Third party risk management is making headlines and for some very good reasons. Why? Structural factors are forcing a complete rethink of current practices. Financial institutions and third parties are each facing their own challenges as third party risk management receives greater focus than ever before.
Factor #1: RELIANCE
There is an increased reliance on third parties. Financial institutions globally depend on third parties to deliver business critical processes and services. Third party vetting and risk management is a growing issue as more firms outsource and engage with third parties, and even fourth parties, for these vital tasks. It is critical for a financial institution to understand the extent of its dependencies on third parties and ensure that these third parties are operationally sound, especially from an information security standpoint.
Factor #2: COMPLEXITY
The increased reliance on third parties leads to increased complexity of oversight. It’s no longer sufficient to know just your third parties; you must know the fourth and fifth parties too, and thoroughly understand the products and services they provide. According to PwC, 45% of firms rely on third parties to manage their fourth party risk. The complete supply chain of risk must be understood in order to properly assess an institution’s enterprise risk profile.
Factor #3: REGULATION
Regulators around the globe are taking notice. The Office of the Comptroller of the Currency in the US, the Financial Conduct Authority in the UK, the Monetary Authority of Singapore and many others have issued guidelines for managing third party risks. Firms can outsource the job and the function, but they cannot simply outsource the risk. This includes cybersecurity, or more aptly put ‘cyberinsecurity’. The mantra is you must know your third parties and every aspect of their risk management lifecycle – including crucial aspects related to due diligence and ongoing monitoring.
Factor #4: OUTDATED PROCESSES
Current processes aren’t keeping pace with the new emphasis on third party risk management. Risk assessment processes today are duplicative, bilateral and costly with multiple touch points. Half of firms still rely on spreadsheets to support their third party risk management programme according to a recent study by Aite. It is not uncommon for a third party to receive a spreadsheet questionnaire from a financial institution with 28 different tabs to complete. That’s a long and arduous task to comply with for every bank a third party does business with.
Factor #5: STANDARDS
While regulators across the globe have issued guidance around third party risk management, few, if any, have issued any mandatory rules. While tools and questionnaires for conducting due diligence do exist, there is a lack of flexible technology to support workflow efficiencies underpinning this critical process.
So how can the quality of third party risk management keep pace with the level of risk and complexity of these relationships? The future of third party risk management is more than just spreadsheets. The industry is at an inflection point and needs standards to drive best practices to run its business and meet regulatory guidelines. The current processes are broken and it’s time to move to a centralised way of doing things which will benefit financial institutions and third parties alike. Through a shared data hub, redundancy collapses, costs decrease and inefficiency falls by the wayside.