TPRM, Fourth-Party Risk Management, and Concentration Risk in Banking

April 6th, 2022 Hannah Tichansky Reading Time: 3 minutes

BIS’s Basel Committee on Banking Supervision (BCBS) has released a new newsletter focusing on third- and fourth-party risk management and concentration risk. BIS works with banks and other regulatory authorities to promote financial stability by providing policy recommendations and analysis. The BCBS committee “develops global regulatory standards for banks and seeks to strengthen micro-and macroprudential supervision.” BCBS does not have legal force as a formal authority; rather, it supports and relies on its members to promote its suggestions and mandates.

Financial institutions, particularly banks, have set the precedent for other industries when it comes to utilizing technologies to help survive the COVID-19 pandemic. However, this increased reliance on third and fourth parties, and their technologies, has caused increased operational risk exposure.

Understanding the Principles for TPRM and Operational Resilience

The Committee, through a series of outreach programs that focused on how to improve banks’ TPRM, fourth-party risk management, and concentration risk, recommends the implementation of the Principles for Operational Resilience (POR) and the use of the revised Principles for the Sound Management of Operational Risk (PSMOR) in order to strengthen operational resilience. These were released and revised, respectively, in 2021, and the Committee is continuing to monitor this risk landscape.

These Principles were designed to address new and existing hazards surrounding TPRM and fourth-party risk, which are continuing to evolve due to the increased use of cloud, third, and fourth-party technologies. While these risks can’t be prevented, appropriate management of these technologies and management of concentration risk will help companies withstand and recover from operational risks and disruptive situations.

Concentration risk is a direct or indirect exposure, or group of exposures, that has the potential to lead to large losses that can threaten an organization’s ability to perform its core business. This type of risk can be the result of dependence on a geographic area, a single vendor or fourth party, or a portfolio of investments.

TPRM and Fourth-Party Risk Management Outreach Meetings

In coordination with POR and PSMOR, BCBS conducted outreach meetings with participants and supervisors from the private sector to analyze how organizations are utilizing TPRM best practices, and to provide a forum for information sharing on concentration risk and fourth-party risk management.

Key insights from these sessions include:

  • There are critical gaps in companies’ TPRM including insufficient knowledge of provider responsibilities, a lack of monitoring of critical fourth parties, and insufficient business continuity plans.
  • Banks are worried that insufficient supply chain transparency will lead to increased incidents of operational risk.
  • While risk management is keenly focused on direct suppliers, there are continued risk exposures when it comes to outsourcing and fourth parties further along supply chains.
  • The Committee also found that vendor termination and offboarding plans often lack sufficient detail and testing, which causes confusion when it comes time to execute a strategy or stage.

The sessions also noted that banks should not be outsourcing their risk management responsibilities when it comes to their due diligence and risk management processes.

“Consistent with the POR and revised PSMOR, outreach participants indicated that banks’ third- and fourth-party risk management arrangements should reflect strong governance and the integration of risk management in their due diligence processes.”

BCBS Newsletter

Another key component of operational resilience is the thorough use of business contingency and business continuity planning and processes. This is particularly important when it comes to:

  • Exit strategies if there is a disruption related to critical operations
  • Assessing the ability of third parties to support critical operations
  • Providing alternative processes if an outage occurs at a third party, such as bringing a service in-house

In order to reduce concentration risk, participants also stated that banks should work directly with service providers to plan for the case of potential failures.

The Committee will continue to monitor TPRM and fourth-party risk management efforts in reducing concentration risk. They note that implementing POR and PSMOR best practices will strengthen banks’ operational resilience and help them withstand operational disruptions.

To learn more about enhancing your TPRM and fourth-party risk management, as well as building organizational resilience, reach out to one of Aravo’s experts who are on-hand to help!

If you are interested in learning more about Operational and Organizational Resilience, check out our latest edition of Risk & Resilience Magazine, which focuses on these topics.
