5 Things You Need to Know About OCC's Updated Guidelines for Third-Party Risk


On Friday, January 17th, Rsam held a webinar on the OCC’s updated guidelines for managing third-party risk. In case you missed the webinar and are wondering why everyone is talking about third-party risk management these days, here’s what you need to know:

OCC’s Updated Guidance
In a bulletin on October 30, 2013, the Office of the Comptroller of the Currency (the “OCC”) released updated guidance on how national banks and federal savings associations need to assess and manage the risks associated with their third-party relationships. The OCC introduced the concept of a “continuous risk management life cycle” that is commensurate with the level of risk and complexity of each institution’s third-party relationships.

New Complexities, Same Old Processes
So what’s driving the OCC to rethink its initial guidance on third-party relationships? In a single word – complexity! The nature and complexity of third-party relationships have increased, but the risk management processes for assessing and managing those relationships haven’t matured commensurate with the risk organizations are taking on through greater reliance on third parties for their critical processes.

5 Things You Need to Know About Third-Party Risk
Need to update your third-party risk management process? Looking to implement a continuous third-party risk management life cycle based on the OCC’s new guidelines?

Here’s what you need to know:

  1. Factoring Complexity of Relationship: Risk assessments must be commensurate with the level of complexity of the third-party relationship. Ensure the scope of the vendor assessment accurately captures ALL risk factors and critical activities associated with that third party by drawing on audits, interviews, contracts & SLAs, etc.
  2. Continuous Monitoring: The OCC specifies that an effective third-party risk management process should follow a continuous life cycle for all relationships. Establishing an automated method for ongoing monitoring ensures that third-party relationships are reassessed throughout the relationship, not just at onboarding.
  3. Oversight & Accountability: Integrate this step into the risk management process by providing easy access to key information (corrective action plans, exception handling, reviews, etc.) for various stakeholders / roles responsible for continuous oversight and accountability.
  4. Central Repository & Documentation: Maintain complete & proper documentation on all third parties, including assessments, testing results, corrective action plans, contracts, and SLAs, in one central location.
  5. Scorecards & Reporting: Create ongoing reports and scorecards of your vendors to provide transparency and visibility to senior management, board of directors, auditors, and regulators.