and its execution, performing a gap analysis to identify improvement opportunities. Protiviti also provided guidance on the TPRM strategy, framework and processes that emphasised the roles of both the business owners of the vendors (the first line of defence) and a centralised function that works with vendors and the business to drive standardisation, efficiency and visibility across the enterprise (the second line of defence).
As a next step, Protiviti designed a TPRM programme that spanned the entirety of the function’s lifecycle, including the planning and due diligence required for third-party selection, contracting, monitoring and termination. The team developed a framework, policies and procedures to address all possible risk domains that could arise from third-party and outsourcing agreements, including compliance, concentration, reputation, country, operational, legal, strategic and financial, as highlighted in the regulatory guidance.
This phase also included the development of a technology road map and implementation plan for the bank. Specifically, Protiviti and key stakeholders addressed business and technical requirements needed to support the TPRM programme, and evaluated market products that matched the bank’s current needs as well as those that would be required as the programme matures. Protiviti built and implemented an interim technology solution while working with the bank to select and implement a longer-term solution.
Solution Design and Implementation
Protiviti supported the bank’s effort to select and implement a fully automated TPRM solution that could support current processes and integrate with existing procurement, financial and GRC systems. Beyond providing guidance and support to help manage the project, important components of this phase included supporting data cleanup and migration of contracts and vendor profile information, as well as change management and training efforts across the organisation.
Together, the bank and Protiviti developed the business and technical requirements, with industry and market insights delivered by both sides, to support the TPRM technology selection processes. Protiviti led the project management office (PMO) that oversaw the entire endeavour: its plan, timeliness, scope and design, scheduling, resources, risk management, and communication and change management. The team also coordinated and documented policies, processes, business rules, a data model and dictionary, and other design requirements across all stakeholder groups.
A specialised Protiviti team led the TPRM software development effort, from designing data models and risk-scoring methodology to defining user roles and establishing alerts and notifications. In addition to updating policies surrounding the existing TPRM framework, the team documented end-to-end procedures and developed user guides. Finally, Protiviti conducted user acceptance testing as well as integration and performance reviews, organised training, and spearheaded the cleanup and migration of existing vendor contracts and other information.
The TPRM function established by this effort continues to yield benefits for the bank following the implementation. Immediate benefits include the following:
- An enhanced risk assessment methodology and supporting technology, both of which are in alignment with regulatory expectations
- Upgraded monitoring templates and issue management protocols
- Support for the transition of assessment methodologies for the information security team
- Improved data integrity across various stakeholder groups
- Compressed due diligence timelines as a result of the process efficiencies achieved through the system integrations
- Enhanced end-to-end controls and reporting around the TPRM process
In addition, the foundation and framework for sustainable TPRM practices have improved the bank’s ability to identify opportunities to consolidate spending and better leverage its vendor base. Ultimately, that could lead to cost reductions and an improvement of overall TPRM performance and vendor delivery.
Third-party relationships in the financial industry have become the norm today, thanks to a growing demand for digitalisation and customer convenience. But complicated regulatory regimes, legacy systems and unclear personnel roles can paralyse even the largest banks when it comes to addressing third-party compliance weaknesses and process inefficiencies. To be sure, bringing systems, operations, processes and personnel up to speed to satisfy security and risk-management regulations in multiple jurisdictions can be difficult, and is most certainly time consuming. By working with an experienced partner and following a thoughtful road map to identify and close gaps and build streamlined and automated solutions to meet compliance needs, banks can nevertheless launch a successful TPRM project, even in the choppiest of waters.
- Improved monitoring and issue management
- Improved data integrity
- More efficient due diligence process
- Enhanced controls and reporting