Director, Information Security
Peter Gregory is a director in Optiv's Office of the CISO. He is a leading security technologist and strategist with a long professional history of advancing security technology, compliance and risk management at all levels of corporate culture. He has published more than 40 books and authored more than 30 articles for leading trade publications in print and online.
OCC Updated Guidance on Third-Party Risk
Recently, the Office of the Comptroller of the Currency (OCC), released updated guidance for bank examiners as they scrutinize third-party risk programs in banks and other financial institutions. The OCC’s guidance emphasizes bank examiners’ inspection of banks’ third-party risk programs to ensure that they are effectively managing the risk related to their third parties throughout the lifecycle of third-party relationships, and that banks’ risk management programs are themselves effective in the context of third-party risk.
The updated guidance adds color to the OCC’s previous bulletin on third-party risk that was published in 2013. That bulletin superseded guidance published in 2001. This should make it clear that third-party risk is increasing in its importance and that the practice of third-party risk has changed significantly in the past fifteen years.
Look at how financial institutions process information today. Unlike two decades ago when nearly all processing was in-house and on-premise, information processing often includes third parties, whether for main account processing or for ancillary tasks that banks decide are too expense to duplicate in house. The result: third-party organizations routinely do heavy lifting for core functions as well as features that make customer experience richer and stickier.
The takeaway is this: third parties have as much to do with information processing as in-house services. The rigor required in managing third parties, including a deep understanding of risk issues and processes to address them, is commensurate to the proportion of work they perform for banks.
Organizations not regulated by the OCC should take notice of this development, for it is a reflection of the growing critical role that third parties play in virtually every organization. There is inherently more risk related to outsourcing information processing than in performing it in-house. While a bank can outsource parts of its operations, it cannot outsource accountability.
For organizations that do not have a mature risk management program, the increased risk associated with outsourcing information processing may represent a great call-to-action: business risks have gone up, and it’s time to develop not only an effective third-party risk program but also a risk management program.