Ever wish for a list of exactly what an examiner is looking for? When it comes to the Office of the Comptroller of the Currency and third-party vendor management, your wish has been granted with the OCC’s Bulletin 2017-7, Supplemental Examination Procedures for Risk Management of Third-Party Relationships, released on January 24.
The procedures aren’t filled with earth-shattering surprises. After all, they are meant to supplement Bulletin 2013-29, aka Third-Party Relationships: Risk Management Guidance, released in 2013, which has pretty clear expectations. The biggest takeaway: document your processes and workflows, including who approved what.
The OCC released the procedures to ensure a bank’s exam is appropriate based on the risk and complexity of its third-party vendor relationships, including both the quantity and quality of the risk. The agency also wants to be sure there’s an effective risk management process throughout the life cycle of the third-party relationship.
Examiners aren’t necessarily meant to perform every objective and step listed in the procedures, only those appropriate for the institution. In words sure to warm the hearts of bankers everywhere, the agency notes, “Seldom will every objective or step of the expanded procedures be necessary.”
How does the agency determine which steps are necessary? It asks for and reviews a lot of documentation. Here’s the list:
But that’s not where the documentation ends. The exam procedures also emphasize control systems, defined as “the functions (such as internal and external audits, and quality assurance) and information systems that bank managers use to measure performance, make decisions about risk, and assess the effectiveness of processes and personnel.”
The OCC expects control functions to “have clear reporting lines, sufficient resources, and appropriate access and authority. Management information systems should provide timely, accurate, and relevant feedback.”
What does that mean for your institution? It means that your vendor management program is only as good as your documentation and workflows. If you can’t explain what happened and when, it may as well not have happened.
If your institution is still relying on manual processes to track this information, preparing for a third-party vendor risk management exam could be a real headache. It’s not just getting spreadsheets (both the digital ones stored online and the hard copies some employees use) all in one place. It’s digging through all those emails sent out to assign responsibilities and follow up on the results. It’s remembering who stopped by your desk to give you a verbal update.
Don’t ruin a solid third-party vendor risk management program with loose documentation. Create automatic, centralized workflows that demonstrate to examiners that every task is accounted for. Not only will it make life easier come exam time, it will make your whole system run more efficiently and effectively.