As uncertainty increases, how can third-party risk management evolve?

Authors

Vignesh Veerasamy

EY Americas Advisory US-West Risk Transformation Leader, EY Global and EY Americas Third-Party Risk Management Commercial Lead

Strategic thinker. Complex-problem solver. Innovation enthusiast.

Matthew Moog

EY Global Third-Party Risk Leader in Financial Services

Passionate about the most valuable asset, EY people. Firmly believes in the current campaign of asking better questions to get better answers.

Kanika Seth

EY EMEIA Financial Services Third-Party Risk Management Solution Leader

Experienced financial services professional, leading third-party management. Passionate about diversity and inclusivity across EY. Cricket enthusiast.

6 minute read 22 Apr 2020

Show resources

Current global uncertainty is a reminder of the increasing complexity of managing third-party risk. Are existing programs keeping up?

The rapidly evolving threat around the COVID-19 virus is raising concerns globally about the resilience of enterprises. One potentially overlooked vulnerability? The increasing dependence on third parties. The interconnectedness of today’s business environment and the use of external vendors – from supply chains to the delivery of critical business services – poses a risk of disruption that can result in significant revenue loss. Some 40% of organizations have experienced a data breach caused by a third-party, while half have suffered an outage, according to our upcoming survey of global third-party risk management (TPRM). Incidents such as these are only expected to increase during the pandemic as work environments and control structures are disrupted.

Organizations need to evaluate their resilience strategies and plans, including the ability of critical offshore operations and third parties to continuously support important functions. Among the functions that should be assessed and potentially strengthened are product delivery and support, IT, human resources, payroll, financial reporting and cybersecurity. Companies must also be alert to hidden third-party risks, such as concentration risks around vendors’ use of mobile apps to support remote working.

Balancing the risks and benefits of using third parties to deliver business services has always been key and during a crisis, the risks can be significantly heightened. Current TPRM approaches may prove to be insufficient, both during and after the crisis.

As a result, organizations will need to review their TPRM operating models and challenge the status quo. This may include centralizing the TPRM program or using a managed services provider, both of which may lead to increases in effectiveness and efficiency.

Centralized approach

58%

of financial services firms have implemented centralized structures.

Enterprise action steps

  • Now:
    Businesses experiencing pandemic-related third-party disruption will want to identify and mitigate the immediate resiliency risks linked to critical and tier one third-party relationships. These include the ability to: operate under significant stress for prolonged periods of time; safely and securely move to a remote working environment; and adequately address financial stability concerns.
  • Next:
    As conditions stabilize, companies should carefully monitor these parties to understand their resilience throughout the period of disruption.
  • Beyond:
    After the crisis, organizations can use the lessons learned from COVID-19 to review the effectiveness of their TPRM and minimize future risks to vendor operations. Risk leaders may ask themselves if their current programs are keeping up with the complexities of today’s business ecosystem, and whether they should pursue new approaches or resource models.

Fragmented TPRM can be more challenging in a crisis

The increasing reliance on third parties means that managing the associated risks is already high on the C-suite agenda. Many companies, however, still take a fragmented approach with responsibility spread over different departments, creating uncertainty around their overall risk exposure. Lacking a single view of risks across the third-party population makes it harder to aggregate, escalate and take necessary action. It also means C-suite leaders spend more time gathering relevant data instead of focusing on innovation and growth.

Businesses may also be challenged to find talent with deep, sophisticated knowledge across three broad areas – business, risk and procurement. Without it, they may struggle to assess their true exposure to third-party disruption. Consider these key questions to determine your organization’s third-party resilience during a crisis:

  • Which third-party business support can you not afford to lose?
  • Are your critical and tier one third parties (including dependencies with nth parties) prepared and able to support your organization’s essential functions and operations during a crisis or disruption?
  • Can you identify how many contracts, third parties, employees and other key relationships might be affected?
  • Do you know how your third parties continuously provide services remotely, while keeping your organization’s data secure?
  • How do the “force majeure,” hardship or exclusivity clauses in your standard terms and conditions or key contracts apply in various crisis scenarios?

