5 minute read 22 Apr 2020
Are Third Parties a blind spot in Risk Management?



Roy Alexander Boukens

EY EMEIA Financial Services Risk Management Associate Partner

Expert in the broad financial services industry. Focused on Enterprise Risk Management, Non-Financial Risk Management and Internal Control. Excited about organizational transformations.


Third-party risk has increased for financial institutions just as it has for other sectors. What are their obligations and where can EY make a difference?

Digital changes and an increasing focus on core business are making the ecosystem of financial institutions grow. Working with third parties means that financial institutions are also becoming part of a larger, more complex, but also riskier network. How should they account for this reality in their Risk Management? A great number of obligations have been imposed in the past, but they keep evolving. COVID-19 offers an opportunity to identify strengths and weaknesses. It is an exercise around which EY can create added value.

What we saw in other sectors could also have an impact in the financial sector: ecosystems are growing, under pressure from an increasingly important digital agenda. Financial institutions are increasingly concentrating on their core business, which means that they are working more with third parties (TP). It is no coincidence that in recent years, various fintech players have emerged who are responding to this trend - in addition to the large number of traditional players that were already established in the market. This fact raises a number of questions, and it should. What is my place in the larger picture? And what is the impact on my business when one of those third parties fails or stops delivering? That is exactly what Third-Party Risk Management (TPRM) is all about.

Corona lays bare weaknesses in Risk Management

In itself, the coronavirus, with all the consequences it brings about, does not change much about the workings of Risk Management (RM). However, its unique and far-reaching nature does lead to a different and broader view of Risk Management. In the past, a pandemic was sometimes a blind spot in RM. It was identified, but ultimately assessed as something that was very unlikely to happen. Today it is becoming clear that, in the current reality of a wider ecosystem, this may not have been the right assumption. In addition, the situation is causing third parties to stumble and get to grips with their own resilience, both financially and operationally. How are their finances? How are they continuing to deliver? This can change overnight, and if you do not know what the risk is, this can cause obvious problems. These more complex ecosystems also have an international dimension. We witnessed how significant the consequences for companies can be with one of our customers, a Scandinavian insurer. Because a TP in Poland suddenly ceased all activities, certain processes could no longer be executed and delivered, which completely immobilized the insurer. What effect will the corona crisis have on TPRM? Hopefully, it will be a wake-up call.

For too long, third parties were a blind spot in Risk Management.

Outsourcing guidelines

Steps have been taken in the past to make TPRM more stringent. Certain rules have been followed more strictly and rigorously. For example, banks are bound by the so-called EBA outsourcing guidelines, which, if followed, should prevent us from ending up in scenarios that financial institutions prefer not to end up in. These guidelines are principle-based. There are several principles that highlight what objectives need to be achieved in managing third parties and understanding the risks that they pose. For example, they prescribe that all suppliers must be known and that someone needs to be responsible for every one of them. It has to be said, however, that some companies already fail in this regard. And we are not even talking about the suppliers of our suppliers yet, the so-called fourth and fifth parties. There are also principles that mention the obligation to make risk assessments in terms of continuity, data, privacy or security. It is essential that it is the financial institution itself that is responsible for meeting these requirements. Coming back to the corona crisis: this is the perfect moment to examine to what extent this exercise has borne fruit. What has worked well and where does it need to be improved? At least the importance of controlling the external third-party environment has been made clear.

The corona crisis is an opportunity to review the effectiveness of Third-Party Risk Management.

Complying with international standards

Is there a different reality in Belgium compared to other European countries in terms of TP Risk? Or is there a European approach that looks different from, say, the American one? The approach in Europe is mainly based on the guidelines issued by the EBA. This does not differ substantially from some standards in the US, for example. However, TP Risk is on the rise worldwide. With an ever increasing number of cyberattacks, larger and more complex ecosystems, adoption of the cloud and, of course, the digitization of the financial sector, it is becoming increasingly important to correctly identify, assess and respond to these risks. The chain is only as strong as its weakest link and in the case of operational and non-financial risks these are often third-party risks. That is why expectations are rising all over the world.

The added value of TPRM Solutions

Dealing with third parties and performing TPRM requires specific expertise from various fields, from security to risk management in general. EY's TPRM Solutions offer various services. Some clients are supported in defining and implementing their overall approach. By definition, this is forward-looking, even though older information is used to make sense of what has happened in the past. Another service is performing third-party assessments. What are the risks and potential shortcomings of a third party in the context of the requirements? Is it appropriate to work together and why? What risks does it involve and what actions should be taken to mitigate them? These are the kinds of questions that such services can answer. EY also assists in setting up so-called Shared Assessment Entities. If each institution makes its own assessments, this often leads to all institutions asking questions to the same third parties. Significant savings can be achieved by conducting the assessments together and sharing the results. This benefits the institutions, third parties and regulators alike. In the United States this is already under way, but in some European countries, too, financial institutions are setting this up. Finally, EY can offer Third-Party Risk Management as a service in which all assessments are performed on the EY platform by EY professionals as an ongoing service for a client.

Third Parties are becoming increasingly crucial, which means that the risks are also increasing.

Growing importance of cybercrime

The most recent Global TPRM Survey conducted by EY shows that over the past two years, as many as 38% of the companies surveyed were confronted with a data breach as a result of a third party they work with. This fairly high figure is produced by a combination of two factors. There is the third-party factor, which, as outlined, requires additional coordination and oversight and creates more complex and therefore often more fragile connections. But there is also the reality that cybercrime is becoming increasingly important. It is no coincidence that cyber risks have been at the top of the list in RM research and queries in recent years. There cannot be a stronger argument to give TPRM the place it deserves.




Financial institutions, too, experience a trend where they are both digitalizing and focusing more on the core business, which leads to more frequent cooperation with so-called third parties. This increases the complexity of the relationships, often with an international dimension. And this raises a lot of questions related to risk and risk management. Despite a lot of rules and regulations, risks related to third parties still too often turn out to be a blind spot. The TPRM Solutions services offered by EY help remedy this shortcoming.
