2019 Non-Vendor Risk Management Survey

The survey was conducted by The Risk Management Association between February and April 2019. Most of the questions were multiple choice with many opportunities to provide comments. Some questions were open text and designed to provide information and insight about the current status and emerging practices for "non-vendor" third-party relationships, across a range of RMA member institutions. 

A total of 74 responses were received, covering a wide range of financial institutions in four asset-size groups: less than $10 billion, between $10 and $50 billion, $50 to $100 billion, and over $100 billion. Respondents included community, regional, super-regional and money center banks, investment banks and insurance companies, and Financial Market Utilities headquartered in the United States, Canada, and Europe. These groupings will enable further analysis by asset size and subject matter for future articles in The RMA Journal.

The first iteration of this survey was designed in 2015 by the RMA Third-Party/Vendor Risk Management Steering Committee. Updates to the 2019 survey were possible with the help of: Ron Ausemus (Texas Capital Bank), Matthew Buskard (Fifth Third Bank), Carol Haeberle (Prudential), Debbie Manos-McHenry (Huntington Bank), and Linda Tuck Chapman (ONTALA Performance Solutions Ltd). The definitions for "vendor" and "non-vendor," as well as a sample of 20 categories of non-vendors, have been developed by the Third-Party Risk Management Round Table Steering Committee with the help of the working group participants. 

The 2014, 2015, 2017, and 2019 RMA Third-Party/Vendor Risk Management surveys were conducted at the request of RMA Third-Party/Vendor Risk Management Round Table members. The 2015 survey was designed as an update and expansion to similar content in the 2014 RMA survey. Practices are rapidly evolving due to increased regulation of the Board and senior management, stemming from significant changes mandated by the OCC and FRB in updated regulatory guidelines (OCC 2013-29 “Third-Party Relationships” and Fed SR 13-19/CA 13-21 “Guidance to Managing Outsourcing Risk”) and from CFPB expectations relating to vendors and other third parties. The 2014 and 2017 surveys focused on the third-party programs, while the 2015 and 2019 surveys focused more on “non-vendor” practices.

Please note the use of the terms “vendor” and “non-vendor” third party throughout this survey. This is an important distinction in identifying in-scope relationships and potential differences in how institutions identify, assess, monitor, and control risks throughout the lifecycle of different types of third-party relationships, create and record documentary evidence, and provide risk reporting.

The following areas were addressed in this year’s survey:

  1. Non-Vendor Third-Party Risk Management Program.
  2. Governance, Procurement, Contracting, and Reporting.
  3. Tools and Technology.
  4. Insight and Advice.

The Executive Summary of the 2019 Non Vendor Third Party Risk Management Survey is available as a PDF.

For questions, please contact Sylwia Czajkowska, Associate Director/OpRisk, (215) 446-4071, sczajkowska@rmahq.org.