Translating Policies into Processes – the Compliance Challenge

David England Blog

David England, Director –

Complying with OCC regulations on third-party oversight represents a clear and pressing priority for banks and financial services firms. So how are they doing?

The good news is that vendor management and sourcing organizations have made significant progress in navigating the tortuous regulatory maze and developing internal policies that align with regulatory guidelines and requirements.

The real challenge, however, is to convert those policies into rigorous and sustainable processes that operate seamlessly and consistently across a number of business units. Specifically, the compliance oversight of any given third-party provider must involve sourcing, procurement, legal, finance, contracting, IT, vendor and risk management and often multiple business units – groups that don’t necessarily make a habit of playing nicely together. The gray areas that mark the boundaries between these different units only complicate matters. How, for example, do you determine where sourcing’s responsibility ends and vendor management’s begins? Or, what does corporate vendor management own, compared to what IT or a business unit’s vendor management owns? These specific questions only underscore the scope of the broader goal – which is to define all the activities that need to get done, get the right people in place within each department and business unit and then establish and maintain the necessary flows between those disparate organizations.

Achieving that broader goal of alignment, communication and process discipline requires a reconsideration of the traditional role of vendor management. Typically, the vendor management function enters the sourcing lifecycle post-contract, which means that the function most directly involved with ensuring oversight and compliance has had no involvement in determining or understanding what is to be overseen, or in creating a contractual construct to support vendor management oversight and compliance. Put differently, vendor management is playing catch-up before the game even starts – and in today’s regulatory climate, that game is becoming increasingly tough with increasingly high stakes.

The solution, of course, is to involve vendor management earlier in the sourcing lifecycle so that the frameworks and communication guidelines essential to effective third-party oversight can be clearly defined and baked into the relationship, rather than tacked on as an afterthought.

For more on Alsbridge’s perspective on third-party governance, download this white paper.

1 thought on “Translating Policies into Processes – the Compliance Challenge”

  1. Craig Nelson

    More and more companies and in particular financial institutions are seeing the importance of VM function continuity across the supplier management life-cycle. It often seems like common sense, but we are seeing many situations where the continuity has broken down due to internal fragmentation of processes and internal battles regarding who owns what in the process. This is leading to a bad outcome for everyone when the regulators come to visit. I know of several organizations who are facing MRAs resulting from OCC visits where the VM continuity could not be demonstrated.

