Documentation is Key: Takeaways from the OCC’s Third-Party Vendor Risk Management Procedures

Ever wish for a list of exactly what an examiner is looking for? When it comes to the Office of the Comptroller of the Currency and third-party vendor management, your wish has been granted with the OCC’s Bulletin 2017-7, Supplemental Examination Procedures for Risk Management of Third-Party Relationships, released on January 24.

The procedures aren’t filled with earth-shattering, unexpected surprises. After all, they are meant to supplement Bulletin 2013-29, aka Third-Party Relationships: Risk Management Guidance, released in 2013, which has pretty clear expectations. The biggest takeaway: document your processes and workflows, including who approved what.

It’s About Quality

The OCC released the procedures to ensure a bank’s exam is appropriate based on the risk and complexity of its third-party vendor relationships, including both the quantity and quality of the risk. The agency also wants to be sure there’s an effective risk management process throughout the life cycle of the third-party relationship.

Examiners aren’t necessarily meant to perform every objective and step listed in the procedures, only those appropriate for the institution. In words sure to warm the hearts of bankers everywhere, the agency notes, “Seldom will every objective or step of the expanded procedures be necessary.”

The OCC Third-Party Vendor Management Guidelines

How does the agency determine which steps are necessary? It asks for and reviews a lot of documentation. Here’s the list:

  • List of key persons, organizational charts, committees, and governance structures supporting the third-party risk management process
  • Policies and procedures
  • Board of directors or designated board committee meeting minutes
  • Inventory or database of third-party relationships (and related subcontractors) that indicates risk ranking (e.g., low, high, or critical) of each third-party relationship
  • A listing of each product, process, system, and service supported by a third-party relationship that shows which of these products, processes, systems, and services support critical activities
  • Sample of contracts or written agreements with third parties
  • Complaint log, and responses to complaints, related to third-party products, processes, systems, and services
  • Internally prepared reports (e.g., risk reports and incident reports)
  • Internal or external audit reports
  • Independent reviews of the bank’s third-party risk management process
  • Quality assurance, monitoring plans, testing plans, and related reports
  • Sample of independent reports on third parties involved in critical activities
  • Project plans and timelines
  • Training and awareness activities

But that’s not where the documentation ends. The exam procedures also emphasize control systems, defined as “the functions (such as internal and external audits, and quality assurance) and information systems that bank managers use to measure performance, make decisions about risk, and assess the effectiveness of processes and personnel.”

Expectations for Control Systems

The OCC expects control functions to “have clear reporting lines, sufficient resources, and appropriate access and authority. Management information systems should provide timely, accurate, and relevant feedback.”

What does that mean for your institution? It means that your vendor management program is only as good as your documentation and workflows. If you can’t explain what happened and when, it may as well not have happened.

If your institution is still relying on manual processes to track this information, preparing for a third-party vendor risk management exam could be a real headache. It’s not just getting spreadsheets (both the digital ones stored online and the hard copies some employees use) all in one place. It’s digging through all those emails sent out to assign responsibilities and follow up on the results. It’s remembering who stopped by your desk to give you a verbal update.

Don’t ruin a solid third-party vendor risk management program with loose documentation. Create automatic, centralized workflows that demonstrate to examiners that every task is accounted for. Not only will it make life easier come exam time, it will also make your whole system run more efficiently and effectively.