In my role with Global SRN, I am leading a major market research program to identify the impact Intelligent Automation and Business Analytics is having on current TPRM operations. We are very pleased to share that in all we have 30 TPRM Executives from large global financial organizations, 13 TPRM community partners and 3 academic partners helping develop, distribute and interpret the research results.
As I speak with leaders in each of these areas of the TPRM community, a consistent theme has emerged: TPRM organizations are struggling to secure the skills necessary to support todays operations and are highly concerned about the ability to identify and attract the skills necessary to transform their operations to meet business and regulatory demands. The core issue being how to evolve a community of operational risk professionals from a ‘rule-based’ orientation to a ‘judgment-based’ capability.
With the adoption of Business Analytics and Intelligent Automation, TPRM leaders will require First Line of Defense teams that understand the dynamics of their assigned Line of Business combined with analytical skills to quickly identify patterns and irregularities to take proactive measures. With the population of FLOD associates today primarily having operational risk backgrounds, there is likely a significant re-alignment on the horizon.
TPRM Forum’s recent survey of TPRM leaders identified effective collaboration of FLOD operations with Vendor Management, Strategic Sourcing and Procurement as the leading area of focus for improvement. Alignment across the cross-functional teams has the potential to achieve comprehensive vendor life cycle management and evidence support. The issue though is how to centralize and coordinate activity.
Looking specifically at the ‘monitoring’ phase of Third Party Risk & Vendor Management, we quickly see there are a number of activities, if coordinated and managed centrally, will provide regulators and audit the evidence required to substantiate effective TPRM operations. It also drives a productive level of collaboration and in essence, bonds the teams.
Third Part Risk Management ‘Monitoring’ Life Cycle Phase includes, but is not limited to, the following activities:
Vendor Management Organization:
Contract Management – collection and maintenance of the Deliverable & Obligation tracker with a structured, formal calendar of events. Artifacts stored in central, accessible location. This could include annual Insurance certificate, SOC II Type II Audit, DR Annual Test Results, Policy revisions etc.
4th Party Management – definition and approval of 4th party sub-contractors and execution of proper onboarding and offboarding by the Third Party
Performance Management – SLA & KPI’s associated with the contracted services
Operational Service Management – onsite assessments of the technology services aligned to CMMi, ITIL, NIST or similar independent methodology
Third Party Risk Management – FLOD:
Third Party Classification
Ongoing, dynamic monitoring (Business dimensions)
RCSA management &/or coordination
Regulatory environment changes and Legal Impacts
Regulator response support
Centralized reporting/vendor profile
Contract Currency – Revision and Amendment Maintenance
TPRM Forum recommends consistent, ongoing collaborative sessions between parties to ensure activities and schedules are maintained and a central, accessible repository is continually updated. This is a great opportunity to work with your GRC platform team to ensure activities and artifact collection is incorporated into workflow with artifacts accessible through a central dashboard.