Importance of Effective Third-Party Risk Management For The Financial Services Industry

Introduction

Over the last two decades, companies in the BFSI (Banking, Financial Services & Insurance) industry have increasingly outsourced their core activities to third parties. While this trend provides operational efficiencies and cost advantages, it also exposes financial services firms to a multitude of risks. In fact, cyber-attacks, security breaches and data privacy failures caused US financial services firms to pay more than $23Bn in fines in 2022. Furthermore, the growing digital transformation of business operations leaves companies across other industries with similarly high risk exposures.

As a result, Third-Party Risk Management (TPRM) has become more important now than ever. Companies often focus on risk management activities during the initial due diligence phase but fail to monitor and control risks across the rest of the third-party engagement life cycle. This can lead to security or compliance gaps. Some of the key risks that third parties pose to financial services firms are listed below.

Major third-party risks for financial services firms

Cyber and Privacy Risk

An organization’s data is lost or security is compromised due to deficiencies in the cybersecurity and privacy controls of the third party.

Compliance & Regulatory Risk

A supplier fails to comply with required regulations, causing the client’s organization to be non-compliant.

Digital Risk

Reputational Risk

Financial Risk

The third party cannot continue to operate as a financially viable entity, causing disruption to the client’s core business.

Geopolitical Risk

Legal, regulatory, political and socio-economic repercussions of working with a third party that does business in a particular country.

The risk can increase depending on how the company uses these third parties. If a supplier has access to customers’ personally identifiable information (PII) and its systems are breached, all of those customers’ personal information is compromised. This could not only lead to fines in the tens of millions of dollars, but also cause irreparable damage to the organization’s brand and reputation.

A Robust Third-Party Risk Management Program Is The Need Of The Hour For Financial Services Firms

Leverage Procurement Best Practices

Segmentation

Risk-based segmentation driven by the nature of the risk, with suitable controls to address it.

Rules Based Due Diligence

Carefully designed rules based on the type of third party; due diligence should also assess regulatory compliance based on the activity performed by the third party.

Post Contract Compliance Management

An end-to-end process to capture, track and report compliance and QC metrics in addition to performance.

Governance

Independent, cross-functional teams responsible for oversight and decision-making. Executive support should be available for escalations whenever necessary.

Tools

Comprehensive risk management tools, including a repository of performance, compliance and risk-based data, with clearly assigned risk management owners across business units (BUs).

Valorant Recommends A 5-Step Process To Set Up A Third-Party Risk Management Program At Financial Services Companies

Establish A Governance Structure

Establish a robust governance structure with engagement from the board and C-Suite so that sound risk management practices are embedded into the organization’s culture. The tone needs to be set from the very top. TPRM governance defines the vision of the organization’s TPRM capability and provides direction for the execution.

Identify And Categorize All Third Parties Working With The Company

Identify, categorize and assess your existing third-party population to effectively manage your third-party inventory. Not all third parties are the same; segmentation allows organizations to prioritize their efforts and ultimately guides how vendors should be managed from a risk perspective. The example below highlights how a risk due diligence approach can change focus based on how a third party interacts with the customer.

Risk assessment strategy based on the extent of customer interaction (insurance example)

Guideline for "Type of Interaction"

High-touch interactions include marketing, sales of policies, claim appraisals and investigations.

Low-touch interactions are usually non-sales activities, such as customer service and providing information on existing policies.

This third-party inventory needs to be actively maintained, as it is constantly changing: third parties are added and removed, and services expand and contract.

Establish A Defined Risk Approach And Model

Adopt risk models according to the organization’s risk appetite and culture, and determine the level of risk the organization is willing to take. As organizations develop a clear view of their third-party landscape through a robust inventory, it is important to differentiate among third parties based on risk and to understand what further actions may be needed to remain protected.

Implement TPRM Policies & Standards

These should outline the purpose and phases of the TPRM framework and define the roles and responsibilities of all key stakeholders. For effective TPRM execution, it is vital that all stakeholders understand their responsibilities when engaging a third party, the risks associated with doing business with an external party, and the consequences of not complying with the organization’s policies and standards.

Establish & Execute TPRM Processes

Most organizations focus on risk management activities during the due diligence and monitoring phases. However, organizations need to embed third-party risk management activities across the entire third-party life cycle. It is important to set up post-contract compliance management procedures that go beyond performance management to focus on compliance and complaint tracking, as well as addressing any concerns appropriately.

Conclusion: The Way Forward

With continuous advancements in technology, the regulatory and risk management landscape affecting third-party management will continue to change and evolve for BFSI companies. However, third-party risk management should not be a reactive response to changes in technology and regulations. Rather, it should be a proactive approach towards building a better, standardized life cycle for vendor relationships. Board members and management must become more agile and adaptive in their approach to third-party vendor selection and management. These steps will go a long way toward managing enterprise third-party risk by ensuring all your third parties are serious about cybersecurity and fulfil regulatory requirements.

Author

Ankit, India Lead and Consulting Director (IN)

Ankit is a seasoned management consulting professional based in Valorant’s India office in Bangalore. He specializes in advising corporate and private equity clients on cost transformation and profitability improvement through Supply Chain, Procurement and Technology.