Large Bank Supervision Forum eBook
Internal Use Only
Key Stages of the Risk Management Life Cycle
[Figure: life cycle diagram with the stages Planning; Due Diligence & 3rd Party Selection; Contract Negotiation; Ongoing Monitoring; Termination; and Oversight and Accountability]
Source: FRB, FDIC, and OCC
© 2023 – FinPro, Inc.
Planning should be performed BEFORE entering into a third-party relationship:
1. Risk: identify and assess the risks and appropriate risk management practices
2. Strategic Purpose: does the strategic purpose fit into the bank's overall goals, objectives, and risk appetite?
3. Complexity: what is the anticipated activity volume, need for subcontractors, need for new technology, and impact of foreign-based activities?
4. Cost/Benefit Analysis: include all direct costs, indirect costs, and termination costs
5. Organizational Impact: assess the impact on other initiatives, such as large technology projects, organizational changes, M&A, or divestitures
6. Employee Impact: assess the impact when activities currently conducted internally are outsourced
7. Customer Impact: assess the impact if the third party will have access to customer PII, consider the marketing strategy (joint vs. franchise), and how to handle customer complaints
8. Information Security: will the third party have access to bank systems?
9. Oversight: how will the bank select, assess, and oversee the third party?
10. Risk Management Impact: assess Board and Management skills, Policies and Procedures, Risk Management and MIS, and Internal Controls
11. Contingency Plans: if needed, can the activity be transitioned to another third party or in-house?