Third party risk management (TPRM) is a strategic priority for boards and senior executives. As outsourcing and supplier diversification accelerate, so does the complexity of managing third party and downstream risks.
To explore this pressing topic in detail, we launched a project involving 70 of our member firms. Our goal was to give our members a better understanding of how financial institutions are managing their third parties and where they could improve their practice. Drawing on data and insights from the study, this article explores our main findings and provides ten practical steps you can follow to help improve TPRM practice. Our members can access the two practice papers and an industry overview report for more insights and benchmarking.
Headlines
TPRM is a priority for financial firms
TPRM is a strategic priority across financial services. Our research shows that firms are increasingly embedding TPRM into business strategy, focusing especially on outsourcing, supplier diversification and concentration risk management.
Third party risk is becoming more systemic in nature
Third party risk continues to increase, with firms becoming more and more reliant on suppliers to deliver digitalisation and growth. Our study revealed that the use of large technology, payment, and settlement providers is driving concentration and systemic risk across the industry. Additionally, the interconnectivity and complexity of third party ecosystems is amplifying other risk types – particularly cyber.
Focusing on building resilience helps address challenges
Firms are focusing on resilience to help mitigate the systemic nature of third party risk, including understanding suppliers' continuity and resilience capabilities, maintaining strong internal business continuity management and enhancing in-house capabilities. However, with limited viable alternatives available, particularly to large technology and payment providers, replacing critical third parties is difficult.
Third parties are managing fourth and nth parties
Our research showed that firms typically rely on third parties to manage fourth and nth parties. This creates challenges where third parties are reluctant, unclear or slow to disclose requested information. To address this challenge, some organisations have ensured that contracts clearly set out third-party responsibilities regarding fourth parties, including monitoring and control requirements.
Ten steps to improve your TPRM practice
Based on our study, here are ten steps you can take to improve your TPRM practice and drive alignment with the operational and non-financial risk framework. ORX members can download the TPRM practice reports to read our findings in full.
1. Incorporate TPRM into business strategy development
Ensure TPRM is involved in setting the overall organisational outsourcing strategy and define which processes and services should be outsourced and which kept in-house.
2. Standardise the TPRM approach across the organisation (including centralised governance)
Centralise the governance and oversight of third-party risk and ensure processes and practices are consistent and rationalised where possible.
3. Ensure roles and responsibilities are understood
Make sure the importance of a consistent and aligned approach is understood across the entire organisation and ensure roles and responsibilities are clear across the three lines of defence.
4. Connect with other risk frameworks
To drive greater resilience and a more effective operating model, group TPRM with related risk functions, such as technology and cyber. Alternatively, ensure there are regular conversations between TPRM and other risk areas.
5. Leverage contracts and controls to help support monitoring and robust exit planning
Think about direct and/or indirect testing requirements and set clear expectations around the supply and handling of data, including what data the third party must provide, when, and how long it is retained.
6. Measure and manage exposure to fourth and nth party risk
For a more complete picture, develop greater visibility of material downstream supplier risk exposure alongside third party risk exposure.
7. Apply a risk-based approach across the TPRM process
Using a risk-based approach helps you to prioritise resources and focus attention. This gives you a view of supplier criticality and materiality, in turn enabling you to determine the level of governance, frequency of monitoring, number of key controls and reporting requirements needed.
8. Develop robust TPRM data and a single system of record
Ensure TPRM data can be linked to operational and non-financial risk and control information and develop the ability to pivot between different vertical and horizontal views.
9. Explore uses of technology and tooling to drive greater efficiency and effectiveness
Automate processes and controls where feasible and investigate the potential of AI to help increase consistency and support real-time risk management.
10. Deploy sufficient resource in the business
Ensure TPRM has sufficient resources to meet the growing regulatory and other stakeholder demands.
Our members can access the two practice papers and an industry overview report for more insights and benchmarking to help improve their third party risk management practice.
Not an ORX member? Find out more about ORX Membership or get in touch.