In April 2023, Canada's Office of the Superintendent of Financial Institutions (OSFI) finalized Guideline B-10, Third-Party Risk Management, which addresses the operational and financial risks that arise from vendor and supplier relationships.
Guideline B-10 sets expectations for federally regulated financial institutions (FRFIs) to manage risks associated with third-party arrangements. The Guideline states:
“OSFI expects the FRFI to manage the risks related to all third-party arrangements and emphasizes that the FRFI retains accountability for business activities, functions and services, outsourced to a third party.
“To that end, FRFIs are required to provide to OSFI, upon request, information related to their business and strategic arrangements with third parties, risk management, and control environments, to support supervisory monitoring and review work. OSFI expects to be promptly notified of substantive issues affecting the FRFI’s ability to deliver critical operations due to a third-party arrangement.”
The guideline also expands the definition of a third party to include more entities like independent professionals, brokers, and utilities, and recommends including all types of third parties in risk assessments.
Driving these new requirements is a shift in emphasis from materiality to criticality. A third-party arrangement is critical where the third party performs a function that is integral to the FRFI's provision of a significant operation, function or service. This calls for a dual-pronged approach in which both risk and criticality inform the nature and extent of due diligence activities.
To that end, the guideline requires organizations to identify the type and level of risk arising from each third-party arrangement (including subcontracting arrangements), so that the FRFI can manage each arrangement with the appropriate level of intensity. Doing so requires an understanding of the risk and criticality of each third-party arrangement, as well as the size, nature, scope and complexity of operations and the risk profile of the FRFI.
OSFI further acknowledges that the opportunity to manage third-party risk through contract terms may be limited in some cases. OSFI nonetheless expects the FRFI to manage that risk, as appropriate, through monitoring, business continuity measures, contingency planning and other resiliency mechanisms.
This post examines the third-party risk management requirements in OSFI Guideline B-10 and identifies capabilities in the Prevalent Third-Party Risk Management Platform that can address those requirements.
Guideline B-10 presents six expected outcomes for FRFIs to achieve through effective third-party risk management. These outcomes are meant to contribute to the FRFI’s operational and financial resilience and help safeguard its reputation.
Six expected outcomes for FRFIs to achieve through managing third-party risk. Graphic adapted from OSFI Guideline B-10.
Supporting the six expected outcomes are 11 principles that OSFI describes as best practices for third-party risk management. The summary below maps Prevalent Third-Party Risk Management Platform capabilities to these 11 principles.
NOTE: This should not be considered comprehensive, definitive guidance. Consult your auditor for a complete list of requirements.
Principles 1 and 2: Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program based on proven best practices and extensive real-world experience. Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding.
Principle 3: Prevalent starts by centralizing and automating the distribution, comparison, and management of requests for proposals (RFPs) and requests for information (RFIs). Our solutions also deliver business, reputational, financial, and data breach risk insights to inform and add context to vendor selection decisions. Prevalent then moves each selected vendor into contracting and/or onboarding due diligence phases, automatically progressing the vendor through the third-party lifecycle.
Principle 4: Next, Prevalent offers a pre-contract due diligence assessment with clear scoring based on eight criteria to capture, track and quantify inherent risks for all third parties. From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments. Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory and reputational considerations.
Prevalent features a library of more than 750 pre-built templates for ongoing third-party risk assessments. These are integrated with native cyber, business, reputational, and financial risk monitoring capabilities, which continuously validate assessment findings and fill gaps between assessments. Built-in remediation recommendations ensure that third parties address risks in a timely and satisfactory manner.
Principle 5: As part of the inherent risk assessment and onboarding process, Prevalent can identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map depicts information paths and dependencies that could expose your environment to risk. Suppliers discovered through this process are continuously monitored to identify financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening. This approach provides insights to address potential technology or geographic concentration risk.
Principle 6: Prevalent centralizes the distribution, discussion, retention, and review of vendor contracts that set out the rights and responsibilities of each party. It also offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding.
Principle 7: Prevalent also delivers a centralized, collaborative platform for conducting privacy assessments and mitigating both third-party and internal privacy risks, helping ensure that appropriate measures are taken to protect the confidentiality, integrity and availability of records and data.
Principle 8: Prevalent automates third-party risk management compliance auditing by collecting vendor risk information, quantifying risks, recommending remediations, and generating reports for dozens of government regulations and industry frameworks. Prevalent automatically maps information gathered from control-based assessments to ISO 27001, NIST, GDPR, COBIT 5, SSAE 18, SIG, SIG Lite, SOX, NYDFS, and other regulatory frameworks, enabling you to quickly visualize and address important compliance requirements.
Principle 9: Prevalent automates the assessment, continuous monitoring, analysis, and remediation of third-party business resilience and continuity, while automatically mapping results to NIST, ISO, and other control frameworks, to confirm that third parties can deliver operations through a disruption and have a business continuity and disaster recovery plan in place.
Principle 10: Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. All monitoring data is correlated to assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.
Principle 11: Prevalent enables your team to rapidly identify and mitigate the impact of third-party vendor incidents that could affect operational and financial resilience by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance.
As explained in Principle 1, Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program based on proven best practices and extensive real-world experience.
The Prevalent Platform includes a large library of standardized assessments (including those for NIST and ISO best practices frameworks) and customization capabilities to assess third parties with flexibility. For third parties that submit a SOC 2 report instead of a completed third-party risk assessment, Prevalent enables you to map control gaps identified within the SOC 2 report, create risk items against the third party within a central assessment platform, and track and report against deficiencies along with other risks.
Regardless of the cybersecurity framework, Prevalent enables you to reduce assessment timelines and mitigate risks.
Prevalent can help organizations automate the assessment and continuous monitoring of third-party business and financial resilience to support compliance and conformity with OSFI Guideline B-10.
For specific guidance on how Prevalent can help address the requirements set forth in OSFI Guideline B-10, download the full OSFI compliance checklist or request a demo today.