Third Party Risk Management Landscape & Best Practices
April 2022
Straight To The Point
To remain competitive, respond to changing customer expectations, leverage industry expertise, and optimize operational efficiencies, financial institutions have been increasingly turning to third parties. This trend began in the early 1990s and was largely profit driven, with third parties contracted to provide traditionally internal services more efficiently. More recently, financial institutions have increasingly looked to third parties for a number of reasons: to help meet changing customer expectations; to remain competitive; or when producing the product or service would require material short-term expense outlays or technologies inconsistent with the existing systems.
While outsourcing proved that it could be “cheaper and faster,” it did not always translate to “better” and opened the organizations up to a number of new risks. In fact, inadequate understanding of third-party risks and lack of proper oversight resulted in business disruptions for many organizations, and some came with severe consequences. Hence, more formalized third-party risk management processes were born.
THE EVOLUTION OF THIRD-PARTY RISK MANAGEMENT PROCESSES
Starting in the late 2000s, financial institutions began to realize that their traditional Risk Management, Compliance, and Audit functions could not adequately manage the risks emerging from the significant increase in the size and scope of third-party relationships. Regulators around the globe also started to publish new guidance on third-party risk management, significantly heightening awareness and raising expectations.
Since then, much has been learned, leading to several globally accepted standards.
Typically, an effective third-party risk management process follows a continuous life cycle made up of five phases: Planning, Due diligence & third-party selection, Contract negotiation, Ongoing monitoring, and Termination/Renewal. The risk management processes carried out throughout these five phases seek to identify, assess, and mitigate risks inherent in third-party relationships. The numerous actions under each phase require a thorough understanding of the level of risk and complexity of the third-party relationships, commensurate with the company’s strategic goals and risk appetite.
Although there is wide acceptance of this high-level framework, the adequacy of the organizational structures, processes, and technologies adopted by companies in designing and implementing supporting policies and standards varies significantly. A key factor in establishing an effective third-party risk management process is recognizing the need for new skills and new tools; relying exclusively on old legacy practices and processes no longer provides protection. While financial institutions have been expanding staffing and increasing spending for their third-party risk management (“TPRM”) programs, without proper expertise a number of these efforts lead to over-engineered processes that still fail to achieve acceptable levels of control and risk mitigation.
Companies with the most effective risk programs ensure engagement at the most senior levels including the Board of Directors and C-Suite. The same rule applies to managing third-party risk regardless of who owns the TPRM function. After all, while a financial institution can outsource the work, it cannot outsource the responsibility, nor the accountability.
CHANGING RISK LANDSCAPE
Thanks to an ever-changing and evolving third-party risk landscape, many new and arguably more dangerous threats have been emerging:
- Cyber risk is ranked number one by many third-party risk experts. Concerns range from ransomware or malware infiltration due to third-party access points to data breaches, outages, and data leakage
- IT complexities have increased as more organizations allow employees to work from home with different levels of remote access security measures in place
- The use of dedicated company devices vs. multi-use employee devices introduces yet another level of risk, from reputational to technological
- Labor shortages are forcing companies to hire a higher number of contractors to fill gaps, which expands security risk
- Automation has led to increased utilization of external software developers, which has also increased the potential risk of malicious code being inserted into software updates
- Organizations have limited, if any, direct oversight of 4th (or 5th, Nth) parties even when they handle critical functions. Given this high degree of difficulty, many firms have defaulted to relying on legal agreements in lieu of performing their own due diligence in the form of onsite audits and compliance. This has worked well until there is a problem
- Crisis Management capabilities took on a whole new importance during the pandemic because of financial institutions’ reliance on critical services provided by third parties
- Geo-political events recently brought into question the sustainability of globalization. Supply chain disruptions created by everything from so-called “acts of god” to force majeure have painfully highlighted the vulnerabilities created by this outsourcing strategy. Organizations are seriously considering whether to insource, onshore, or at least near-shore products and services from their current locations. These developments raise significant concerns over the use of third parties going forward
In the meantime, regulators around the globe have been tightening their expectations through new and revised guidance on several risk areas, such as Privacy, Governance Risk and Compliance (GRC) practices, and Disaster recovery. There is no doubt this list will continue to grow and expand the span of TPRM. The recent introduction of ESG requirements and Scope 3 responsibilities parallels many of the challenges that firms face with third-party management and may provide possible new tools, and therefore should be closely watched.
Besides the obvious business impairment risks of third-party provider problems, there is the added desire to align with regulatory expectations and avoid deficiencies in supervisory examinations. Since regulators typically define “what” they expect but remain silent on the “how”, the design and the effectiveness of TPRM programs vary significantly from organization to organization.
BEST PRACTICES
Today's operating environment is profoundly different even when compared to a few years ago. Digital technology, advanced risk analytics, along with regulatory and compliance expertise have emerged as key organizational assets helping drive important strategic and operational decisions. While there is a much stronger understanding of the need to better manage third-party risk today, some organizations are still struggling to determine how best to go about it.
The good news is several best practices have been developed over time, such as:
- Having stakeholders with the right level of ownership and accountability
- Establishing policy and standards that ensure consistency
- Developing dedicated third-party oversight expertise and recognizing the need for hands-on oversight at the point of actual delivery
- Obtaining greater transparency into suppliers’ operations through data management, dashboard tracking, and analysis
- Proactively identifying, assessing, and monitoring risk areas
- Staying on top of regulatory expectations
Financial institutions can also drill down into these Best Practices by asking some key questions:
- Is the TPRM framework supported by a well-defined organizational structure, processes, and tools?
- Does the TPRM program follow the continuous life cycle of Planning, Due diligence & third-party selection, Contract negotiation, Ongoing monitoring, and Termination/Renewal?
- Are TPRM roles, responsibilities, and ownership at the 1st, 2nd, and 3rd lines of defense well-defined, well-documented, and executed?
- Is there a clear escalation policy for when issues are raised and robust follow-up procedures in place?
- Is there a comprehensive training program to educate all stakeholders involved in the TPRM process?
- Is an experienced TPRM leadership team with the required unique skills in place to oversee the TPRM program?
Let our team of TPRM experts assist your board and senior management team to establish a successful, well-managed third-party risk management program that includes proper structure, processes, and technologies to keep your business and institution safe and comply with regulatory expectations.
Our goal is to help you achieve your goal of maximizing your third-party relationships while minimizing the embedded business and regulatory risks in the most efficient and effective manner, leveraging our knowledge of industry best practices.
MEET THE AUTHORS
Thomas Dujenski - Director, Risk & Regulatory Compliance
Richard Toledo - Director, Risk & Regulatory Compliance
John Henrie - Senior Manager, Risk & Regulatory Compliance
Yakut Akman - Risk & Regulatory Compliance Expert
Hollis Hart - Advisory Board Member
About Reference Point
Reference Point is a strategy, management, and technology consulting firm focused on delivering impactful solutions for the financial services industry. We combine proven experience and practical experience in a unique consulting model to give clients superior quality and superior value. Our engagements are led by former industry executives, supported by top-tier consultants. We partner with our clients to assess challenges and opportunities, create practical strategies, and implement new solutions to drive measurable value for them and their organizations.