Third-Party Risk Management

More Efficient. More Effective.

ORM helps to avoid vendor management pitfalls.

The Problem with Existing Third-Party Risk Management Technology

FFIEC Requirements: Planning/Risk Assessment

Regulatory Criticism:

  • Fails to assess the inherent risk of the outsourced activity;
  • Fails to identify the specific strategic, compliance, operational and IT risk associated with critical outsourced activities;
  • Fails to identify the expected controls needed to mitigate the specific risks associated with the critical outsourced activity

FFIEC Requirements: Due Diligence & Selection

Regulatory Criticism:

  • No integration of expected controls, including 4th Party, into the due diligence other than IT control questionnaires (e.g., SIG)

FFIEC Requirements: Contract Structuring

Regulatory Criticism:

  • No integration of expected controls into SLAs
  • No integration of performance level standards with tolerance
  • Fails to detect and prevent contract weaknesses from being executed

FFIEC Requirements: Monitoring & Oversight

Regulatory Criticism:

  • No integration of monitoring activities with risk assessment
  • Fails to integrate inherent and residual risk by risk component across the enterprise (e.g., what is the inherent and residual risk of Regulation Z associated with all outsourced activities in addition to a specific partner)

FFIEC Requirements: Documentation & Reporting

Regulatory Criticism:

  • Fails to produce comprehensive risk analysis reports at enterprise, department, regulatory component, outsourced activity, and partner levels.

FFIEC Requirements: Termination & Contingency Planning

Regulatory Criticism:

  • Fails to identify weaknesses in the transition plan and triggered events

FFIEC Requirements: Independent Review

Regulatory Criticism:

  • Fails to provide comprehensive risk management data and analytics to evidence effective third-party risk oversight

FFIEC Requirements: Planning/Risk Assessment

ORM Solution:

  • Customizable scorecards objectively assess the inherent risk of the outsourced activity;
  • Embedded risk and control mapping tool, with an integrated Compliance Library, enables quick identification and assessment of the specific strategic, compliance, operational and IT risks associated with critical outsourced activities; as well as…
  • Identify and assess the expected controls needed to mitigate the specific risks associated with the critical outsourced activity

FFIEC Requirements: Due Diligence & Selection

ORM Solution:

  • ORM determines due diligence requirements, inclusive of expected controls, and initiates a secure, interactive session with the prospective partner
  • As it conducts the interview, ORM instantly analyzes the partner’s responses and probes deeper for additional information or materials, as if a PMO expert were conducting the interview

FFIEC Requirements: Contract Structuring

ORM Solution:

ORM Control Tools:

  • Identify SLA gaps related to the absence of expected controls
  • Ensure performance level standards align with risk tolerance
  • Detect and prevent contract weaknesses

FFIEC Requirements: Monitoring & Oversight

ORM Solution:

  • Automated ORM monitoring tools and attributes are mapped to risks and controls to provide an automated, real-time assessment of risk, including:
  • Inherent and residual risk by risk component across the enterprise

FFIEC Requirements: Documentation & Reporting

ORM Solution:

  • ORM automatically generates comprehensive risk analysis reports at enterprise, department, regulatory component, outsourced activity, and partner levels.

FFIEC Requirements: Termination & Contingency Planning

ORM Solution:

  • ORM Controls Tools identify weaknesses in the transition plan and triggered events

FFIEC Requirements: Independent Review

ORM Solution:

  • ORM provides comprehensive risk management data and analytics to evidence effective third-party risk oversight

With results measured in weeks rather than months, the ORM solution with our project leadership will help your business by:

  • Fully automating the on-boarding process and monitoring of partner performance
  • Using intelligent, interactive questionnaires and tools that proactively initiate contact with partners and work with them directly on due diligence and monitoring, employing the logic of subject matter experts to virtually eliminate PMO/partner ping pong and save thousands of hours
  • Automating the risk assessment and third-party risk management process and reporting
  • Enabling the business to be examiner-ready at all times.

What’s more…

  • ORM Interactive tools can be customized as easily as editing a Word document
  • System-to-system integration is not required; ORM operates with simple data feeds and input, and can utilize data already gathered from third parties, saving valuable time and resources
  • The ORM system will be up and running within a few days of executing a license agreement