This week, I had the pleasure of chairing day one of the Center for Financial Professionals' conference on Vendor and Third-Party Risk EMEA. The conference brought together insights about the evolution of the discipline as well as some key best practices. Here are my top ten takeaways from the event that I would like to share.
- Third-party risk isn’t just about numbers – it’s about relationships. The complexity of the third-party risk environment is often viewed through metrics such as the number of relationships or contract value. This is changing – focus is now turning to the quality of individual relationships. This evolution is being driven by the business, which in many cases views third parties as strategic partners. Third-party risk programs need to support this perspective with new kinds of data about the relationship, such as performance indicators.
- The definition of a third party is evolving. A decade ago, a third party was simply a vendor. Today, third parties can be affiliates, joint marketers, and intra-group entities, among other things. Third-party risk programs should incorporate these different kinds of organizations, considering the specific challenges each type of relationship brings.
- Ownership of third-party risk is changing. The discipline was once owned by information security, procurement or compliance. Today, the enterprise recognizes that risk assessments cover many risk domains and that an integrated view of each third party’s risk is needed. Thus, third-party management is increasingly owned by the risk management team, and is viewed through the lens of the enterprise or operational risk discipline.
- Third-party risk internal engagement is changing too. Best practice firms are moving beyond viewing the discipline simply as an assurance function. Today at these firms, the first line of defense is actively involved in the detection and management of these risks. At the same time, the third-party risk program is gaining a deeper understanding of the commercial drivers of the business.
- Third-party risk appetites are being created. When the third-party risk program sits within the overall enterprise risk framework, it will have a risk appetite assigned to it. Arriving at a number can be challenging the first time around – firms can use a bottom-up or a top-down approach, or a combination of the two. No matter the approach, the board must sign off on it, and the risk appetite needs to be communicated effectively across the organization.
- Perform risk assessments before contracts are signed. Best practice sees third-party programs becoming part of the RFP or RFI process – getting both disclosure and business requirements in front of vendors early on. This is also a better way to partner with the business, because it reduces the need for third-party risk to “say no” late in the vendor onboarding process.
- Regulators are focusing on business resiliency. In third-party risk and relationships, many regulators now want to see robust business continuity (BCP) or disaster recovery (DR) plans that have been jointly tested.
- Data protection is now also a significant focus. For example, what are your data breach notification requirements? Under the GDPR in the EU the requirement will be 72 hours. Ensure your organization and relevant third parties do “fire drills” to test the process for releasing this information to the regulator within the time required.
- Fourth-party transparency and governance are also receiving attention. Financial services regulators in the US are now asking firms to understand their fourth parties in similar ways to third parties – expect other regulators around the globe to follow suit.
- It’s all about third-party data. A more sophisticated approach to managing third-party risk is very difficult without a robust technology solution that can provide a single source of truth. For example, best practice firms are now triangulating data from self-assessments, scorecards, and external data, such as cyber-risk ratings. Being able to analyze third parties in this way enables the third-party risk program to deliver valuable strategic insights to the C-suite and the board.
I’m also chairing day two of next week’s event in New York – I’m looking forward to exploring some of the regional differences with the attendees there. There was some discussion at the London event about how the Third Party Risk discipline is much more advanced in the US, and that the UK and EU are looking towards their counterparts (and regulators) in that region for best practices. I’d agree with this, and think it is in some part due to the regulation, in particular: the US Office of the Comptroller of the Currency’s OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” issued October 30, 2013, and its Supplemental Examination Procedures for Third Party Relationships issued in January 2017, together with the FFIEC’s Appendix J.
However, in my experience, I’d also add that I think the UK is more advanced in some community and utilities initiatives than their US counterparts. I think Hellios provides a perfect example of this, with their growing Financial Services Qualification System (FSQS) community (https://www.hellios.com/procurement/fsqs.html). This is designed to standardize and manage requests for compliance and assurance data for major financial services organizations that have adopted FSQS, and there was great feedback from their members at the event.