David England, Director –
Complying with OCC regulations on third-party oversight clearly represents a clear and pressing priority for banks and financial services firms. So how are they doing?
The good news is that vendor management and sourcing organizations have made significant progress in navigating the tortuous regulatory maze and developing internal policies that align with regulatory guidelines and requirements.
The real challenge, however, is to convert those policies into rigorous and sustainable processes that operate seamlessly and consistently across a number of business units. Specifically, the compliance oversight of any given third party provider must involve sourcing, procurement, legal, finance, contracting, IT, vendor and risk management and often multiple business units – groups that don’t necessarily make a habit of playing nicely together. The gray areas that mark the boundaries between these different units only complicate matters. How, for example, do you determine where sourcing’s responsibility ends and vendor management’s begins? Or, what does corporate vendor management own, compared to what IT or a business unit’s vendor management own? These specific questions only underscores the scope of the broader goal – which is to define all the activities that need to get done, get the right people in place within each department and business unit and then establish and maintain the necessary flows between those disparate organizations.
Achieving that broader goal of alignment, communication and process discipline requires a reconsideration of the traditional role of vendor management. Typically, the vendor management function enters the sourcing lifecycle post-contract, which means that the function most directly involved with ensuring oversight and compliance has had no involvement in determining or understanding what is to be overseen, or in creating a contractual construct to support vendor management oversight and compliance. Put differently, vendor management is playing catch up before the game even starts – and in today’ regulatory climate, that game is becoming increasingly tough with increasingly high stakes.
The solution, of course, is to involve vendor management earlier in the sourcing lifecycle so that the frameworks and communication guidelines essential to effective third-party oversight can be clearly defined and baked into the relationship, rather than tacked on as an afterthought.
For more on Alsbridge’s perspective on third-party governance, download this white paper.