Earlier this month, I attended and chaired at the Center for Financial Professionals' (CEFPRO) Vendor and Third-Party Risk USA conference in New York. The two-day event highlighted the complexity that third-party risk managers face, with topics ranging from cyber-risk at fourth parties to applying third-party risk frameworks to intra-company organizations. It also demonstrated that the discipline has to evolve and mature quickly to keep pace with the changing digital landscape and with ongoing regulatory change. Here are my top takeaways from the event, which I hope you will find of interest.
- Maturity – As we also found at the UK event, there is a great deal of variance in the development and maturity of third-party risk programs. In New York, we put the question of program maturity to the audience as a poll. Most US organizations do not consider themselves to have "leading" programs: less than 2% selected that option. One third say they have "established" programs, the majority (55%) describe their programs as "emerging", and one in 10 indicated they are only just "aware" of third-party risk management as an issue. Those early in their maturity tend to be hampered by a lack of automation, with many still working from basic tools such as spreadsheets and SharePoint.
- Ownership – Ownership of the third-party risk management program within financial services firms is decidedly mixed. Operational risk teams had the highest share of ownership, at 27%, but that is far from a majority of firms. At 25% of firms, third-party risk sits within procurement, and at 20% it rests within either the chief operating officer's structure or a business line. Compliance owns the function in 16% of firms, and at 11% it belongs to other teams entirely. There appears to be a shift in financial services firms towards situating the third-party risk team within operational risk, so that the discipline sits within the firm's overall approach to enterprise risk, which makes sense. An observation of mine, shared by colleagues who also attended, is that the development of third-party risk management parallels what we saw in the early days of operational risk management.
- Scorecards – Third-party risk programs are beginning to make inventive use of these traditional risk management visualization tools. Some organizations indicated that they actively share a strategic third party's scorecard results with that third party, with the intent of working together to raise performance and to provide the insight and joint action plan needed to further de-risk the relationship. This is a trend towards a much more collaborative relationship with the supplier. Other firms said they are turning scorecard results into an internal incentive tool for their supplier portfolio managers, effectively linking third-party risk and performance to objectives and KPIs (and tapping the motivation of a competitive spirit: no one likes to see a poor scorecard result when compared against their peers).
- Intra-Company 'Third Parties' – Several presentations mentioned or focused on how organizations are applying their third-party risk framework to intra-company organizations, both to comply with current regulatory guidance and to ensure those organizations operate to the standards of the firm's third-party risk framework. Some firms have formed regional boards to provide third-party governance oversight of their intra-company relationships. Others have applied their third-party metrics to these related organizations and shared the outcomes to enrich collaboration across the relationship. Firms are also looking much more closely at the suppliers these intra-company organizations use, and are requiring greater transparency about these fourth parties, which may have been more opaque in the past.
- Fourth Parties – Speaking of fourth parties, transparency efforts now extend beyond them to fifth, sixth and nth parties, in no small part because understanding, and applying the appropriate level of due diligence to, a supplier's suppliers is getting more attention from regulators. For many organizations these can be a significant source of many different types of risk, including concentration risk: many technology suppliers, for example, may use the same cloud hosting provider. Gaining that visibility can be problematic, however, since it may require changes to contract terms not just between the firm and the supplier, but also between the supplier and the fourth party. Operationalizing this level of transparency down the supply chain may take time, but organizations say they are beginning to realize the importance of obtaining it.
- Risk Appetite – At the London CEFPRO event, risk appetite featured significantly on the agenda, and Victoria Munoz-Titos of AIG ran an insightful audience poll asking who among the attendees had implemented a third-party risk appetite framework at their organization, and what the driving forces behind it were. We thought it would be interesting to replicate it for the US audience and compare the results, which are outlined below:
  Has your organization implemented a third-party risk appetite?
  What are the main factors driving your organization to consider a third-party risk appetite?
