Terms in this set (503)

An activity that could cause significant consequences if a third party fails to meet expectations; could have an impact on the Outsourcer's regulatory obligations; could lead to significant violations of licensing terms caused by third parties; could have significant customer impacts; requires significant investment in resources to implement the third-party relationship and manage the risk; or could have a major impact on an organization's operations if the organization has to find an alternate third party or if the outsourced activity has to be brought in-house. A critical activity could enable specific incremental oversight processes. Retrieved and adapted from OCC Bulletin 2013-29. The European Banking Authority (EBA) defines critical or important functions in section 29. Institutions and payment institutions should always consider a function as critical or important in the following situations: a. where a defect or failure in its performance would materially impair: i. their continuing compliance with the conditions of their authorisation or its other obligations under Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive 2014/65/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC and their regulatory obligations; ii. their financial performance; or iii. the soundness or continuity of their banking and payment services and activities; b. when operational tasks of internal control functions are outsourced, unless the assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the effectiveness of the internal control function; c. when they intend to outsource functions of banking activities or payment services to an extent that would require authorisation by a competent authority, as referred to in Section 12.1. Retrieved from: EBA Guidelines on Outsourcing Arrangements, February 2019.
The three lines of defense structure clearly divides organizational risk management responsibilities into three functional areas. In 2004, COSO (Committee of Sponsoring Organizations of the Treadway Commission) introduced this triple line of defense system. In practice, some knowledgeable observers suggest modifying the structure so that an organization's Governing Board has an active role in the third line of defense, and so that corporate management is incorporated into the second line of defense. Some observers view the board as part of the audit line of defense; others have proposed the board as a fourth line. The structure defines risk management roles, internal compliance and control functions, and audit roles. The structure consists of: operational or business units; risk and control functions; and internal audit. The lines of defense framework is generally depicted as follows:
First Line of Defense: Business units assume ownership and responsibility for the design and application of risk assessment, control and mitigation. These components are embedded into the unit's decision making and operations at all levels. First line Enterprise Risk Management (ERM), including third party risk management (TPRM), resides here. To ensure that management appropriate to the organization is taking place throughout the vendor lifecycle, procurement and an assigned vendor relationship manager should work with other members of the First Line of Defense.
Second Line of Defense: Consists of the compliance oversight team, which may employ aspects of other control functions for support.
Third Line of Defense: Generally viewed as the internal audit team, a function which must remain independent and therefore cannot provide direct support to the other lines of defense in the chain. This function may be outsourced, which can add a level of complexity to third party risk management. One of internal audit's critical roles is oversight of the first and second lines of defense.
Monitoring occurs at specific points in time after an initial third party control assessment has been made. The timing of periodic assertion requests or periodic onsite assessments may be based on a number of factors, including: the outsourced product/service presents critical risk levels; industry regulators "encourage" onsite verification; the third party is not forthcoming in its declarations of controls; self-assessment assertions are not providing the outsourcer with an adequate sense of percentage risk relative to its own risk appetite; a response to a loss of proprietary information and/or financial impact is needed; changes in system interconnectivity alter risk levels; documentation needs to be reviewed that cannot be shared off-site (that is, an assessor can only view the documentation on-site and is not allowed to take duplicates with them); there are material process changes at the third party that impact work done on behalf of the outsourcer; a security irregularity suggests that controls are not effective; appropriate continuous monitoring metrics are not available; remediation activities for identified issues need to be verified; and assurance is needed that the relationship is monitored on a proactive basis. Periodic ongoing monitoring generally lacks the timeliness and level of granular visibility required for a proactive response to certain issues that continuous monitoring can provide. Improved and more targeted threat intelligence capabilities are making near real time monitoring an essential component of TPRM programs. Sometimes, continuous monitoring outputs may trigger onsite assessments.