Emerging from the financial crisis, global regulators placed additional focus on the ways financial institutions use third parties to bring goods and services to the marketplace. In late 2013, the Federal Reserve Board issued its “Guidance on Managing Outsourcing Risk,” which prescribed how banks should manage their relationships with service providers, suppliers, affiliates, joint ventures and other related entities across various risk domains. The Office of the Comptroller of the Currency issued similar guidance, stressing the need for banks to practice effective risk management, whether the activities are performed internally or through third parties.
With the greater scrutiny and heightened expectations, one global bank engaged Protiviti to transform its third-party risk management (TPRM) program. In particular, Protiviti was asked to focus on developing enhancements that would not only meet regulatory expectations, but also would integrate with the bank’s end-to-end procurement and contracting process.
Working closely with the Head of Non-Financial Risk and the TPRM team, Protiviti aimed to bolster TPRM processes across the organization. The team placed particular emphasis on identifying opportunities where technology could support the efficiency of end-to-end processes and stakeholder interaction and engagement across the organization. The engagement required insight from and collaboration with key stakeholders in the procurement, compliance, legal, information security, business continuity management and line-of-business functions.
During the first step of the multiyear project, Protiviti reviewed the existing TPRM program and its execution, performing a gap analysis to identify improvement opportunities. Protiviti also provided guidance on the TPRM strategy, framework and processes that emphasized the roles of both the business owners of the vendors (the first line of defense) and a centralized function that works with vendors and the business to drive standardization, efficiency and visibility across the enterprise (the second line of defense).
As a next step, Protiviti designed a TPRM program that spanned the entirety of the function’s lifecycle, including the planning and due diligence required for third-party selection, contracting, monitoring and termination. The team developed a framework, policies and procedures to address all possible risk domains that could arise from third-party and outsourcing agreements, including compliance, concentration, reputation, country, operational, legal, strategic and financial, as highlighted in the regulatory guidance.
This phase also included the development of a technology road map and implementation plan for the bank. Specifically, Protiviti and key stakeholders addressed business and technical requirements needed to support the TPRM program, and evaluated market products that matched the bank’s current needs as well as those that would be required as the program matures. Protiviti built and implemented an interim technology solution while working with the bank to select and implement a longer-term solution.
Protiviti supported the bank’s effort to select and implement a fully automated TPRM solution that could support current processes and integrate with existing procurement, financial and GRC systems. Beyond providing guidance and support to help manage the project, important components of this phase included supporting data cleanup and migration of contracts and vendor profile information, as well as change management and training efforts across the organization.
Together, the bank and Protiviti developed the business and technical requirements, with industry and market insights delivered by both sides, to support the TPRM technology selection process. Protiviti led the project management office (PMO) that oversaw the entire endeavor — its plan, timelines, scope and design, scheduling, resources, risk management, and communication and change management. The team also coordinated and documented policies, processes, business rules, a data model and dictionary, and other design requirements across all stakeholder groups.
A specialized Protiviti team led the TPRM software development effort, from designing data models and risk-scoring methodology to defining user roles and establishing alerts and notifications. In addition to updating policies surrounding the existing TPRM framework, the team documented end-to-end procedures and developed user guides. Finally, Protiviti conducted user acceptance testing as well as integration and performance reviews, organized training, and spearheaded the cleanup and migration of existing vendor contracts and other information.
The TPRM function established by this effort continues to yield benefits for the bank following the implementation. Immediate benefits include the following:
In addition, the foundation and framework for sustainable TPRM practices have improved the bank’s ability to identify opportunities to consolidate spending and better leverage its vendor base. Ultimately, that could lead to cost reductions and an improvement in overall TPRM performance and vendor delivery.
Third-party relationships in the financial industry have become the norm today, thanks to a growing demand for digitalization and customer convenience. But complicated regulatory regimes, legacy systems and unclear personnel roles can paralyze even the largest banks when it comes to addressing third-party compliance weaknesses and process inefficiencies. To be sure, bringing systems, operations, processes and personnel up to speed to satisfy security and risk-management regulations in multiple jurisdictions can be difficult, and is most certainly time-consuming. By working with an experienced partner and following a thoughtful road map to identify and close gaps and build streamlined, automated solutions to meet compliance needs, banks can nevertheless launch a successful TPRM project, even in the choppiest of waters.