Whetting the Appetite in Third Party Risk

A snapshot of the results of two new audience surveys suggests that the concept of “risk appetite” within the third-party risk management framework is still finding its feet. Attendees at a pair of June conferences in New York and London, aimed at the financial services industry’s third-party risk professionals, responded very similarly to three key questions.

Just over half of respondents (57% in the EU and 56% in the US) said their organizations have implemented third party risk appetites. This is in spite of quiet regulatory urgings on both sides of the Atlantic to do so, and probably reflects the fact that in many organizations, third party risk management sits outside of the operational risk team – with compliance, procurement, operations, or another group. Increasingly, financial services firms are relocating third party risk within operational risk management, however – and as this trend continues, the number of firms with an explicit third party risk appetite that sits within their overall enterprise risk management framework is expected to rise.

Of those firms that are putting a third party risk appetite in place, most are in the early days of implementation. In both the US (55%) and the EU (67%), the majority of firms said their organization’s level of maturity was “emerging”. Just one-third in both regions said their programs were “established.” No firms claimed their programs were “advanced” and only 2% in the US said their program was “leading” – no one from the EU did.

Given the early stages most programs are at, just how is “third party risk appetite” being defined? One possibility is “The amount of risk resulting from relationships with third parties that the organization is willing to take in pursuit of its strategic objectives.” Another potential definition could be: “Third party risk appetite is the level of this type of risk a firm is willing to assume in its exposures and business activities, given its business objectives and obligations to stakeholders.” The industry has yet to come to agreement on a single definition of the concept.

Approaches to implementation also vary. Some firms at the events said they were, at least initially, choosing to build their third-party risk appetite in a “top-down” way, alongside their implementation of a new board-level governance structure. Other firms are creating their appetite in a bottom-up fashion, using third party risk management data as a foundation. Still others are beginning to use a more hybrid approach, incorporating the strategic elements of the “top-down” methodology with the data-driven focus of the “bottom-up” approach.

All three approaches require a strong risk governance framework – including board and senior management governance structures as well as data governance. Such a framework needs investment of individuals and resources – so perhaps it’s not surprising that firms are seeking to build commercial value into their programs, as well as regulatory compliance.

In fact, one-third of EU respondents and 22% of US respondents say that the main factor driving their organization to consider a third-party risk appetite is a belief in the commercial value of an advanced third-party risk management strategy. An additional 14% of US respondents said internal efficiency drivers were behind their third-party risk appetite program (none did in the EU).

Compliance remains a strong reason for the implementation of this program on both sides of the Atlantic, however. Half of EU respondents said it was the driver behind their program, while 29% in the US agreed. Additionally, 8.3% of EU respondents said “internal compliance factors” were pushing their program forward, while 29% in the US cited this factor. This is with good reason – it’s important for organizations to follow the regulations that supervisors are publishing closely, and ensure adherence as they build out their programs.

In the EU, the survey questions were created by Victoria Muñoz-Titos, the EMEA head of risk and control services at AIG in London, as part of her presentation on third party risk appetite. They were replicated and asked of the US attendees by Anna Mazzone of Aravo Solutions.  

While the sample sizes were relatively small (55 for the US), the surveys present an interesting snapshot of a point in time.

 