Challenge the status quo

If current TPRM programs do not efficiently and effectively mitigate risks, it may be time to consider another way. Risk leaders are realizing that a proactive, centralized approach can better manage third-party risks in a way that delivers the growth, confidence and trust needed to strengthen the business.  According to EY’s global TPRM survey, 58% of financial services firms have implemented centralized structures with another 38% having at least some sort of hybrid function. For many, there is still a way to go to effectively protect the business.

Risk leaders are realizing that a proactive, centralized approach can better manage third-party risks in a way that delivers the growth, confidence and trust needed to strengthen the business.

Risk leaders are realizing that a proactive, centralized approach can better manage third-party risks in a way that delivers the growth, confidence and trust needed to strengthen the business.

Organizations are using a variety of approaches to manage TPRM. An internal centralized utility is one example. The benefits of a utility include the ability to: conduct third-party assessments on behalf of the business units; aggregate distributed data; manage the underlying technology; and oversee complex or enterprise critical suppliers and their footprint across the global organization.

An internal utility can also process and package all relevant information for use by the executives making third-party decisions. Still, many organizations have found building the internal expertise, technological capabilities and governance to make this work requires a significant investment and major culture shift.  The challenge is how to achieve and sustain this over time given the rapid evolution of risk, the advancement of technology and the increasingly complex regulatory environment.

Outsourcing third-party risk management to a managed services provider is another approach gaining traction. Our survey revealed that 41% of financial services organizations expect to adopt a managed services approach to TPRM over the next 2-3 years. They cite three reasons driving this shift:

  • Specialist expertise available on demand.

Top talent with a deep understanding of TPRM is hard to find and expensive to keep. When companies outsource TPRM to a managed services provider, they have scalable, flexible access to global teams of specialist expertise, which can be more cost-effective.

  • The latest technology and data-driven methods.

Third-party risk management is increasingly data-driven, proactive and action-oriented, drawing on the strength of machine learning and artificial intelligence to respond quickly to threats, including those posed by fourth and “nth” third parties. But continual investment in these technologies – and the workforce to run them – is difficult for an organization to sustain. Collaboration with the right managed-services provider can give organizations access to the latest and most effective cloud-based technology, advanced data-driven analytics and the confidence that data is always used in accordance with compliance obligations.

  • Tried-and-tested processes proven to reduce risk.

Many companies are still relatively new to the world of third-party providers: 52% of survey respondents indicated they had run TPRM programs for three years or less. In contrast, TPRM managed-services providers draw on many years of experience running complex programs enabled by proven processes and methodologies.  

Depending on an organization’s needs, a managed services provider can either oversee the entire TPRM function or take on specific elements, such as performing the inherent risk profiling, executing TPRM assessments, conducting findings management and even the deployment and maintenance of a TPRM technology platform. 

Managed services

41%

of financial services organizations expect to adopt managed services in TPRM over the next 2-3 years.

Optimized TPRM is a business confidence boost

Third parties are increasingly integral to modern business. The benefits they bring can be enormous, including specialist knowledge and cost efficiencies, but as COVID-19 has shown, so too are the risks to operational resiliency when they are unable to perform their role. If current TPRM approaches are no longer fit for purpose, they may expose the business to heightened risk, particularly in a crisis. A more centralized approach, either internally or using a managed services provider, may more effectively and efficiently manage the complexity of third-party risk and deliver the freedom and confidence to drive the business forward. 

Summary

The impact of COVID-19 on supply chains and operations has revealed gaps and fragmentation in some organizations’ approach to third-party risk management.  Once the immediate crisis eases, businesses should reassess whether a centralized internal facility or external managed services provider are the more efficient, effective solutions. 

About this article

Authors

Vignesh Veerasamy

EY Americas Advisory US-West Risk Transformation Leader, EY Global and EY Americas Third-Party Risk Management Commercial Lead

Strategic thinker. Complex-problem solver. Innovation enthusiast.

Matthew Moog

EY Global Third-Party Risk Leader in Financial Services

Passionate about the most valuable asset, EY people. Firmly believes in the current campaign of asking better questions to get better answers.

Kanika Seth

EY EMEIA Financial Services Third-Party Risk Management Solution Leader

Experienced financial services professional, leading third-party management. Passionate about diversity and inclusivity across EY. Cricket enthusiast.