The latest edition of Guideline B-10: Third-Party Risk Management was released by the Office of the Superintendent of Financial Institutions (OSFI) of the Canadian government on April 24, 2023.
This comprehensive framework focuses on managing the financial and operational risks linked to supplier and vendor relationships. Furthermore, an overwhelming 98 percent of organizations have experienced security breaches within the past two years involving at least one third-party vendor with whom they maintain a business relationship.
Federally Regulated Financial Institutions (FRFIs) are Now Required to Comply With Guideline B-10.
The move which mandates FRFIs to adhere to the provisions outlined in Guideline B-10 signifies a pivotal regulatory shift that underscores the imperative for robust compliance measures and risk management protocols within the financial sector.
- All third-party agreements, including the contracting out of business operations, services, and actions, that carry risks need to be assumed by FRFIs.
“In this context, FRFIs are mandated to furnish, upon OSFI’s request, information pertaining to their business and strategic dealings with third parties, as well as details on risk management and control environments. This regulation’s goal is to make regulatory monitoring and easier review. Due to a third-party arrangement, OSFI expressly requires prompt notification of material difficulties that may affect FRFI’s capacity to provide essential operations”.
- The guideline extends the scope of definition of a third party to encompass other entities, such as private practitioners, utilities, and brokers. It also recommends the inclusion of all types of third parties in comprehensive risk
“The impetus behind these new requirements stems from a shift in focus from materiality to criticality. This change suggests that a third party that is essential to a FRFI’s ability to perform a major operation, function, or service needs to take a more nuanced approach, with risk and criticality working together to determine the kind and scope of due diligence efforts”.
- In light of this, the guideline acknowledges that organizations must discern the type and level of risk associated with each third-party arrangement, including subcontracting This makes it possible for FRFIs to control each configuration at the proper intensity level. To do this, it is necessary to comprehend the risk and criticality of every third-party arrangement, considering the FRFI’s size, nature, scope, operations complexity, and risk profile.
- Additionally, OSFI acknowledges that there may be situations in which managing third-party risk through contractual provisions is restricted. Notwithstanding this restriction, OSFI expects FRFIs to use resilience mechanisms such as business continuity plans, monitoring, and contingency planning to manage risk
This article explores the unique specifications of OSFI Guideline B-10’s third-party risk management guidelines. It also lists the features of the Beaconer Third-Party Risk Management Portal that are suitable for meeting these strict specifications.
Anticipated Results of Implementing TPRM
Guideline B-10 outlines 6 anticipated outcomes that FRFIs should attain by implementing robust third-party risk management. These outcomes aim to bolster the operational and financial resilience of FRFIs while safeguarding their reputation. The OSFI Guideline B-10 envisions six specific outcomes that FRFIs are expected to realize through the effective management of third-party risk.
Projected 6 Achievements According to OSFI Guideline B-10
The graphic representation is adapted from the content of OSFI Guideline B-10
Aligning Beaconer’s Potential With OSFI Guideline B-10 Principles
Underpinning the six anticipated outcomes are 11 principles defined by OSFI as optimal practices for third-party risk management. The capabilities of the Beaconer Third-Party Risk Management Platform are associated with these 11 principles in an upcoming overview.
DISCLAIMER: This overview may not cover all aspects; talk to your auditor for a comprehensive list of requisites.
Outcome 1: Clarity in Governance and Accountability Structures, Accompanied by Well-Defined Risk Strategies and Frameworks.
Principles 1: The FRFI is ultimately accountable for managing the risks arising from all types of third-party arrangements.
Principles 2: A framework for handling third-party risks ought to be established by the FRFI. This framework should clearly define roles, duties, procedures, and policies for recognizing, controlling, minimizing, keeping an eye on, and disclosing risks associated with engaging third parties.
Outcome 2: Identifying and Evaluating the Risks That Third Parties Present is the Second Outcome.
Principle 3: While signing a third-party agreement and on an ongoing basis afterward, the FRFI should recognize and evaluate the risks associated with it. Risk evaluations ought to be commensurate with how important an agreement is. To be more precise, the FRFI should plan for sufficient risk reduction and oversight, (re)assess the risk and criticality of the agreement and perform risk assessments before contracting a third party.
Principle 4: Prior to engaging into partnerships or other agreements with a third party, and in a manner commensurate with the degree of risk and importance of the arrangement, the FRFI should do due diligence.
Principle 5: Risk resulting from subcontractors agreements made by its third parties must be identified, tracked, and managed by the FRFI.
Outcome 3: Third-Party Risk Management and Mitigation in The Context of the FRFI’s Risk Tolerance.
Principle 6: The FRFI must enter into formal agreements that clearly define each party’s obligations and rights.
Principle 7: The confidentiality, availability, and integrity of information and records must be protected over the third-party agreement by the FRFI and the third-party, who should also put in place the necessary safeguards.
Principle 8: In order to help it monitor third-party effectiveness and risks, the FRFI’s third-party agreements must offer it with prompt availability of accurate and thorough information. Additionally, the FRFI need to be able to order or carry out an impartial inspection of a third-party.
Principle 9: The capability to provide operations despite interruption, including the upkeep, testing, and activation of business continuity and disaster recovery plans, should be included in the FRFI’s agreements with the third party. Plans for backups should be in place for the FRFI’s important third-party agreements.
Outcome 4: Monitoring and Evaluating the Performance of Third Parties While Taking Proactive Measures to Manage Risks and Accidents.
Principle 10: In order to confirm the third party’s capacity to fulfill its commitments and successfully control risks, the FRFI must maintain an eye on its third-party agreements.
Principle 11: To keep hazards within the FRFI’s risk appetite, both the FRFI and its third party should have procedures in place that are recorded for efficiently identifying, investigating, escalating, tracking, and remediating issues.
Outcome 5: A Range of Third-Party Relationships Can be Identified and Managed Thanks to the FRFI’s Continuous Third-Party Risk Management Program.
As we covered in First Principle, we work with your team to create a thorough third-party risk management (TPRM) program by utilizing a wealth of practical knowledge and tried-and-true methods.
Our professionals work with your staff to choose risk assessment instruments and questionnaires, create and implement TPRM policies and procedures, and enhance your program to handle third-party risk across its complete lifespan.
Outcome 6: Third-party technology and digital operations are distinguished by their transparency, dependability, and security.
Our TPRM portal has a variety of common assessments (like ones used by NIST and ISO) and can be adjusted to check third parties in different ways. If a third party gives a SOC 2 report instead of finishing a risk check, Beaconer lets you find any issues in the SOC 2 report. You can note risks about the third party in one place and watch for any other problems alongside different risks.
Irrespective of any security guidelines or regulations, Beaconer simplifies assessment Chronology and helps in mitigating all types of risks.
OSFI’s release of Guideline B-10 signifies a crucial step in enhancing third-party risk management for FRFIs in Canada. The framework, emphasizing the shift from materiality to criticality, urges nuanced risk assessment and control based on the essentiality of third-party relationships. OSFI recognizes the limitations of contractual provisions in managing risks, encouraging FRFIs to employ resilience mechanisms. Emphasizing transparency and security, Beaconer positions itself as a valuable tool for FRFIs navigating the complexities of managed third party risks, contributing to financial sector resilience and integrity.