On April 24, 2023, OSFI issued its final Third-Party Risk Management Guideline B-10, setting out risk management expectations for Federally Regulated Financial Institutions (FRFIs). Foreign bank branches and foreign insurance company branches are excluded. Adherence is required by May 1, 2024.
Understanding the risk and criticality of all third-party arrangements is key, and the Guideline is to be applied in a proportionate manner.
Expanded scope: now applies to all third parties, not just outsourcing arrangements.
Widened risk lens: now focuses on third-party and related risks, not just outsourcing risk.
Enhanced risk focus: new emphasis on Governance and Risk Management programs, not just contractual provisions.
Inform the Board and Senior Management about the changes and required preparation.
Establish a Third-Party Risk Management Framework (TPRMF) with an enterprise-wide view of exposures to third parties. Align with your company’s risk appetite and risk management frameworks.
Include the lifecycle of third-party arrangements, from sourcing, due diligence and monitoring to potential exit.
Plan to review and update your TPRMF on a regular basis to ensure it remains relevant and appropriate. Make continuous improvements.
If you would like to discuss approaches and how we might assist you in complying with the new Guideline, please reach out.