Third party risk management (TPRM) could be set to evolve at lightning speed over the next five years, according to Victoria Munoz-Titos, former EMEA Head of Risk and Control Services at AIG in London. The changes won’t be driven by regulatory demands alone. Rather, they will be propelled by a transformation in the way organizations work together, as financial services firms embed outsourcing and other types of third party relationships ever deeper into their business strategies. Below are the top seven trends that Munoz-Titos sees changing the way firms engage with TPRM and their third party relationships:
- The definition of “an organization” will have changed. Financial services firms are working with third parties in new and innovative ways – whether it’s changing the dynamics of the supply chain or collaborating more closely around customer data. Throw TPRM into the mix, and it becomes clear that the boundaries of where an organization ends and a third party begins are becoming more and more porous, says Munoz-Titos. To succeed in this new environment, firms will need to stop thinking of relationships as “internal” and “external”, and think much more collaboratively – perhaps along a spectrum of engagement – when they work with third parties.
- Third party risk management will become a more specialist and centralized function. TPRM is in its infancy today in most organizations, and so is often a distributed function, she says. Frequently, elements of TPRM are owned by sourcing teams and are closely aligned to the vendor onboarding process. However, “the ongoing management of the third parties, and the identification of the risks, tends to be a business-driven activity that tends to be distributed across a variety of roles and activities throughout the organization,” Munoz-Titos explains. For example, data and cyber security assessments will usually be performed by the IT department, or by outsourced specialist resources. She says that while distributing the required assessments can be a more cost-effective way of doing TPRM, and often means that real subject-matter experts are performing the activities, it has its drawbacks. Key among those is that many of the individuals involved lack experience in third party risk management: they may not have had appropriate risk management training, and may not know to look for things such as emerging risks, risk aggregation or the holistic assessment of risk impact. Munoz-Titos believes that firms will eventually move to hybrid models in which greater emphasis is placed on small, centralized teams with deep TPRM expertise, enabled through technology to harvest and analyze data across the organization. While this may sound like an option that will cost considerably more, she says the reality is that such teams deliver considerably more value to the organization, both through the risks they are able to spot and manage proactively, and through the broader and more holistic insight they can bring to other organizational functions, such as Enterprise Risk Management. It also frees up individuals within the business for other activities.
- Focus will shift from understanding who third parties are, to understanding the drivers of risk. Historically, many firms did not have a centralized view of their third party relationships – these were held at the business level in individual silos. So, the first step for organizations has been to bring together all of their third party relationships into a single catalog. “Typically best practice right now is an organization that has knowledge of its third party network, albeit largely distributed amongst various organizational functions, how those third parties are performing, and how the contracts relate to the most pressing regulatory requirements,” she says. “I would like to think that, in two or three years’ time, the discipline will have evolved, so that TPRM is focused on getting a better up front and holistic understanding of the drivers for risk, in relation to the various topics that matter in those relationships.” For example, she says, it could lead to better understanding the impact of geographic or political risk on an outsourcing relationship in a different country, or how a vendor’s investment in cybersecurity infrastructure could enhance partnership potential. “It’s this sort of intelligence that could help TPRM drive value for the business.” She adds, “clearly there is a lot of work to do.”
- All firms will have TPRM risk appetite statements, and be using them. Today, says Munoz-Titos, some organizations create TPRM risk appetite statements using a sort of “finger in the air” approach, if they have one at all. Instead, the TPRM risk appetite should contain carefully considered areas of potential risk that are specific to the individual firm. The statement should also be aligned to and supportive of the overall strategic objectives of the firm. In addition, the risk appetite needs to be reviewed and maintained, and the individual elements of it must be quantified – and then benchmarked regularly against the firm’s actual performance. This performance should then be reported back to the board and senior management so that the results are fed into strategic decision-making. She adds, “structuring a risk appetite program in this way will drive real insight for leadership.”
- The definition of performance will move beyond metrics. Scorecards, as firms currently use them, can often be narrowly defined, incorporating just a couple of key performance metrics that are usually embedded in the contract. They are, essentially, contract validation tools, she says. Firms should start to use scorecards to define the value of the third party relationship in a broader sense, incorporating a wider range of risk and performance information to obtain a more holistic view of the overall relationship. She adds that TPRM programs should be supplementing scorecard reviews with collaborative conversations with the vendor, to better understand the new areas of service and value creation opportunities that can enhance the organization, as well as the overall relationship. “Today the large majority of firms are very much focused on contracts as a transactional tool,” says Munoz-Titos. “It’s a very short-sighted and narrow view of how a third party should operate within a firm. If firms implemented their third party risk programs in a more effective and collaborative manner, it would provide a huge opportunity for the firms themselves as well as for the third parties to create greater customer value.”
- TPRM teams will be better at communicating the value they bring to their organizations. “It’s really about opening up people’s minds, particularly at the most senior level, to realize that TPRM is not just about tracking the here-and-now contract terms,” says Munoz-Titos. “It’s about getting senior management and the board to understand that if the way the organization handles its third party relationships goes beyond the compliance basics, there is actually quite a lot of commercial value that could be extracted.” Reporting to the board should focus on how third party relationships are contributing positively, or else are creating constraints or risks for the company that will impact the way the company achieves its objectives and meets its customer needs. Having a good risk appetite framework in place can make this easier to deliver on. Encouraging more collaborative relationships with third parties can also generate more information to provide enhanced decision-making context to senior management and the board.
- Good technology will be considered a basic requirement for a TPRM program. “Relying on people to capture TPRM data in spreadsheets and analyze manually is totally ineffective, as well as very short-sighted,” says Munoz-Titos. “It’s very inefficient, and can often be relying on people to do the work who do not have the appropriate analytical skills.” In short, using manual means to collect TPRM data creates its own forms of operational risk, something regulators are already very aware of. Reducing operational risk is not the only benefit of technology, however. An advanced TPRM program should take full advantage of good technology to bring together and analyze volumes and types of data that would be impossible to manage manually. Technology also accelerates the ability of the organization to increase awareness and understanding of TPRM, and to act promptly upon that understanding in line with the organization’s goals, she says. It also enhances the ability of the organization, and its third parties, to communicate and collaborate.
Munoz-Titos is optimistic about the overall direction of TPRM, even though the discipline is still in its early days. “Like many other areas in life, you cannot run before you can walk,” she says. Establishing solid foundations and putting in the preparation is key, and this is the stage that many firms are at. But, as firms evolve their approach, she says, “closer collaboration, better communication, and other changes will give TPRM programs the sustainability they need.”
Victoria Muñoz-Titos, MBA, MSc, AIRM
Third Party Risk Specialist and former EMEA Head of Risk and Control Services at AIG
Victoria has more than 20 years’ experience working within large financial services organizations. She has a wealth of knowledge in the end-to-end lifecycle management and risk mitigation of third parties, built initially in the UK and subsequently across the EMEA context. Victoria has worked as a thought leader behind the development and implementation of risk management methodologies across various organizations. She often presents in industry forums on the subjects of third party risk management, risk appetite and enterprise controls assurance.