ÀÖÓ㣨Leyu£©ÌåÓý¹ÙÍø

Under a risk-based approach, companies will be expected to establish strategic plans for managing third-party and provider risks, focusing on due diligence, oversight, and governance throughout the relationship lifecycle. 

Regulators will assess:

Strategic Plan

A strategic plan to direct the TPRM program for all party and provider relationships, including the allocation of resources, establishment of infrastructure, implementation of technology controls, and enhancement of organizational capabilities. Third-party relationships / arrangements are reevaluated through ongoing monitoring to discern whether they continue to align with the company’s strategic plan/goals.

Relationship Lifecycle

Consistent management of risk across the company and throughout the relationship lifecycle, irrespective of the type of relationship or activities involved. Key features include:

• An assessment of risk for each third-party relationship (during planning, due diligence, selection, contract negotiation, and monitoring), tailored to the specific size, complexity, and risk profile of the company and the nature of the relationship with the third party.
• Ranking of each third-party and provider arrangement based on the risk posed to the company, with parties and providers involved in “higher riskâ€� and “critical activitiesâ€� (as defined by the company) subject to more rigorous oversight.
• Alignment with procurement and vendor management activities for risk management consistency.

Governance

The proliferation of available consumer data, the volume of Clear oversight and accountability mechanisms regardless of how TPRM and governance processes are structured (e.g., dispersed across business lines or centralized under specific function(s)). Regulators will look for key governance practices (commensurate with size, risk, and complexity) including:

• Delineation of roles, responsibilities, performance metrics, and standards for the Board and management.
• Board approval of the TPRM program, risk appetite, disruption tolerances, and, in some cases, the selection of third parties supporting “higher riskâ€� and “critical activities.â€�
• Board participation in the strategic plan.
• Periodic independent audits of the TRPM program.
• Documentation/reporting channels both within the company and to/from third parties.

• Centralize Oversight and Governance: Firms should utilize a multidisciplinary approach to risk management of parties/providers (“TPRMâ€�) by adopting a “hub and spoke modelâ€� to facilitate comprehensive identification and mitigation of risks and enable independent oversight of the TPRM function. The TPRM function would act as a hub with a central leadership team responsible for setting policies, standards, reporting and risk appetite of its operation, and would be supported by subject matter experts from relevant risk domains (e.g., privacy, cyber, BC, DR, etc.) to provide insights and execution while coordinating across the business line “spokes.â€� Alignment and integration with procurement and vendor management practices to drive consistency in execution is key.
• Employ a Risk-Based Approach: Adopting a risk-based approach is paramount to drive efficiency across the relationship lifecycle. This approach involves focusing efforts on third parties/ providers that pose the highest risk to the company, based on factors such as data access, service criticality, operational resiliency, and regulatory impact.
• Enrich data associated with service: In order to adopt a risk-based approach, it is important to gather the right data about the service up front in terms of how the service will be delivered and controlled (e.g. What process steps will service support?; What products are dependent on party/provider for delivery?; What controls at the third party will manage risk and compliance requirements? Are subcontractors involved in delivery? Will Artificial Intelligence be used in delivery of service?)
• Develop Strong Ongoing Monitoring: To ensure that party/provider risk is accurately measured and mitigated, firms need to perform ongoing monitoring of party/provider risk profiles and contract performance. Risks assessments should incorporate a comprehensive inventory of risks based on direct experience, market developments, and/or strategic business changes, and be conducted during the contracting phase and refreshed on a regular basis. (For example: Develop cloud governance programs aligned with cybersecurity strategies. Tailor security measures to address the unique risks of multi-cloud environments and enhance monitoring of cloud-based incidents.)
• Ensure TPRM meets or exceeds global and jurisdictional regulatory expectations: The location of a party/provider (and supply chain providers) does not relieve the company of its responsibility for compliance with all applicable laws and regulations, including ensuring that the party/provider also meets those obligations.