Third-Party Risk Management Program
We have designed a Third Party Risk Management (TPRM) Program in accordance with industry best practices and with regulatory and state requirements. Boston Private’s TPRM program is designed to identify and reduce strategic, operational, financial, reputational, and cyber risks to the organization. We also ensure that our third parties comply with regulations and protect client information.
Governance and Oversight
The TPRM Program has dedicated staff and is aligned within Enterprise Risk Management. There is both internal and external oversight of the Program.
- The Risk Management Committee of the Board of Directors monitors the effectiveness of our program capabilities and reviews material program changes.
- In addition, the Vendor Management Committee reviews the third party population and monitors and tracks non-conformance with established security expectations.
- Our entities are regulated and audited regularly by the following external auditors and regulatory bodies:
  - Boston Private Internal Audit
  - Federal Reserve Bank of Boston
  - Securities and Exchange Commission
  - Commonwealth of Massachusetts Division of Banks
The TPRM Lifecycle is a model that guides organizations through the life of a third-party relationship. The components of the lifecycle are based on both procedural and regulatory best practices to identify, mitigate, and manage risks. All Boston Private third parties are overseen in accordance with our TPRM program. As prescribed by regulatory guidance, the program comprises the following elements:
- Planning and Risk Assessment
- Due Diligence and Third Party Selection
- Contract Review
- Continuous Monitoring / Ongoing Oversight
We require all third parties to undergo due diligence assessments both at the time of engagement and, where applicable, on an annual basis. Due diligence and continuous monitoring involve a review of a third party’s financial condition, relevant experience, knowledge of applicable laws and regulations, reputation, and the scope and effectiveness of its operations and controls. There is a significant focus on information and cyber security, business resiliency, and fourth party usage.
Subject matter experts at Boston Private, including Information Security, ensure that third parties meet their expectations for data protection and high-quality service. Performance monitoring is conducted to ensure that third parties meet regulatory and contractual requirements.
Awareness and Training
Ongoing awareness and training are provided to Boston Private employees to ensure continuous awareness of the importance of third-party risk management.
Periodic training provides employees with knowledge and guidance on how to effectively manage a third-party relationship, how to identify, manage, and mitigate risks, and how to exit a third-party relationship.