  - Belief in the commercial value of an advanced third-party risk management strategy
  - Internal efficiency drivers
  - Internal compliance factors
- Playbooks – No matter how good a third-party risk management program is, things can and will go wrong. When they do, firms and their suppliers should have a playbook in place so that both parties know what needs to be done in identified scenarios. These are particularly important for vendors that could be affected by cyber-attacks, which is almost anyone in this day and age. A recent example of the impact these can have is the WannaCry ransomware outbreak, which disrupted a significant number of companies and government organizations for several days. Having a playbook to follow in such a crisis makes things run much more smoothly when the pressure is on, and ensures there are tested lines of communication and escalation procedures between you and the vendor. This corresponds to an increased focus on, and expectation of, cyber-resiliency from regulators. It will become even more important once GDPR comes into effect, under which a personal data breach must be reported to the supervisory authority within 72 hours of the firm becoming aware of it, so vendor notification and escalation paths need to work inside that window.
- Internal Audit – Partnerships between internal audit and third-party risk are developing, but need more focus. Audit teams are a valuable partner, and there is merit in having them review your program, especially where there is clear guidance on what examiners will assess against. Yet nearly six in 10 respondents to a poll we conducted said they had not reviewed the Office of the Comptroller of the Currency's Third-Party Relationships: Supplemental Examination Procedures with their audit team, and the majority had not asked internal audit to conduct a preliminary assessment of the third-party risk program either. Some attendees expressed frustration that they had sought engagement with internal audit with little success, because it had not been considered a priority. The general consensus was to make sure the audit team understands that third-party risk has visibility at Board level, in order to inspire a more active partnership.
- The Board – Third-party risk has landed firmly on the agenda of many boards, although not all. Deloitte found that TPRM features consistently or periodically on the board agenda of 62.6% of financial services organizations. This reflects the experience of many attendees, who indicated that they report to their boards on third-party risk at least quarterly; a smaller proportion present only annually, or not at all. It was generally agreed, however, that board interest is growing rapidly, driven by concern over the reputational risk that can result from third-party actions. As a consequence, boards are going to expect a greater depth of information about third-party risk, more frequently, and organizations will need to ensure they are appropriately tooled to provide timely and accurate reporting.
- Regulatory Tensions – Some speakers and attendees described tensions with supervisors between how third-party risk management rules have been drafted and the reality of the risks firms face. Some firms are concerned about a one-size-fits-all approach being adopted by some regulators; others pointed out that financial services firms engage in a broad set of businesses, so third-party risk rules need to be flexible enough to adapt to them. There was feedback that individual supervisors need to understand the risks distinct to particular business operations, and to be more open to the judgment of the experts who run those businesses.
There was also discussion of both the European GDPR (General Data Protection Regulation) and the NYDFS cybersecurity regulation (23 NYCRR Part 500). Both impose far-reaching obligations to protect the personally identifiable information (PII) of your customers and employees. You can learn more about GDPR in our previous blog post, and more on state and federal focus here.
Regulations such as these increasingly require an understanding of third-party operating controls for managing PII and non-public information, the right to be forgotten (under GDPR), and an incident response plan (see the Playbooks in point 7 above) to rapidly report any breach of customer information to executive management, the Board and the regulator: GDPR requires notification of the supervisory authority within 72 hours of becoming aware of a breach, and NYDFS requires notice to the superintendent within 72 hours of determining that a reportable cybersecurity event has occurred. Both regulations, and in particular the EU GDPR given the size of its financial penalties, need to be on the Board agenda.
- Cybersecurity Insurance – Financial services organizations are increasingly turning to cybersecurity insurance to help protect themselves from business losses resulting from an attack. These firms are finding that a good grip on the potential cyber-risks posed by their third- and fourth-party vendors helps in discussions with insurers about the scope and cost of such policies. Essential to this approach is robust and timely reporting of potential threats.
Finally, as I noted in my blog about the London CEFPRO event, community models (or utilities, as they are sometimes called) were not a topic at the New York event, which likely reflects that they are not as developed in this market. There is progress being made, however, and a recognition of the value of standardization, highlighted by the great work that Shared Assessments is doing. One thing the US can look to the UK for and learn from is communities: there are active and growing communities in place there. The Hellios Financial Services Qualification System (FSQS) is one such progressive community. FSQS is already used by six UK banks: Lloyds Bank, Metro Bank, TSB, Santander, Shawbrook Bank and Aldermore Group PLC. It is designed to standardize and manage requests for compliance and assurance data for adopters.