I interviewed Jeannie Pumphrey who discussed Third Party Risk Management.
Third party risk management is managing the risk inherently introduced through the utilization of a third party in either the performance of services for a business or the outsourcing to a third party. Third party, as defined by the OCC, is any business arrangement between a bank and another entity by contract or otherwise. So, as you can imagine, this opens up a very broad definition. Sometimes you will hear them identified as a vendor, a supplier, counterparty, joint venture, and even a parent or a subsidiary is considered a third party.


So when we talk about the risk introduced by a third party, we have to look all the way through their supply chain, because that risk also comes through fourth parties or what we would consider subcontractors, so the suppliers or third parties that our third parties use in performance of services provided to a company. As that service, that practice, has grown of outsourcing core business practices to third parties, so has the risk involved in the company receiving those. And some of those risks have materialized based on bad performance or failed performance, data and information breaches and just bad business practices, as we've seen in the mortgage industry, which I'm sure everybody is familiar with.


So not only is management of third parties a regulatory mandate, it's also a business imperative.


Who does it impact? It impacts, really, everyone in terms of suppliers, employees, stakeholders, and our customers. So when you think about it, even from a brand or reputational risk, when you have one of those data breaches, it's going to impact all of those folks on a regular basis. So it's really everybody's responsibility, from an organizational perspective, to make sure that this is something that they keep top of mind when dealing with any external third parties.


Who needs to pay more attention to third-party risk management?


When we look across the landscape of the third-party risk management within industries, we really see that the financial services industry is probably leading in terms of they've been at this for quite a while. As I mentioned earlier, the GLBA probably prompted the majority of the third-party risk management obligations from a financial perspective. So when we think about who really needs to come up to speed and get with it, if you will, I'd say the laggards are the insurance and retailers.


Retailers, as we've seen in the industry, the breaches are there. They're dealing with customer information, customer financial data. And the insurance industry, because they're not regulated by the FRB or the OCC, has really not had as much movement as you would like to see within the third-party risk management space. I think there is an opportunity there for them to take some of the learnings that the financial services have had and kind of get up to speed very quickly, climb that ramp, and get a program that they could implement to help them in a relatively short period.


Another group, if you will, that we've seen in the industry are around the community banks and the mid-tier banks, because as some of them are regulated by the FRB or OCC, they were never really called out as key constituents of this regulatory guidance until December of 2013 with the latest OCC guidance. So they also have some room to move in terms of the maturity scale. And I think that we'll see that coming around from both regulators as well as the industry in the next year or so.


What do you see as the future of third-party risk management?


The future that I would see is really around continuous change, more regulatory influence, more stringent management on those third parties that are considered critically important to organizations. I foresee more internal and external audits, both of businesses themselves as well as their third parties. I see the sourcing and supply chain organizations stepping up to have a better understanding of supply chain internally and better management of their program, processes, and procedures on an ongoing basis. And I think that, based on the guidance that came out recently by the CFPB and the FRB and OCC, I hope that these organizations are looking at scaling their programs based on the services provided by the third parties, so that we stop seeing this one-size-fits-all approach that seems to fail more often than not, and that the programs themselves are based on the risk involved with the delivery of services. And I think that's really where the industry needs to go in terms of third-party risk management and how to better manage that supply chain and those third parties.


Well thank you, Jeannie, for sharing today.


I appreciate it, Dustin. I appreciate your time. Thank you so much.



About Jeannie Pumphrey

Integrity, Excellence and Execution - Enabling Client Success