Due Diligence and Ongoing Monitoring

How are the review of operational controls being handled in the insurance industry's TPRM programs?

  • 1.  How are the review of operational controls being handled in the insurance industry's TPRM programs?

    This message was posted by a user wishing to remain anonymous
    Posted 12-19-2023 11:00 AM

    How are the review of operational controls being handled in the insurance industry's TPRM programs? What is the approach/process, how do they determine what is in and out of scope, what are their materiality thresholds? 



  • 2.  RE: How are the review of operational controls being handled in the insurance industry's TPRM programs?

    Posted 12-21-2023 03:51 PM

    When it comes to TPRM and the review of a third party's operational controls, there are standard methods and best practices that can be applied regardless of industry.

    These would include the completion of an internal inherent risk assessment to determine the types and amounts of risk that exist with the specific product and service and therefore the relationship. The inherent risk assessment should result in a risk rating and a determination of whether the product or service is critical to the organization or not. The risk rating and criticality should inform the scope of due diligence.

    Due diligence is the process of evaluating the identified risks and then requiring the third party to provide documented evidence that they have the appropriate risk management practices and controls to effectively mitigate those risks. Due diligence usually requires that the third party complete a questionnaire about their risk management practices and controls, and then provide documentation in support of their answers on the questionnaire. That documentation can include things like financial statements, SOC reports, policies, training logs, cybersecurity plans, testing results, etc. A credentialed subject matter expert should review the third party's information and documents and provide a qualified and documented opinion regarding the sufficiency of those controls.

    Because insurance is regulated at the state and sometimes local levels, the requirements for which relationships are in or out of scope may vary. However, one could look to the Interagency Guidance on Third Party Relationships: Risk Management for best practices. The interagency guidance on third party relationships primarily applies to financial institutions, including insurance companies. While insurance agencies are not explicitly mentioned in the guidance, they are still subject to similar expectations when outsourcing to third-party service providers. Therefore, insurance agencies should consider the guidance's principles when selecting and managing third-party relationships to ensure that they are effectively managing the associated risks. One key aspect of the guidance is that all business relationships (excluding customers) are in scope.

    Hopefully, this information is helpful, but I would love to hear from other members who want to share their experiences.