Manage Tomorrow's Surprises Today

Steven Minsky

OCC Stresses Importance of ERM in Vendor Management

ERM Banks & Credit Unions

On October 30, 2013, the Office of the Comptroller of the Currency (OCC) published a bulletin to the CEOs and CROs of all national banks stressing the need for an enterprise risk management approach to vendor management. In the bulletin, entitled "OCC: Third-Party Relationships: Risk Management Guidance," the office recognizes, "integrating the bank's third-party risk management process with its enterprise risk management framework enables continuous oversight and accountability."

How does the OCC expect risk managers to accomplish this integration? The bulletin emphasizes a risk-based approach to all third-party relationships that involve critical activities. In fact, the bulletin mentions the phrase "critical activities" over 25 times throughout the 10-page briefing. A quick scan of this phraseology reveals the expectation of an in-depth ERM process.

For starters, the bulletin calls for a variety of assessments: process assessments to determine critical activities; vendor assessments for due diligence; and control testing and monitoring to manage risks from third-party vendors. Each of these assessment types will require defined and well-articulated criteria so that they are uniform throughout your organization, enabling executives to determine priorities and set objectives.

Additionally, a relational or taxonomy-enabled approach will allow your bank to report on how third-party relationships relate to your critical activities, such as bank function (payments, clearing, etc.), shared service (information technology), or strategic imperative (reputation, cash flow predictability). Tracking these relationships in spreadsheets or on homegrown systems can be laborious and complex, and an integrated platform for both ERM and Vendor Management can greatly streamline governance activities.

While the notice is tailored to national banks, it includes a note for community banks to "adopt risk management practices commensurate with their level of risk." The risk universe in a community bank is much different than for large, national institutions; however, that's not to say the methodologies will change. A community bank can use enterprise risk management to set priorities in its vendor management process, and shave hours off due diligence and compliance activities.

For more information on how a consolidated approach to third-party vendor management and enterprise risk management can save your bank time and money, watch our video on streamlining governance.


In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc., the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania’s Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at
