How Mirato Supports Compliance with the New Interagency Guidance on Third-Party Relationships

A summary of the requirements of the new Interagency Guidance and how Mirato’s AI-powered technology can help Financial Services Firms meet them.

By The Mirato Team

The Federal Reserve System, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency recently issued joint guidance on managing risks associated with third-party relationships. The final guidance includes all banking organizations supervised by the agencies regardless of size or complexity and prescribes principles for sound risk management practices for all stages of third-party relationships.

The guidance emphasizes four key areas:

1. A flexible, risk-based approach, robust methodology, and comprehensive oversight

2. Board Oversight

3. Due Diligence & Collaborative Efforts

4. Managing Subcontractor Risk

If you are unfamiliar with Mirato, Mirato’s TPRM Intelligence Platform and Questionnaire Killer are advanced Artificial Intelligence solutions designed, built, and trained specifically to complete your TPRM assessments using your unique risk model and the information you already collect. 

Mirato solutions validate your controls with a complete audit trail and replace continuous monitoring with continuous assessment. Mirato makes no decisions but provides machine insights that help humans make better decisions faster.

Here is a summary of the requirements of the new Interagency Guidance and how Mirato’s AI-powered technology can help Financial Services Firms meet them.

Interagency Guidance Requirements as Supported by Mirato

1. Less prescriptive, more flexible risk-based approach: The guidance emphasizes that organizations should take a more risk-based approach when assessing traditional and nontraditional third parties, identifying their unique activities and associated third-party relationships, and applying a robust methodology to determine which areas necessitate comprehensive oversight.

Most firms are already overburdened, resource-constrained, and unable to manage risk for all traditional vendors effectively, let alone nontraditional third parties like affiliates, affinity relationships, agents, brokers, dealers, etc. Managing capacity is a constant challenge, limited by the time and bandwidth of risk experts, and often results in backlogs and regulatory or even financial penalties.

Mirato eliminates the need for risk assessors to search through documents (SOC Reports, Penetration Testing reports, Policies and Procedures, BC/DR Plans, ISO, DPA, Insurance, etc.) to confirm evidence for risk controls.

Instead, they begin with a view of which controls are supported and which are not, starting their assessments with an already pre-assessed, evidence-based, control-centric report.

This can double (or more) the capacity of assessments completed by existing risk SMEs, improve quality and consistency, and enable risk experts to focus all their time on strategic risk management decisions instead of sifting through hundreds or thousands of pages to validate controls.

Another advantage Mirato provides is identifying all evidence for a control from a single source or from multiple sources. Converging evidence from several sources strengthens the understanding of a control and improves its visibility. At the same time, conflicting evidence from different sources exposes controls that may be compromised, signaling an elevated level of risk.

Mirato also enables the comprehensive assessment of all third-party entities as prescribed in the new guidance. Even nontraditional third parties can be thoroughly scrutinized without an increase in human resources. This capability optimizes the review process and enables full inclusion of the broader range and expanding definition of third parties while maintaining operational efficiency.

Supplementing existing programs with Mirato increases accuracy, quality, consistency and completeness. These collectively foster a more robust methodological framework and comprehensive oversight program where the overall efficacy of controls is elevated, resulting in a thorough and dependable control structure.

2. Board Oversight: In addition to the original guidance, the Board should be aware of and approve contracts involving higher-risk activities, receive more frequent periodic reporting on third parties, and review the results of related lifecycle activities.

It takes weeks of manual effort to generate reports to satisfy the current cadence of monthly governance, quarterly executive and risk committees, and annual board meetings. The information presented is often stale when senior stakeholders review these reports.

Mirato enhances the efficiency of collecting, analyzing, and generating risk reports, addressing increased oversight requirements for already burdened companies. This facilitates the more frequent and accurate production of these reports, supporting organizations in meeting their obligations.

By providing “on demand,” in-depth insights into existing risks, fluctuations, and patterns, Mirato analytics gives senior risk executives an instant, dynamic and comprehensive understanding of what is happening within their organization. This empowers them to demonstrate a heightened grasp of risk dynamics and a proactive risk management approach when interacting with regulators.

Mirato allows faster and more comprehensive scanning of extensive contract inventories to pinpoint and address critical threats like cybersecurity and data privacy issues. Mirato can also quickly re-assess documentation after changes in risk criteria, regulatory demands, risk thresholds, or program modifications, ensuring ongoing risk assessment.

Accomplishing this rapidly and at scale is a vast improvement over the conventional labor-intensive and costly method of deploying numerous analysts or outsourced evaluators to sift through contracts whenever a new factor emerges. Mirato streamlines the process significantly.

3. Due Diligence & Collaborative Efforts: The guidance emphasizes the importance of managing risk based on each third-party relationship or service provided and applying specific controls and requirements accordingly, including when using assessments and risk information from consortiums, industry reports, and external data providers.

Although consortiums, data feeds and outsourced assessments provide valuable information, analyzing and correlating this information uniquely to the specific risks identified for each third party at the relationship level is still a tedious, time-consuming, and painfully manual effort.

Optimized for each client, Mirato consumes any available outsourced assessments, consortium, and subscription data and then interprets that information uniquely using each firm’s bespoke risk control framework to validate the specific controls they require for every relationship.

By combing through all the available documentation and reading each page millions of times, Mirato surfaces up to 55% more evidence from the same documents the consortiums use to generate their reports. This increases the value of those services and reduces the manual evidence review, due diligence questions, and controls validation required to fill that gap today.

This new ability to constantly read and understand all information as quickly as it becomes available or changes turns continuous monitoring into continuous assessment, reducing the frequency and quantity of periodic reviews and the need for expensive outsourced risk assessment services to address backlog or overflow.

4. Managing Subcontractor Risk: The guidance calls for overseeing third parties’ own TPRM programs and preparing for potential risks from subcontractors (concentration, cascading, single point of failure, geographical), ensuring that third parties manage these relationships safely and in accordance with applicable laws and regulations.

Another symptom of limited time and resources is that most firms struggle to manage their third parties effectively, let alone their fourth parties.

Mirato identifies and inventories the fourth parties hidden within TPRM documentation more accurately and comprehensively than current manual approaches. Once they are exposed, its advanced analytical and correlation functions clearly visualize the interrelated and cascading effects caused by any single point of failure.

Mirato’s “Risk Aggregator” provides a detailed map of fourth-party and concentration risk, illustrating which third parties, business units, geographies, engagement types, service lines, and relationship managers are affected by any third- or fourth-party disruption. This is difficult, if not impossible, for most firms to create today.

The Interagency Guidance pressures every financial services firm to improve its TPRM program in several key areas. Most firms are already understaffed, underfunded, and unable to operationalize effective risk management, even without these additional requirements.

Mirato’s AI-powered TPRM technology is a force multiplier that increases capacity and effectiveness, making compliance with the Interagency Guidance more attainable and sustainable without program changes or additional human resources.

Mirato makes no decisions. Validating the output from Mirato is done by reviewing the complete audit trail provided, just like validating the work of human assessors.

Mirato empowers your risk experts to make better decisions faster and focus all their time and effort on risk management, not data administration.

What can Mirato do for you?