On April 27, the Office of the Superintendent of Financial Institutions (OSFI) released its Draft Guideline B-10 - Third-Party Risk Management (the ‘Draft Guideline’) to gather feedback on its expectations for managing risks related to outsourcing and third-party arrangements.
The Draft Guideline updates the existing OSFI Guideline B-10 – Outsourcing of Business Activities, Functions and Processes by expanding its application scope to include a wide range of third-party arrangements.
These proposed changes are intended to help federally regulated financial institutions (FRFIs) achieve five expected outcomes when managing third-party risk.

1. A clear governance and accountability structure, supported by comprehensive risk management strategies and a framework that contribute to ongoing operational and financial resilience.
   - The FRFI is ultimately accountable for all business activities, functions, and services outsourced and for managing the related risks.
   - The FRFI should establish a third-party risk management framework for identifying, managing, mitigating, monitoring, and reporting on risks relating to the use of third parties.

2. Effective identification and assessment of the risks posed by third parties.
   - Before entering a third-party arrangement, and thereafter, the FRFI should identify and assess the risks of the arrangement by conducting risk assessments (for third-party selection…).
   - The FRFI should undertake due diligence (DD) prior to entering contracts or other forms of arrangement. Ongoing due diligence should be conducted at a frequency and depth appropriate to the level of risk and criticality of the arrangement.
   - The FRFI should assess, manage, and monitor the risks of subcontracting arrangements.

3. Management and mitigation of the risks posed by third parties, taking into consideration the FRFI's risk appetite framework.
   - The FRFI should enter into written arrangements that set out the rights and responsibilities of each party.
   - Throughout the duration of the third-party arrangement, the FRFI and the third party should establish and maintain appropriate measures to protect the confidentiality, integrity and availability of records and data.
   - The FRFI's third-party arrangements should allow the FRFI timely access to accurate and comprehensive information to assist it in overseeing third-party performance and risks.
   - The FRFI's agreement with the third party should cover the ability to deliver operations through a disruption, including the maintenance, testing, and activation of business continuity and disaster recovery plans.

4. Continuous monitoring and assessment of third-party performance, with risks and incidents proactively addressed.
   - The FRFI should monitor its third-party arrangements to verify the third party's ability to continue to meet its obligations and effectively manage risks.
   - Both the FRFI and its third party should have documented processes in place to effectively identify, investigate, escalate, track, and remediate incidents, so as to ensure ongoing operational and financial resilience and keep risk levels within the FRFI's risk appetite.

5. A dynamic risk management program that actively captures and appropriately manages the full range of third-party arrangements.
   - FRFIs must be able to manage risks in situations where no contract, or only a standardised contract, supports the arrangement.
Comments must be submitted to firstname.lastname@example.org by July 27, 2022.
The final Guideline is scheduled to be available in fall 2022.