Third Party Risk Management
Third-party risk management is worth doing well—not only to protect your institution’s reputation, resources, and customers, but also because third-party risk management is part of safety and soundness exams. The effectiveness of a third-party risk management program is seen as an indicator of overall management capabilities. The design of third-party risk programs varies across institutions.
There can be differences in:
In a recent interview for a technical blog, I mentioned that I heard keynote speaker former U.S. Attorney General John Ashcroft, at the 2016 Securities Industry and Financial Markets Association (SIFMA) Internal Auditors Society conference, say that organizations should prepare to adopt what he called “anticipatory compliance.” This concept involves outsourcers being able to demonstrate that they are actively anticipating, studying, and acting on perceived threats (cyber and otherwise), both internally and with their outsourced business partners.
Members of RMA’s Third-Party Risk Management Round Table are experienced leader-practitioners, individually and collectively creating emerging best practices in third-party risk management. As the round table’s facilitator, subject matter expert, and member of the Steering Committee, it’s exciting and rewarding for me to be integral to this evolution.
Data and analytics are fundamentally redefining applications today. In our daily lives, we use technology to help us make virtually every decision. And when you look at consumer applications—the Amazons, Netflixes, and Facebooks of the world—they’re all centred on data. You might not think of them as analytics applications that serve up a wealth of data to inform decisions, because the information is wrapped up in really slick user experiences. But in fact, they provide analytics information to you where you need it most.
Cyber-attacks have topped the list of biggest threats to business for the second year in a row, followed closely by data threats and an unexpected IT/telecoms outage – according to the fifth annual Horizon Scan Report published by the Business Continuity Institute (BCI) in association with BSI (British Standards Institution).
The basis upon which European businesses are able to send personal data outside of Europe – and, especially, to the United States – has recently been the subject of intense scrutiny and negotiation between the EU Justice Commissioner and the US Department of Commerce. The outcome seems to be that EU businesses are allowed to send data to the US, but it’s useful to understand the background and what has been agreed.
Two very different things set the backdrop to last week’s EU/US agreement.