8 minute read 24 Feb 2020

How to take the sting out of third-party risk management

By Kanika Seth

EY EMEIA Financial Services Consulting Cybersecurity Leader

Passionate about diversity and inclusivity across EY. Lives in London. Enjoys watching cricket. Likes to travel the world with her husband and family.


The development of a data-driven, proactive and action-oriented third-party risk management (TPRM) system could help to provide the solution.

What was once a relatively small risk relating to the exchange of information with third parties has now become one of the top risks for banks and other financial services organizations. Financial services firms are faced with a complex third-party ecosystem and multiple risks requiring management or mitigation. This fact has not gone unnoticed by regulators, who are increasingly interested in TPRM from a resilience perspective.

Although TPRM isn’t new and firms have procedures in place for tackling it, the many complexities and risks now involved mean that a new approach is required. The question is, what should that approach be?

Why is TPRM a priority for financial services organizations?

There are many good reasons why TPRM is currently high on the C-suite agenda. Firstly, financial services organizations use and rely on so many third parties of various types, benefiting from them in multiple ways. As well as outsourced service providers running back office functions with a view to improving efficiency and cutting costs, third parties increasingly offer specialist expertise in innovative areas and provide value-adding services. The third-party ecosystem has become highly complex.

This complexity is exacerbated by the fact that key third parties will typically interact with many different third parties themselves – so building a supply chain that runs to fourth parties, fifth parties and beyond. As a result, we now have the concept of the “Nth party,” representing the ever-expanding supply chain in the modern business environment.

Third parties also exist within the group structures of global companies. A subsidiary based in Europe may be providing core services to other group companies, potentially exposing them to any unmanaged or unmitigated risks. Similarly, with the growth of FinTechs and initiatives such as open banking, many financial institutions are forming new alliances and joint ventures to capitalize on emerging opportunities. Again, these new relationships add complexity to the business ecosystem and to the challenge of effective TPRM.

Another complicating factor that has pushed TPRM up the management agenda relates to the many different types of risk that businesses must now assess and mitigate. As well as the classic data security risk, financial services entities need to consider risks associated with bribery and corruption, modern slavery, human rights, tax evasion and environmental impact, to name a few. The poor performance of a third party in any of these areas could have a damaging impact on the commissioning firm’s brand.

Regulators are also upping the ante in relation to TPRM, as evidenced by the outsourcing guidelines issued by the European Banking Authority (EBA). Local country regulators are developing their requirements too. For example, the UK’s Prudential Regulation Authority is developing its own policy on outsourcing and third-party risk management, inspired in part by the EBA’s activities and the Bank of England’s drive for enhanced operational resilience. Similar initiatives are taking place across the world. Organizations will need to be able to provide suitable answers to regulators’ questions in the future, or face the consequences in the potential forms of penalties and damaged reputations.

What challenges do financial services firms face in tackling TPRM?

A question I like to ask my clients is, who owns third-party risk at board level? This generally proves tough to answer. Allocating ownership is a key challenge for many financial services organizations.

It’s often assumed that the chief procurement officer has responsibility for TPRM. However, the chief procurement officer isn’t the person deciding which outsourced service provider to use or which cloud platform to select. These decisions will be made in the business, with the procurement team then required to facilitate them. Assigning third-party risk ownership to procurement is therefore untenable. That risk should sit with the decision maker – be it the chief information officer, head of operations or other appropriate business leader.

One of the other challenges when allocating responsibility is that the expertise required for TPRM covers three broad areas: business, risk and procurement. However, few individuals have deep understanding across all three – and certainly not enough to handle the third-party risks faced by every organization in the financial services sector.

How to address the TPRM challenge

One approach is to create an internal utility in procurement, able to process all relevant TPRM information and feed this back to the executives who will be making third-party decisions. Relevant information could cover areas such as the associated types of risk, controls and mitigating factors. Decision makers can then use this information before deciding which potential third party should win the contract.

Creating such a utility requires a cultural shift and the implementation of a change management program to ensure that everyone involved understands their roles, responsibilities and the TPRM information produced. Careful thought is also required to pitch the internal risk reporting at the right level. No decision maker will appreciate – or use – a 100-page report. On the other hand, one page of highlights may lack meaningful content.

Finding the right balance requires judgement. This is itself complicated by the increasing number of TPRM information sources available to banks and financial services firms – bringing the danger of information overload. Increasing numbers of service providers now offer data feeds on numerous risk topics such as corporate financial health, changes in ownership or presence on sanctions lists. The challenge for recipient institutions is to find ways to make all the information they receive meaningful.

In the future we expect to see financial services firms adopt an approach to TPRM that is increasingly data driven, proactive and action oriented, drawing on the strengths of machine learning (ML) and artificial intelligence (AI). For example, imagine your business has a key third party based in Chennai. Imagine too that a previous tsunami in East Asia resulted in flooding in Chennai two days later. With this knowledge, if a similar tsunami occurs, it should be possible for an automatic alert to be triggered requiring the business to contact the Chennai third party to ensure back-up capability is in place.

Such an approach is not only proactive, but also action oriented. Rather than simply resulting in pages of information, the TPRM system generates an action request. It ensures that the people in the business with some responsibility for TPRM – who may not be risk experts – understand what they need to do and when they need to do it.

As this new-style TPRM develops, the traditional, direct method for sourcing information – conducting onsite visits and asking third parties to respond to questions covering all relevant issues, from data security passwords through to policies on modern slavery – will gradually be replaced, at least in part. There will always be a need for periodic risk-management assessments, particularly for mission-critical and high-risk third parties. However, low-risk service providers could potentially be managed more efficiently in new, more technology-based and data-driven ways.

Technology is important, and not only in the sense of ML and AI. It is not the only answer, because people and processes are also key. However, the development of an end-to-end technology stack that facilitates TPRM across the three lines of defense would be beneficial. Such an enterprise-wide risk management system would need to link systems from finance to procurement to risk, with the capability to gather all relevant data. It needs to be scalable, flexible and capable of synthesizing all the different data feeds to produce meaningful, actionable information. What we don’t want to see is the development of a new cottage industry in TPRM reporting.

An approach to TPRM that embraces technology could also potentially help to tackle the “Nth third party” challenge. For example, through gathering and analyzing data, it may be possible to map potential risks associated with fourth parties. These insights could be shared with the third parties in the chain between your organization and the fourth parties – helping them to ensure they are obtaining the right TPRM information and so managing risks more effectively.

Alongside increasing use of data and technology, collaboration is another important trend in the TPRM arena. As well as internal utilities, financial services organizations are increasingly exploring the potential of sector-based external utilities to help them manage third-party risks. If firms use many of the same third parties, there is no competitive advantage to be gained from undertaking solo TPRM. Instead, collaborating to share information could make the whole process more efficient and lower cost.

Some of these developments will take time to mature and become widely available or adopted. In the meantime, financial services organizations are encouraged to look again at their current TPRM approach. What activity is your firm undertaking to monitor and manage its third-party risks? How does it report on those risks? And how does this information influence senior management decision making? Answering such questions can help to ensure that the increasingly important TPRM challenge is being properly addressed.

Summary

Third-party risk management (TPRM) is now high on the business agenda, but poses many challenges – from the allocation of ownership to the potential for data overload. Organizational structures and technology solutions have yet to catch up. Looking ahead, the development of data-driven, proactive and action-oriented TPRM systems could help to provide the solution.
