Third Party Risk Management
Third-party risk management is worth doing well, not only because it protects your institution’s reputation, resources, and customers, but also because it is part of safety and soundness exams. The effectiveness of a third-party risk management program is seen as an indicator of overall management capabilities. The design of third-party risk programs varies across institutions.
There can be differences in:
In a recent interview for a technical blog, I mentioned that I heard keynote speaker former U.S. Attorney General John Ashcroft (at the 2016 Securities Industry and Financial Markets Association’s (SIFMA) Internal Auditors Society conference) say that organizations should prepare to adopt what he called “anticipatory compliance.” This concept involves outsourcers being able to demonstrate that they are actively anticipating, studying, and acting on perceived threats (cyber and otherwise) both internally and with their outsourced business partners.