Introduction
Over the last two decades, companies in the BFSI (Banking, Financial Services & Insurance) industry have increasingly outsourced their core activities to third parties. While this trend provides operational efficiencies and cost advantages, it also exposes financial services firms to a multitude of risks. In fact, instances of cyber-attacks, security breaches and data privacy concerns caused US financial services firms to pay fines of more than $23Bn in 2022. Furthermore, the increasing digital transformation of business operations exposes companies across other industries to similarly high risk exposures.
As a result, Third Party Risk Management (TPRM) has become more important now than ever. Companies often focus on risk management activities during the initial due diligence phase but fail to monitor and control risks across the third-party engagement life cycle. This can lead to security or compliance gaps. Some of the key risks that third parties impose on financial services firms are listed below.
Major third-party risks for financial services firms
An organization’s data is lost or security is compromised due to deficiencies in the cybersecurity and privacy controls of the third party.
Supplier fails to comply with required regulations, causing the client's organization to be non-compliant.
Third party cannot continue to operate as a financially viable entity, hence causing disruption in the client's core business.
Legal, regulatory, political and socio-economic repercussions of working with a third party that does business in a particular country.
The risk can increase depending on how the company uses these third parties. If a supplier has access to customers' personally identifiable information (PII) and their systems get hacked, all of the customers' personal information is compromised. This could not only lead to fines in the tens of millions of dollars, but also cause irreparable damage to the organization's brand and reputation.
A Robust Third-Party Risk Management Program Is The Need Of The Hour For Financial Services Firms
Risk-based segmentation driven by the nature of the risk, with suitable controls to address it
Carefully designed rules based on the type of third party, which should also assess regulatory compliance based on the activity performed by the third party
End-to-end process to capture, track and report compliance and QC metrics in addition to performance
Independent, cross-functional teams responsible for oversight and decision making, with executive support available for escalations whenever necessary
Comprehensive risk management tools, including a repository of performance, compliance and risk-based data with clear risk management owners across business units (BUs)
Valorant Recommends A 5-Step Process To Set Up a Third-Party Risk Management Program At Financial Services Companies
Establish a robust governance structure with engagement from the board and C-Suite so that sound risk management practices are embedded into the organization’s culture. The tone needs to be set from the very top. TPRM governance defines the vision of the organization’s TPRM capability and provides direction for the execution.
Identify, categorize and assess your existing third-party population to effectively manage your third-party inventory. Not all third parties are the same; segmentation allows organizations to prioritize their efforts and ultimately helps in guiding how vendors should be managed from a risk perspective. The example below highlights how a risk due diligence approach can change focus based on how a third party interacts with the customer.
High-touch interactions include marketing, sales of policies, claim appraisals and investigation
Low-touch interactions are usually non-sales activities like customer service and providing information on existing policies
This third-party inventory needs to be maintained as it is constantly changing, with third parties being added and removed or services expanding and reducing.
Adopt risk models according to the organization’s risk appetite and culture. Determine the level of risk the organization is willing to take. As organizations develop a clear view of their third-party landscape through a robust inventory, it is important to differentiate among third parties based on risk and understand what further actions organizations may need to take to remain protected.
The organization's TPRM policies and standards should outline the purpose and phases of the TPRM framework and define the roles and responsibilities of all the key stakeholders. For effective TPRM execution, it is vital for all stakeholders to understand their responsibilities when engaging a third party, the risks associated with doing business with an external party, and the consequences of not complying with the organization's policies and standards.
Most organizations focus on risk management activities during the due diligence and monitoring phases. However, organizations need to embed third-party risk management activities across the entire third-party risk management life cycle. It is important to set up post-contract compliance management procedures that go beyond performance management to focus on compliance and complaint tracking, as well as addressing any concerns suitably.
Conclusion: The Way Forward
With continuous advancements in technology, the regulatory and risk management landscape impacting third-party management will continue to change and evolve for BFSI companies. However, third-party risk management should not be a reactive response to changes in technology and regulations. Rather, it should be a proactive approach towards building a better and standardized life cycle for vendor relationships. Board members and management must become more agile and adaptive in their approach towards third-party vendor selection and management. These steps will go a long way toward managing enterprise third-party risks by ensuring all your third parties are serious about cybersecurity and fulfill regulatory requirements.