Outsourced Third Party Risk Management: Developing a Compliant Program
Third party risk management continues to be a top priority with the regulators, evidenced by the release of Interagency Guidance on Third Party Relationships: Risk Management, June 6, 2023. This comprehensive Guidance is intended to assist in identifying and managing risks associated with third party relationships and in complying with applicable laws and regulations.
Outsourced Third Party (Vendor) Risk Management continues to be a top priority with the regulators, so ensuring your Program is both effective and meets their expectations needs to be a priority. When you outsource, you place your confidential customer information, and the availability and security of that information, in someone else’s hands, but you still retain responsibility for the integrity, confidentiality, availability, and security of that information. That makes third party risk management a crucial part of your overall Information and Cyber Security Program.
The federal banking agencies (OCC, Federal Reserve Board, and FDIC) issued Interagency Guidance on Third Party Relationships: Risk Management on June 6, 2023, which rescinded the previous guidance each of the Agencies had issued on third party relationship risk management practices. The new guidance is intended to assist in identifying and managing risks associated with third party relationships and in complying with applicable laws and regulations.

In addition, the FFIEC issued a revised Business Continuity Management handbook on November 14, 2019, that addresses Third Party Management, Third Party Capacity, Testing with Third-Party Technology Service Providers, and Cyber Resilience. The FFIEC Cybersecurity Assessment Tool (CAT) also includes declarative statements relating to Outsourced Third Party Risk Management practices.

Your Outsourced Third Party Risk Management Program should address both Vendor and Third Party Service Provider relationships and activities, including cloud providers, managed service providers, core banking and digital banking providers, and critical infrastructure providers such as telecommunications, utility, and Internet service providers. Management of these relationships starts with proper strategic planning, performing due diligence prior to contracting, risk assessing each relationship to identify critical and significant relationships as well as those that present high risk regardless of their significance, reviewing contracts, and performing annual oversight.
What You’ll Learn
- FFIEC expectations for your Program
- Roles and Responsibilities
- Expectations for Planning, Due Diligence and Selection, Risk Assessing, Contracting, and Oversight
Who Should Attend?
Senior Management, Information Security Officers, Compliance Officers, Risk Managers, IT Managers, Operations Managers, and IT auditors should attend.
Presenter Bio
Susan Orr is a leading financial services expert with vast regulatory, risk management, and security best practice knowledge and expertise.
As an auditor and consultant, Orr is dedicated to assisting financial institutions in implementing appropriate policies and controls to protect confidential information and comply with regulatory mandates and best practices. Her background as an auditor and former examiner gives her the knowledge to conduct comprehensive IT general control and data security reviews and to assist banks in developing and updating policies, procedures, and risk assessments, performing third party risk management, and facilitating testing and training. Orr is a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and Certified in Risk and Information Systems Control (CRISC).
Registration Options
Live Access, 30 Days OnDemand Playback, Presenter Materials and Handouts $279
- Available Upgrades:
- 12 Months OnDemand Playback + $110
- 12 Months OnDemand Playback + Digital Download + $140
- 12 Months OnDemand Playback + CD + $140
- Additional Live Access + $85 per person