Third party risk management (TPRM) is a relatively new discipline for many financial services firms, so it’s no surprise that organizations are still navigating their way. As firms establish their third party risk programs, there are many common pitfalls they can fall into. Knowing about these helps you avoid them, so Aravo recently spent some time with third party management expert John Bree to expose some of the more common missteps he has seen organizations make when setting up, or enhancing, a TPRM program.

Bree is currently senior vice president and partner at consulting firm Neo Group, based in New York. Previously he was a managing director at Deutsche Bank, where he was the global head of vendor and third party risk management. Bree says that, in his general observations of TPRM as a discipline as well as in his specific encounters with programs at a wide range of individual firms, he has encountered the following five common challenges:
- Confusing supply chain management with outsourcing. Many financial services firms see all third party relationships as being roughly the same, but Bree believes this is flawed thinking. “With the supply chain, you have control over what is coming inbound – if you are building a product, you can check the components that have been supplied and validate them before you use them,” says Bree. “On the [out]sourcing side, primarily firms are taking data that has been entrusted to them and are sending it somewhere to be processed. Once that data leaves their control, they don’t have the ability to pull it back.” It is this very lack of control in an outsourcing relationship that has regulators concerned, he adds. For example, “they are asking, once your firm sends data to a third party, what are you doing to ensure the use of that data remains compliant – not just at the beginning of a third party relationship, but throughout the entire lifecycle?” Many firms do not realize that they remain responsible for customer data after an outsourcing relationship ends, and fail to ensure the data is disposed of correctly by the vendor. It is important for firms to understand how the risks associated with outsourcing relationships differ from those of more traditional vendor relationships, particularly around information security.
- Doing a risk assessment once a year. Or even once every six months. While the financial services industry has made good progress on improving the quality and scope of the questions contained in initial risk assessments, Bree is insistent that these exercises alone are not enough for a good TPRM program. “If a firm is only doing a risk assessment, a regulator is going to look at that and say, ‘You are doing your risk assessment once a year so you have 364 days to fail. Who is monitoring the relationship the rest of the year?’” He points out that regulators have already enforced the idea of continuous monitoring in the “know your customer” space. There, the initial focus was on performing KYC checks during customer onboarding. Today, however, many jurisdictions require some form of ongoing monitoring for changes in a customer’s status that could flag a problem. Regulators are beginning to demand this kind of awareness when it comes to third party risk as well, he says. A wide range of data types can be helpful here – from monitoring traditional and social media for vendor mentions, to keeping an eye on indicators such as a vendor’s employee turnover rate, billing cycle, or credit score. Bree says there is a considerable amount of data that financial services firms have access to today which could be turned into behavioral analytics for TPRM. Firms are also building the right to monitor third party systems that use their data into the initial contracts, so that they have their finger directly on the pulse of the relationship. Bree adds, “You cannot measure things once, which is a ‘point in time’ any longer. Things are moving too fast.” Trending and pattern awareness is essential.
- Putting procurement in charge of third party risk management. Procurement has a very valuable role to play in any major organization – ensuring the firm is getting the right products at the right price, from an approved vendor, says Bree. But then most procurement departments move on to the next project, while the business line is left managing the third party relationship day-to-day. It’s the business – the first line of defense – that needs to own the risks within that vendor relationship, says Bree. The first line of defense needs to work with the second line – compliance and risk management – to ensure it understands the risks inherent in the relationship and that it has controls in place to mitigate them. It’s the function of TPRM to ensure the business is supported in its requirement to monitor and manage risk. “An organization needs to have a strong three lines of defense program, and there has to be a clear understanding of roles and responsibilities,” says Bree. “Procurement cannot monitor all of the different relationships – it’s not effective. It should be the relationship owner, the one who owns the risk, who does that. The second line has to share in any corrective actions, improvements or enhancements that need to take place.”
- Thinking about TPRM at the end of the new product development cycle, or project. Financial services firms are guilty of doing this all the time, says Bree. A division will create a great looking business case and get approvals, only to then discover that there are issues with sourcing some of the vendors. Perhaps the project relies on FinTech and none of the third parties meet certain compliance requirements, or there are problems with outsourcing to certain jurisdictions from a regulatory or risk perspective. Or perhaps it’s just not possible to put cost efficient, adequate controls in place to mitigate the risks created by the relationship. The whole project could be derailed because TPRM was not considered at the outset. “I think collaboration has to start much earlier in our processes, at the beginning of the product or service design lifecycle,” says Bree. “The right people have to be in the conversation at the beginning, working together. If teams can do that, it will solve a lot of the territorial issues around TPRM.” Not having “TPRM by design” baked into product and service development will wind up costing firms more “because they are going to have to start bolting things on to the back, when in reality they could have built in the controls up front,” he adds.
- Failing to identify opportunities through good TPRM. For many firms, “risk management” is philosophically all about preventing downside, when in reality it should also be about creating the opportunity for benefits, says Bree. Within a good TPRM program – particularly one that is rich in the flow of information about third party relationships and has engaged internal stakeholders – it is very possible to identify upside too. “For example,” says Bree, “when service companies or providers are announcing a new program or a new operational approach, shouldn’t a client be able to seize on that as a customer and benefit from that, either through reduced pricing or enhanced services?” TPRM programs that actively monitor traditional and social media for supplier names can, for example, be alerted to this kind of vendor news. Bree adds, “The real-world benefit of TPRM is that you should be able to identify opportunity and accelerate savings.”
Overall, Bree says that these top five challenges could be fixed easily with enhanced collaboration and communication among the different teams within the organization, as well as improved data about the third party relationship. While correcting these errors may, at the moment, be considered “good practice”, in future this good practice is likely to morph into compliance requirements. “The regulators,” says Bree, “are going to continue to be demanding.”
John Bree is a financial industry professional with a proven track record in developing and managing Vendor & Third Party Sourcing Risk Management, AML/CTF, KYC, and Anti-Fraud programs. John has held senior positions in New York, Tokyo, Singapore and London for Citi and Deutsche Bank covering corporate, investment, commercial and consumer banking operations. He has proficiency in developing and implementing analysis, operations, monitoring and investigation systems and processes involving transaction accounts, credit cards, debit cards and online banking.
John has managed global staffs and corresponding budgets in multiple locations and delivered cost-efficient and operationally effective programs ensuring compliance with local and global regulatory requirements. Through interaction with Business Units, Internal Audit and regulatory agencies, he has resolved MRIAs, MRAs and Findings, on time and without penalty.
John is an SVP & Partner with Neo Group, Inc., an international Advisory and Solutions firm supporting major corporations beyond Advice to Outcomes, in the areas of Governance Support and Risk Monitoring, Global Talent, Automation, Analytics, and Process Optimization.