The global financial crisis of 2008 put the spotlight on how risk is managed in our financial institutions and increased the scrutiny around how financial services organizations engage with and manage third parties. The result has been significant improvements in third-party risk management (TPRM) practices, particularly in the US.
Our sixth annual global financial services third-party risk management survey shows many companies are continuing to make upgrades to the governance and oversight of this function. But it’s also clear challenges remain, indicating that many financial institutions could benefit from five key health checks:
1. Are your technologies and tools integrated?
Technology improves banks’ ability to spot third-party risks quickly — but only if leaders have a clear view across their digital landscape.
Almost all (96%) financial institutions we surveyed said they had a way to go to truly integrate the different technologies and tools used to manage third-party risks. Only 20% felt positive about their levels of technology integration.
Emerging technologies are expanding both the amount of data held by third parties and financial institutions’ reliance on technology that sits beyond their walls, including on cloud platforms that may have been externally developed.
Balancing this technology with niche internal systems is challenging but critical if organizations are going to capture all risks and get one clear view of their world.
2. Is it clear who ‘owns’ TPRM?
In many financial institutions (37%) TPRM sits in procurement, though there is no clear consensus in the sector around where the function resides. However, a single point of contact is important to confirm that everyone is clear on who is setting TPRM strategy, giving direction and making certain that expectations are met.
Where the function sits is less important as long as the right skills are there to support it, it is aligned to the business needs and, most importantly, it has strong leadership.
3. Is your board aware of third-party breaches?
Most financial institutions (81%) find it easy to report on critical third parties, and about 60% are engaging senior management when breaches occur. This improved governance is an encouraging sign of the growing maturity of TPRM, but surprisingly, fewer than one-third of organizations report critical incidents to the board.
Most boards are experienced with and understand third-party risk. It’s important that the board has meaningful information around threats so it knows where critical risks to the organization may lie.