Large Bank Supervision Forum eBook
Internal Use Only
Both the Board and Management are responsible for Oversight and Accountability . . .

The Board of Directors should oversee risk management implementation and hold management accountable:
1. Confirm that risks are managed consistent with strategic goals and risk appetite
2. Approve policies that govern third-party risk management
3. Approve (or delegate to committee that reports to the Board) contracts with third parties that involve critical activities
4. Review the results of management’s ongoing monitoring of third-party relationships involving critical activities
5. Confirm that management is taking appropriate actions to remedy performance deterioration, changing risks, or other material issues
6. Review results of periodic independent reviews of third-party risk management process
© 2023 – FinPro, Inc.
Management must execute and implement third-party relationship risk management strategies and policies:
1. Develop and implement third-party risk management process
2. Confirm appropriate due diligence and present to Board when third party involves critical activities
3. Review and approve third-party contracts
4. Provide appropriate resources for third-party relationship
5. Confirm that third party complies with bank policies and reporting requirements
6. Ensure that third party is notified of any significant bank issues that may affect third party
7. Confirm that bank has appropriate internal controls and regularly tests controls for third parties
8. Confirm that CMS is appropriate for third-party relationship
9. Ensure that third party regularly tests and implements agreed-upon remediation when issues arise
10. Escalate significant issues to Board in a timely manner
11. Terminate third-party relationships that do not meet expectations
12. Maintain appropriate documentation throughout the life cycle