Complying with OSFI Guideline B-10 for Third-Party Risk Management

In April 2022, the Canadian Government Office of the Superintendent of Financial Institutions (OSFI) issued a draft of Third-Party Risk Management Guideline B-10, which addresses the operational and financial risks associated with vendor and supplier relationships.

Guideline B-10 sets expectations for federally regulated financial institutions (FRFIs) to manage risks associated with third-party arrangements. It is applicable to all FRFIs, except for foreign bank branches and foreign insurance company branches. The Guideline states:

“The Office of the Superintendent of Financial Institutions (OSFI) expects that FRFIs practice effective risk management and retain ultimate accountability for all their business activities, functions, and services, whether they are performed in-house or through a third-party arrangement.

“To that end, FRFIs are required to provide to OSFI, upon request, information related to their business and strategic arrangements with third parties, risk management, and control environments, to support supervisory monitoring and review work. OSFI expects to be promptly notified of substantive issues affecting the soundness of the FRFI due to a third-party arrangement.”

The guideline also expands the definition of a third party to include more entities like independent professionals, brokers, and utilities, and recommends including all types of third parties in risk assessments.

Driving these new requirements is the shift from materiality to criticality – where a third party performs a function that is integral to the FRFI’s provision of a significant operation, function or service, requiring a dual-pronged approach where risk and criticality inform the nature and extent of due diligence activities.

This post examines the third-party risk management requirements in OSFI Guideline B10 and identifies capabilities in the Prevalent Third-Party Risk Management Platform that can address the requirements.

Five Expected Outcomes

Guideline B-10 presents five expected outcomes for FRFIs to achieve through managing third-party risk. These outcomes are meant to contribute to the FRFI’s operational and financial resilience and help safeguard its reputation.

Five expected outcomes for FRFIs to achieve through managing third-party risk. Graphic adapted from OSFI Guideline B-10.

Mapping Prevalent Capabilities to OSFI Guideline B-10 Principles

Supporting the five expected outcomes are 11 principles that OSFI describes as best practices for third-party risk management. The summary below maps Prevalent Third-Party Risk Management Platform capabilities to these 11 principles.

NOTE: This should not be considered comprehensive, definitive guidance. Consult your auditor for a complete list of requirements.

Outcome 1: Governance and accountability structures are clear with comprehensive risk strategies and frameworks in place to contribute to ongoing operational and financial resilience.

Principles 1 and 2: Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program based on proven best practices and extensive real-world experience. Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding.

Outcome 2: Risks posed by third parties are identified and assessed.

Principle 3: Prevalent starts by centralizing and automating the distribution, comparison, and management of requests for proposals (RFPs) and requests for information (RFIs). Our solutions also deliver business, reputational, financial, and data breach risk insights to inform and add context to vendor selection decisions. Prevalent then moves each selected vendor into contracting and/or onboarding due diligence phases, automatically progressing the vendor through the third-party lifecycle.

Principle 4: Next, Prevalent offers a pre-contract due diligence assessment with clear scoring based on eight criteria to capture, track and quantify inherent risks for all third parties. From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments. Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory and reputational considerations.

As part of the inherent risk assessment and onboarding process, Prevalent can identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map depicts information paths and dependencies that could expose your environment to risk. Suppliers discovered through this process are continuously monitored to identify financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening. This approach provides insights to address potential technology or geographic concentration risk.

Principle 5: Prevalent features a library of more than 120 pre-built templates for ongoing third-party risk assessments. These are integrated with native cyber, business, reputational, and financial risk monitoring capabilities, which continuously validate assessment findings and fill gaps between assessments. Built-in remediation recommendations ensure that third parties address risks in a timely and satisfactory manner.