Third party risk management is on a journey. A journey that is being accelerated and guided by increased regulatory attention.
Nowhere is this more apparent than in financial services. In some respects, the financial services industry has had to play catch-up on this journey. It hasn’t had the head start that many other industries with critical supply chains have had, which has seen the emergence of increasingly sophisticated supplier risk and performance management programs, including those at leading brands such as Unilever, Procter & Gamble, Nike and GE.
However, banks have shifted a significant part of their operations to outsourcing and fintech, introducing additional risk into the global financial system. With so much personal and financial data at stake, and the volume of business taking place digitally, cybersecurity – and the exposure third parties and suppliers bring with them - is an additional dimension of risk for the industry and the consumer. And the regulators are paying attention.
This has meant that financial services firms have had to turn considerable attention to third party risk and mature their associated programs fast. The OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance, issued October 30, 2013, was a clear and coherent message from the regulator that third party risk management was to be taken seriously by banks, right up to the board.
Third-party relationships may increase a bank's exposure to operational risk because the bank may not have direct control of the activity performed by the third party. Operational risk can increase significantly when third-party relationships result in concentrations.
OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance
Risk Management Frameworks
In order to be effective, third party risk management needs to be embedded into the DNA of a business and its operations. Recognizing this, supervisors are asking firms to create frameworks for their third party risk programs that are aligned in philosophy and structure with their overall approach to enterprise and operational risk. This includes creating a third party risk appetite, incorporating third party risk information into strategic decision-making, performing analysis and undertaking corrective actions, as well as ensuring there is proper assurance and oversight.
Third Party Risk & Operational Risk
In financial services firms, this has led to third party risk increasingly being seen as an extension of operational risk, and consequently falling under the ownership of this function. Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.
However, with this trend to locate third party risk within the context of operational risk, it is also important to recognize that third party risk has its own distinctions and requirements as to how it is managed. Aravo’s latest whitepaper, Third Party Risk – A Unique Kind of Operational Risk, outlines five key differences between third party risk and traditional operational risk that should be taken into consideration:
- As a specific type of operational risk, third party risk has received unprecedented regulatory and legislative focus.
- Significant engagement with entities outside the core organization is required.
- Third party risk programs must be engaged with other internal stakeholders, and information types, at an intensive level.
- Reporting for third party risk can be much more complex.
- Third party risk management needs to be integrated directly into the business workflow.
The white paper provides insight into these differences and where people, processes and technology can align, but also where unique requirements should be taken into account.
Technology that supports third party risk management and the automation of its processes, is a central consideration here.
The OCC guidance states:
“Use of third parties reduces management’s direct control of activities and may introduce new or increase existing risks, specifically, operational, compliance, reputation, strategic, and credit risks and the interrelationship of these risks. Increased risk most often arises from greater complexity, ineffective risk management by the bank, and inferior performance by the third party.”
With this in mind, it stands to reason that technology solutions need to be able to:
- deal with the increased complexity that third parties (and fourth, fifth etc.) represent;
- provide effective (and dedicated) third party risk management capabilities across multiple risk categories, and;
- monitor and assess the performance of the third party (as well as risk and compliance).
Yet, very often firms try and manage their third party risk programs through their existing operational risk management technology. Which, when considering the criteria above, falls short. Further, third party risk managers, business line users and third parties themselves (in the assessment process) often report that existing operational risk systems are clunky and unintuitive which can affect optimal use and adoption.
Instead, firms would be well served considering how they can integrate best of breed third party risk technology into their operational risk system so they are using the right tools designed for the job. System integration is key in third party risk, with the requirement to integrate with multiple systems such as ERP, accounts payable, procure to pay and enterprise risk platforms.
Putting it into practice
While many best practice financial institutions are shifting their third party risk program to sit within their overall enterprise or operational risk management team, it’s important to be realistic about how these disciplines are similar, and how they can differ in their requirements. Third Party Risk – A Unique Kind of Operational Risk will help you recognize and navigate key points of convergence and divergence, and also provides best practice approaches to essential, intermediate and advanced reporting requirements.
For more information about Aravo solutions for Third Party Risk Management, please contact us.