4 minute read 24 May 2018

Five health checks for third-party risk management in 2018

By

Matthew Moog

EY Global Third-Party Risk Leader in Financial Services

Passionate about the most valuable asset, EY people. Firmly believes in the current campaign of asking better questions to get better answers.

4 minute read 24 May 2018

Financial institutions are improving how they manage risks, but technology and regulatory changes keep ratcheting up the challenges.

The global financial crisis of 2008 put the spotlight on how risk is managed in our financial institutions and increased the scrutiny around how financial services organizations engage with and manage third parties. The result has been significant improvements in third-party risk management (TPRM) practices, particularly in the US.

Our sixth annual global financial services third-party risk management survey (download the PDF) shows many companies are continuing to make upgrades to the governance and oversight of this function. But it’s also clear challenges remain, indicating that many financial institutions could benefit from five key health checks:

1. Are your technologies and tools integrated?

Technology improves banks’ ability to spot third-party risks quickly — but only if leaders have a clear view across their digital landscape.

Almost all (96%) financial institutions we surveyed said they had a ways to go to truly integrate the different technologies and tools used to manage third-party risks. Only 20% felt positive about their levels of technology integration.

Emerging technologies are expanding both the amount of data held by third parties and financial institutions’ reliance on technology that sits beyond their walls, including on cloud platforms that may have been externally developed.

Balancing this technology with niche internal systems is challenging but critical if organizations are going to capture all risks and get one clear view of their world.

2. Is it clear who ‘owns’ TPRM?

In many financial institutions (37%) TPRM sits in procurement — though there is no clear consensus in the sector around where the function resides. However, a single point of contact is important to confirm that everyone is clear on who is setting TRPM strategy, giving direction and making certain that expectations are met.

Where a function sits is less important as long as the right skills are there to support the function, it is aligned to the business needs and, most importantly, has strong leadership.

3. Is your board aware of third-party breaches?

Most financial institutions (81%) find it easy to report on critical third parties and about 60% are engaging senior management when breaches occur. This improved governance is an encouraging sign of the growing maturity of TPRM, but surprisingly, less than one-third of organizations report critical incidents to the board.

Most boards are experienced with and understand third-party risk. It’s important that the board has meaningful information around threats so it knows where critical risks to the organization may lie.

4. How deep is your knowledge of risks from fourth parties?

Financial institutions’ understanding of fourth parties is increasing. As more organizations outsource business functions, their dependence on the vendors of these companies, which may include huge corporations as well as sole proprietors, creates risk. But 60% of the organizations we surveyed said they don’t maintain an inventory of their fourth parties and nearly all rely on their third parties to perform due diligence on these companies.

Understanding fourth-party risk goes beyond just listing those companies on an inventory, and the most mature organizations are pinpointing exactly where their data goes and how far it goes — often, fifth and sixth parties are involved, especially with the use of cloud platforms.

Getting a picture of this “neural network” of providers and seeing where the dependencies are can help identify where risk is concentrated in the business, what may be the critical failure points and where data leakage could occur.

5. How are you planning to meet greater regulatory requirements around data?

All the organizations we spoke to said that they had work to do to implement the EU’s new General Data Protection Regulations (GDPR) around informing EU residents of why and where their personal data is held by a third party.

It’s an issue financial institutions must come to terms with quickly, as GDPR is evidence of how the bar around protecting third-party data is constantly getting higher.

Keeping this data safe and secure is also a growing challenge, with about half of the financial institutions we surveyed saying they had experienced a data breach or outage caused by a third party.

Our survey revealed that cybersecurity breaches and outages from third parties are common among financial institutions. In fact, three-quarters (or more) of organizations that have one third-party breach or outage are typically subject to multiple breaches or outages.

While most of these events have minimal impact and are addressed immediately, the risk of damaging breaches or outages is very real. The companies that have done well to address these have practiced how they’re going to respond. They have a plan with a clear framework around when and how to execute it, and an understanding of how to communicate a consistent message to the public and to media.

Ongoing process of improvement
Most financial institutions are maturing their TPRM functions, in response to both regulatory pressure and consumer demands. But the complexity of managing third-party risk will only increase — regularly taking the pulse of this critical function will help banks, asset managers and insurance companies keep threats in check.

Summary

As the complexity of managing third-party risk continues to increase, financial firms must regularly assess this critical function.

About this article

By

Matthew Moog

EY Global Third-Party Risk Leader in Financial Services

Passionate about the most valuable asset, EY people. Firmly believes in the current campaign of asking better questions to get better answers.