By Louis Berard, Senior Research Analyst, Global Supply Management -Aberdeen Group
On October 30, 2013, the Office of the Comptroller of the Currency (the “OCC”) issued an update OCC Bulletin 2013-29 regarding “Risk Management Guidance”. The goal of this update was to lend guidance to national banks and federal savings associations with assessing and managing risks associated with third-party relationships.
The OCC expects banks to practice safe or “effective risk management” regardless where the activity occurs, in-house or at a third-party. Banks, similar to suppliers, require diligence and on-going monitoring to meet or exceed regulatory compliance to remain being a Best-in-class organization.
Highlighted in a recent Aberdeen article, “Compliant Companies Lead the Way” here businesses, especially those in heavily regulated industries, have learned that it is better to report than not. Industries such as medical, government, financial, and consulting services have recognized the importance of regular spend reporting, frequent audits, and the integration of senior management participation throughout the planning process.
Organizations aligned with federal and regulatory policies reported their likelihood to be nearly double (86%-44%) that of unaligned companies regarding their strategic direction to mitigate compliance risk.
Compared to businesses that plan to align, those businesses that are already aligned:
- Have higher rates of compliance with minimal risk aversion (5x).
- Have a clearer value stream and ability to report on ROI more efficiently (2x).
- Have a stronger ability to analyze suppliers, allowing the business to determine whether the supplier is capitalizing on business opportunities or are a potential risk to the business (2x).
- Have more robust mechanisms to analyze historic data (3x).
You may ask, why would a non-banking supplier need to change or why should they care the way when it’s a banking issue? Banks, similar to suppliers, accept a certain level of risk, and depending on the third-party relationship, the life cycle and the supplier? Criteria you have, more or less risk is accepted. What the banking industry is telling us, simply, is the amount of risk should be commensurate with the level of risk and complexity of the third-party relationship.
What’s the plus side to this as a supplier? The OCC created a strong tool from this outcome, the OCC third-party risk management process, which follows the continuous life cycle approach. This process provides clearly defined steps allowing suppliers to mitigate or manage risk appropriately, and allows for alignment to the banking industry model. In following these guidelines, compliant businesses can have confidence in their approach to third-party risk management, a critical task as risk management becomes more of a focus not only for the OCC, but for the federal government as a whole.
When evaluating third-party suppliers there is a matrix of deliverables to qualify them for the opportunity to work with us. By simplifying this to industry buckets of Cost, Quality, and Delivery, let us allow these to be the spokes for the wheel. Then take Risk Management as the actual wheel, you then have these three essential drivers with more teeth to bite into the road toward meeting expectations on a balanced overarching process.
Access process link here
In closing, the OCC is concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships. For these reasons, the OCC has identified instances in which bank management has failed to properly assess and understand risk and the direct/indirect impact a lack of due diligence and continuous monitoring of third-party relationships can cause.
The steps defined by the OCC ultimately allow suppliers to work in a defined process that both the suppliers and the banking industry can follow, thus providing clear, common collaboration tools for success.