Third-party risk reimagined

Among the most important recent trends in banking has been an increased tendency to outsource services previously handled internally. While this practice has its merits, a vendor’s operational weaknesses, financial instability or inappropriate conduct can create significant third-party risks that threaten a bank’s institutional standing and market fundamentals.

In the aftermath of the 2008 financial crisis, regulators began pressing banks to create more robust approaches to identifying, evaluating and monitoring third-party risk. The Federal Reserve further accelerated these efforts with its 2013 SR13-19 letter, “Guidance on Managing Outsourcing Risk.”

Banks responded in kind, building out comprehensive third-party risk management (TPRM) programs that subject vendors to extensive initial due diligence and quarterly or annual reviews. This approach worked well under then-normal circumstances. 

However, “normal circumstances” now are out the window. Events such as the COVID-19 impact on supply chains and vendor networks; the Target data breach launched by fourth-party perpetrators via an unwitting third-party HVAC vendor; and the SolarWinds attacks have dramatically reshaped views of the pace and scale of third-party risk. The pandemic, in particular, raised questions that hadn’t previously been imagined. Do banks’ third-party vendors have adequate information-security protocols in place for work-from-home employees? Can those vendors actually survive a monthslong shutdown with zero revenue?

For risk managers, the new norm has revealed an urgent need for the following stronger TPRM requirements:

Frequent monitoring of individual vendors 

No sane investor would monitor the market risk of a liquid securities portfolio on a quarterly basis — they’d miss far too much. Risk managers are now taking a similar view of third-party vendors. Pre-COVID approaches such as quarterly financial reviews, periodic surveys to vendors and occasional relationship calls are no longer enough. The pandemic demonstrated that vendors’ financial stability and operational capacity to meet bank demands can change significantly, and often with relatively little warning. Consequently, TPRM programs should provide for more frequent vendor monitoring and review.  

Integration of near real-time information and analytics  

Increased monitoring will require more timely information about vendors. Banks can address this need by enlarging their vendor-management teams — and by adopting more sophisticated data-analytics systems. Such systems can retrieve signals from financial, news and social media sources, and tip off a bank to any potentially dangerous developments among its vendors. The timeliness of third-party risk metrics and analytics needs to look more like market risk data feeds, implying a complete transformation in how third-party risk is conceived, measured and managed. 

Risk transparency for fourth parties and beyond   

Tightly integrated, interconnected networks of commercial relationships are capable of transmitting data — and vulnerabilities — rapidly and stealthily. Every third-party vendor is only as safe as its least secure vendor or commercial relationship, and every fourth party is likewise only as safe as the weakest link in its own extended network. Banks need the ability to scan for risk “over the horizon” by understanding fourth-party relationships and vulnerabilities, including the identification of common fourth-party exposures impacting their vendor and commercial networks.  

Stronger links between third- and fourth-party risk evaluations and action plans 

For companies in all sectors, COVID-19 demonstrated that they won’t have the luxury of developing crisis plans when they are actually in a crisis; they need predefined action plans, triggered as soon as qualifying conditions arise. Banks should apply this lesson to TPRM. We advocate for the development of specific playbooks, with activation thresholds defined in advance, so that crisis-response planning takes place before a crisis, rather than after it is already underway. 
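The three mechanisms described above (near real-time signal feeds, visibility into shared fourth-party exposure, and playbooks with activation thresholds fixed in advance) can be sketched in a few dozen lines. The following Python is an added illustration written for this edit, not Kearney's or any bank's tooling. The vendor and fourth-party names, the signal values, the feed weights, the 50% discount applied to signals inherited from a fourth party, the criticality uplift and the activation thresholds are all constructed assumptions; a real program would take the signals from its own data feeds and set thresholds by policy.

```python
"""Continuous vendor-risk monitor (illustrative, added example).

Combines per-vendor signals into a composite score, inherits discounted
signals from the vendor's own subprocessors (fourth parties), maps the
result to a pre-agreed playbook tier, and reports fourth parties that
several vendors share (a common exposure one incident could propagate across).
All names, weights, thresholds and sample data below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Vendor:
    name: str
    criticality: int      # 1 (low) .. 3 (critical), assigned by the bank (assumed scale)
    subprocessors: list   # fourth parties this vendor depends on


@dataclass
class Signal:
    vendor: str           # third or fourth party the signal is about
    kind: str             # "financial", "news" or "security" feed
    score: float          # 0.0 (benign) .. 1.0 (severe), normalised by the feed (assumed)

    def __post_init__(self):
        if self.kind not in WEIGHTS or not 0.0 <= self.score <= 1.0:
            raise ValueError(f"malformed signal: {self}")


# Assumed feed weights for the composite score
WEIGHTS = {"financial": 0.4, "news": 0.2, "security": 0.4}
# A fourth party's signal counts at half strength for its dependents (assumed)
FOURTH_PARTY_DISCOUNT = 0.5
# Critical vendors escalate sooner: +0.1 per criticality level above 1 (assumed)
CRITICALITY_UPLIFT = 0.1
# Playbook activation thresholds, defined in advance (constructed values)
PLAYBOOKS = [
    (0.8, "activate-exit-plan"),    # transition to the pre-identified alternate
    (0.6, "enhanced-monitoring"),   # daily review, request fresh attestations
    (0.4, "relationship-call"),     # schedule a call, ask for supporting evidence
]


def composite_score(signals):
    """Weighted combination of the worst current signal per feed."""
    worst = {}
    for s in signals:
        worst[s.kind] = max(worst.get(s.kind, 0.0), s.score)
    total_weight = sum(WEIGHTS[k] for k in worst)
    if total_weight == 0:
        return 0.0
    weighted = sum(WEIGHTS[k] * v for k, v in worst.items())
    return round(weighted / total_weight, 2)


def adjusted_score(score, criticality):
    """Raise the score for more critical vendors so they hit a tier earlier."""
    return round(min(1.0, score + CRITICALITY_UPLIFT * (criticality - 1)), 2)


def select_playbook(adjusted):
    """Return the first playbook whose threshold the adjusted score meets."""
    for threshold, name in PLAYBOOKS:
        if adjusted >= threshold:
            return name
    return None


def fourth_party_exposure(vendors, min_shared=2):
    """Fourth parties on which at least `min_shared` vendors depend."""
    dependents = defaultdict(set)
    for v in vendors:
        for fp in v.subprocessors:
            dependents[fp].add(v.name)
    return {fp: sorted(names) for fp, names in dependents.items()
            if len(names) >= min_shared}


def evaluate(vendors, signals):
    """Score every vendor, including discounted fourth-party signals."""
    by_subject = defaultdict(list)
    for s in signals:
        by_subject[s.vendor].append(s)
    results = {}
    for v in vendors:
        own = by_subject.get(v.name, [])
        inherited = [Signal(v.name, s.kind, s.score * FOURTH_PARTY_DISCOUNT)
                     for fp in v.subprocessors for s in by_subject.get(fp, [])]
        score = composite_score(own + inherited)
        adj = adjusted_score(score, v.criticality)
        results[v.name] = {"score": score, "adjusted": adj,
                           "playbook": select_playbook(adj)}
    return results


# Constructed sample portfolio and one day's signals
VENDORS = [
    Vendor("CorePay", 3, ["CloudHostCo", "AuthSaaS"]),
    Vendor("StatementPrint", 2, ["CloudHostCo"]),
    Vendor("DataFeedInc", 2, ["AuthSaaS"]),
    Vendor("OfficeHVAC", 1, []),
]
SIGNALS = [
    Signal("CorePay", "financial", 0.3),
    Signal("CorePay", "news", 0.5),
    Signal("AuthSaaS", "security", 0.9),   # fourth-party incident report
    Signal("StatementPrint", "financial", 0.7),
    Signal("OfficeHVAC", "security", 0.2),
]

if __name__ == "__main__":
    for name, r in evaluate(VENDORS, SIGNALS).items():
        print(f"{name:15} score={r['score']:.2f} adjusted={r['adjusted']:.2f} "
              f"playbook={r['playbook']}")
    print("shared fourth parties:", fourth_party_exposure(VENDORS))
```

Two design points carry the article's argument: the score is recomputed from whatever signals arrived most recently rather than on a quarterly cycle, and a fourth party's incident reaches the bank through every vendor that depends on it, which is why the shared-exposure list matters before an incident rather than after.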

Expansion of the range of possible TPRM actions 

Historically, changes in vendor-risk profiles might have triggered a limited number of exposure-reduction efforts, such as the insourcing of affected services or the identification of alternative providers. We are now seeing banks consider a much broader and more creative range of responses to vendor distress and limitations. These include such options as prepaying on long-term contracts; making equity investments in the vendors; providing debt financing; or developing new capacity through a joint venture. Previously transactional commercial deals are now increasingly framed as partnerships, with a broad range of operational and financial structures. 

While economies in North America, Europe and parts of Asia are emerging from the pandemic, it seems foolhardy to discount the possibility of future “unprecedented” shocks to our economic systems. Banks can, and should, prepare themselves by reviewing and strengthening their TPRM plans. Even without an epochal crisis such as COVID, these precautions will equip banks to realize the benefits of third-party relationships while guarding them against the potential hazards.  

Written by Dylan Roberts, partner within the financial institutions group at Kearney

Read the full article at