What is Third Party Risk Management (TPRM) as per OSFI Guideline B-10?

  • Writer: ResilienceNow
  • Sep 17, 2024
  • 4 min read

Updated: Oct 21, 2024


Overview

Financial institutions rely on external service providers to support a range of business activities and functions and to keep operations running smoothly and continuously. These external suppliers can benefit the organization; however, external arrangements always carry risks that can compromise the Operational Resilience of Federally Regulated Financial Institutions (FRFIs). FRFIs are therefore required to identify, manage, mitigate, and monitor third-party risks.


The OSFI Guideline B-10 outlines measures for managing risks related to third-party relationships. The guideline is applicable to all Canadian FRFIs.



[Figure: Third Party Risk Management Lifecycle]

What are Third Party Services?

Third-party services are services that FRFIs obtain from external providers, on either a contractual or a non-contractual basis, to support their business operations. These services may include, but are not limited to:


  • Outsourced business functions

  • Consultants from other corporations

  • Basic services like power supply, telecommunications, etc.

  • Digital and physical infrastructure, such as specialized applications and systems

  • Services provided through partnerships

  • Cloud service providers, data centers, etc.


What is Third Party Risk?

Any risk arising from third-party arrangements can be categorized as third-party risk. The following are examples of such risks:

  • Supplier bankruptcy

  • Business disruptions at external providers

  • Unforeseen risks or disasters (e.g., environmental incidents)

  • Problems with subcontractors

  • Data loss

  • Data breaches



What is the Outcome of implementing OSFI Guideline B-10 for TPRM?

After applying the TPRM guidelines, FRFIs can expect to achieve the following:

  • A comprehensive TPRM framework that outlines governance, accountability, and responsibility structures

  • Identification and assessment of third-party risks and their criticality

  • Effective risk controls and mitigation strategies

  • Continuous monitoring of third-party risks

  • Properly managed third-party relationships

  • Reliable and transparent technology and cybersecurity operations for third-party services


What is the Governance Structure of Third Party Risk Management?

FRFIs are responsible for establishing a governance framework that includes policies, procedures, and accountability structures for identifying, assessing, mitigating, monitoring, and reporting risks related to third-party services. This framework should clearly outline the responsibilities associated with TPRM.


What are the key steps for Third Party Risk Management?

The TPRM process starts with identifying the risks inherent in an external arrangement. Risk assessment begins before any service is outsourced to a third party and continues throughout the lifecycle of the arrangement. All relevant risks, such as concentration risk and subcontracting risk, are considered both before and after contracts are signed with third parties. As part of risk management, FRFIs sign written contracts with third parties that establish each party's responsibilities when a risk event occurs; these contracts also assign responsibility for data security and integrity. Third parties are responsible for establishing and testing Business Continuity Plans for the business functions they perform for the FRFI. Through these contracts, FRFIs obtain rights to information and to audit. As a fallback, FRFIs are required to establish contingency plans and exit strategies in case third-party services cease. The whole TPRM process is continually monitored and reported on in a timely manner.


The following are the detailed steps for TPRM:


  1. Risk Identification and Assessment

    1. Types of Risks

      A comprehensive and scalable risk assessment should identify the types of risks involved, ensuring that the level of risk management matches the criticality of the risk.

    2. Due Diligence

      FRFIs must conduct due diligence—often in the form of a questionnaire—before entering into contracts with third parties, assessing the criticality of the risks they bring.

    3. Concentration risks

      Excessive reliance on a specific third party creates a concentration risk, making the institution vulnerable to a single point of failure. These risks must be acknowledged and addressed.

    4. Subcontracting risks

      When third parties depend on their own external providers, subcontracting risks arise. FRFIs must ensure these risks are adequately managed.


  2. Formal Agreements

    1. Defining Roles and Responsibilities

      A formal contract, such as a service level agreement (SLA), should be put in place to clearly define the duties, responsibilities, and rights of both the FRFI and the external service provider.

    2. Data Protection Measures

      Third-party providers are responsible for implementing stringent security measures to ensure that the FRFI’s data remains secure, confidential, and unaltered.

    3. Access to Information and Audit Rights

      FRFIs must be provided with access to critical information and given the authority to conduct audits, ensuring that the third-party operations are aligned with expectations and risk management standards.

    4. Business Continuity and Disaster Recovery Plans

      Third-party vendors must maintain and regularly test their Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs) to ensure seamless service delivery during disruptions. These plans should be continuously reviewed and updated.


  3. Contingency and Exit Strategy Planning

    For critical third-party services, FRFIs must establish backup plans. These plans should include playbooks for both stressed and non-stressed exits, with documented contingency strategies that address unforeseen circumstances, such as third-party insolvency.


  4. Monitoring and Reporting

    FRFIs should continuously monitor third-party capabilities to ensure they meet expectations and that their associated risks remain within the institution’s risk appetite. The level of oversight should match the criticality of the service. Written agreements should clearly outline the FRFI’s rights to investigate, track, analyze, and report incidents and risks.


Third-party services that involve technology and cyber operations pose significant risks to FRFIs. OSFI advises that both FRFIs and third parties maintain transparent, secure, and compliant technology and cyber operations.


To mitigate these risks:


  • Clear roles and responsibilities must be defined for establishing technology and cybersecurity controls.

  • Both parties should maintain compliance with established industry standards.

  • For cloud services, FRFIs must ensure adequate controls for data protection and container handling.

  • Any concentration risks in these arrangements should be acknowledged and mitigated.
