Earlier this week we published the results of a survey that we conducted with the Center for Financial Professionals. With over 200 respondents from around the globe, the survey was designed to take a snapshot of the state of third-party risk management, and to help firms develop their road-map to maturity, and support with planning, resourcing and direction.
The survey provided a great deal of insight, and we’ll be taking a deep dive into some of the results together with the implications for TPRM programs over the coming weeks.
We will also share the results of some polls that we conducted at the CEFPRO Vendor & Third Party Risk Conferences in New York and London where we launched the results. These provide an interesting cross-Atlantic comparison between peers.
But first to the survey results – which revealed gaps between regulatory expectation and the reality associated with third-party risk programs. What looks good in theory, is often a lot harder in practice.
Key results from the survey include:
Most organizations are at a relatively early stage of their program maturity – two-thirds of respondents report their programs were developing, defined, or in the initial stages of maturity. Just 5% reported that their programs were optimized, with the remaining 28% stating that their programs were established. Many organizations lack dedicated resources or have only small teams, for what is becoming an increasingly complex, dynamic, and scrutinized function.
Managing and maintaining a full inventory of third parties
Regulators, including the Office of the Comptroller of the Currency (OCC), expect firms to have a complete inventory of all their third party relationships. Yet, what is seemingly the most basic of expectations – knowing who all your third parties are – can be a challenge. The survey found that 6% did not know how many third parties they had, and that 75% did not have all their third parties in a single inventory. Incomplete and multiple inventories make reporting on third parties difficult, with the vast majority at 72% of respondents indicating they would be unable to produce a complete report of all their third parties quickly.
There is an expectation that banks should conduct due diligence on all potential third parties before selecting and entering into contracts or relationships, and that they perform ongoing monitoring once the contract is in place. The survey found that 73% of respondents had not conducted initial due diligence on all their third parties, with 32% having conducted initial due diligence on fewer than half of their third parties. Only 17% are conducting on-going due diligence on all their third parties. 4% are not conducting ongoing due diligence at all.
The OCC has made it clear that banks should design compensation programs to attract and retain qualified personnel, align with strategy, and appropriately balance risk-taking and reward. The survey revealed a wide range of salaries across the profession and the globe. Average salaries for those in the industry were $75,119 for Managers, $118, 037 for Analysts and $199,648 for those at the SVP, VP, or Director level. The global range however was significant, ranging from $33,745 to $725,000.
Funding and budgets
Control functions are expected to have sufficient resources, yet the survey found around a third of respondents do not believe that they have an appropriate level of funding for the people (skillset and coverage), tools (technology and content sets), and innovation and continuous improvement required for their programs to be successful. However, four out of ten respondents are expecting to see increases in their budgets for the next 12 months, and half of the respondents say that the budget will remain the same.
A growing concern among regulators is that consolidation among larger service providers has increased third party concentration risk, in which a limited number of providers service large segments of the banking industry for certain products and services. Despite this being an area of increased focus for regulators, the majority (69%) of respondents stated that their programs are not managing for concentration risk.
Fourth party risk (and beyond)
There’s an expectation that organizations will know which of their third parties use subcontractors and that the same levels of controls for risk management are applied through the extended supply chain. The survey found that 20% of participants do not require third parties to disclose sub-contractors, 17% do not have controls in place for how third parties manage subcontractors, and 46% do not conduct due diligence on critical 4th parties.
Cyber-risk, information security, and data protection
The survey found that 86% of respondents are managing for cyber-risk and information security risk in their programs, and 79% are managing for data privacy risk. Yet, only 27% would be able to produce a report of their third parties with cyber-risk exposure quickly and easily (11% would find this impossible).
In addition to these areas of exposure, the survey found that there was a clear need for better reporting, with the majority of respondents unable to produce standard third-party risk reports completely and quickly. Contributing to this challenge was the lack a of a single inventory, the use of disparate systems across organizations, lack of integration between systems, and technology limitations.
Next week, we’ll take a deeper dive into some more survey results – with a focus on compensation for third party risk professionals, budgets and resource.