Cracking the Code Behind Assessing Your Third-Party Risk Management Exposure
In the fallout from the recent bank failures, many banks and non-bank financial institutions are reviewing their Third-Party Risk Management (TPRM) exposure, while balancing the need for outside sources to help them meet the demands generated by regulation, economic cycles, technological developments, resource constraints and competitive pressures. These outsourced third-party arrangements perform critical services across institutions, including contributing to operating cost efficiencies and facilitating the delivery of products and services.
The recent bank crisis won’t change how institutions innovate with third parties, but it is a call to action for leadership to look more carefully at every third-party relationship and partnership. This same level of scrutiny will be seen outside of the financial services world. Also, the ever-looming spectre of potentially far-reaching Environmental, Social and Governance (ESG) reporting should continue to be center-stage on any governance committee’s agenda.
Regulatory Scrutiny and Guidance Around TPRM
Financial institutions have entrusted an increasing percentage of their business operations to these third parties, causing regulators and supervisors to become increasingly concerned about organizational risks, including operational risk, compliance risk, ESG risk, strategic risk, geopolitical risk, reputational risk and liquidity risk. To account for the spectrum of risks, the regulators have begun to view the universe of third parties quite broadly, expecting financial institutions to know the third parties they work with and to hold those entities to the same standards applicable to financial institutions. The business generates the need for the third party, and often manages the relationship and the risks that it generates.
The third party exposes the organization to risks (e.g., reputational, liquidity, operational) and oversight functions are implemented to manage those risks. To complicate matters, the regulatory requirements may change depending on the products, the services offered and the locations in which they are offered. The recent issuance of updated interagency guidance from the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB) and the Office of the Comptroller of the Currency (OCC) describes the regulatory guiding principles and considerations for banking organizations’ risk management of third-party relationships across the stages in the life cycle of third-party relationships: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring and termination. The updated guidance further scales the risk management practices aligning with the risk profile and nature of the third-party relationship.
How Well Do You Know Your Third-Party Exposure and Universe?
The relevant universe of third-party relationships encompasses any entity that interacts with a financial institution and is not within its legal entity structure. This non-exhaustive list includes:
- Shared service providers
- Outsourced providers
- Joint venture partners
- Business alliance members
- Contingency arrangement participants
- Contingent workers
- Transaction counterparties
Similarly, it encompasses all the paths by which a financial institution interacts with these third parties, including:
Understanding Your Organization’s Third-Party Relationships and Potential Risk Exposure
In practice, though, how can a financial institution “know” all its third parties? At a minimum, an organization must be able to identify every third-party relationship and the nature of each relationship – down to the least impactful. Ideally, it should also be able to evaluate the types of risks associated with each and to prioritize them by severity of risk exposure. A completed enterprise-wide third-party risk analysis will highlight concentrations of exposure to individual third parties, as well as concentrations by risk type. In our world of resource constraints, the highest concentrations and highest risks would garner the most attention.
Regulators have issued interagency guidance that provides a broad framework for managing risks related to third-party business relationships, and encourages financial institutions to adapt the risk management principles to fit their individual risk profiles. TPRM requires a framework that places accountability with the board of directors and senior management who must scale the principles according to the size, magnitude and criticality of the third-party provided products or services. Important features of the general framework include:
- Risk assessments to identify the entity’s needs and requirements to engage a third party.
- Proper due diligence to identify and select a third-party provider.
- Written contracts that outline the duties, obligations and responsibilities of the third party and the financial institution.
- Ongoing oversight and monitoring of third-party arrangements and providers consistent with established policies, procedures and reporting lines, and conducted by staff with sufficient expertise.
Defining and Understanding Concentration Risk for Financial Institutions
Third-party resiliency, especially when it comes to concentration risk, should not be ignored. In the recent high-profile bank collapses, the associated banks, venture capital firms and startups mismanaged their concentration risk. This occurs when a given bank’s portfolio is highly concentrated, less diversified or not balanced, and underlying assets are more correlated. In today’s digitally connected and interdependent business environment, concentration risk isn’t limited to just financial investments and conventional supply chain components. Concentration risk can occur whenever there is overreliance on one supplier or interconnectedness with other enterprise risks, resulting in a potentially devastating domino effect from an incident, threat or exposure. Concentration risk should always be assessed as part of ongoing monitoring with regard to technology, systems, data sources and oversight.
A potential third party should always be subject to a due diligence review to evaluate its quality of operations, its risk profile, its ability to comply with regulatory requirements, as appropriate, and its long-term viability. Having passed this review, the third party would be considered in light of pertinent factors that could open the financial institution to risk if it were associated with the third party, including: data security, cybersecurity/privacy, customer interaction, brand reputation, legal liability, fraud, intellectual property rights, business continuity, green/sustainability, downstream suppliers (tiers two and three), and geopolitical issues. Finally, a determination would be made as to whether the risks posed by the potential third party could be mitigated contractually, and whether they are commensurate with the risk appetite of the financial institution.
Safeguarding Your Organization Through Proactive Planning and Monitoring
It is paramount to perform proper due diligence and assess risk relating to potential reputational, regulatory, financial and operational factors that each third party poses to your organization. Furthermore, your organization should increase the depth and level of due diligence, and assess your concentration risk by identifying contingency planning alternatives.
Strategically, financial institutions would be best served to establish a single third-party management and oversight framework that is employed consistently across the entity and integrated into its operational, risk and compliance management and control activities. The framework must address all dimensions of the financial institution/third-party relationship, including the business strategies and goals of the financial institution, the risks associated with the financial institution’s business lines as well as the risks passed through to the third-party provider, the selection of third-party providers and the contractual agreements, the necessary ongoing oversight and monitoring requirements, and the processes to terminate relationships as risk exposures change. The framework should, on an enterprise-wide basis, ensure that a single set of policies and procedures is used to manage third-party providers, and that engaged third parties contribute to the entity’s strategic and operational goals. It will ensure clarity with respect to oversight functions, roles and responsibilities, risk appetite and the selection process. It will also permit entities to realize scale efficiencies in administrative areas as well as in ongoing, repetitive roles such as testing and monitoring.
It is also important to ensure that innovation is properly and responsibly managed and fits your risk profile within your organization’s risk appetite. For more information on responsible innovation and OCC’s guidance on the matter, check out a recent article on Establishing Risk Management Principles for Responsible Innovation in Financial Services Companies.
As business strategies continue to change, so will regulations and regulatory expectations. Similarly, the supply of third-party providers is dynamic, and new risks are constantly emerging. Combined, these inputs create a highly complex matrix with the potential to “crash” if outlier risks are not adequately identified, controlled and interconnected. A centralized and integrated third-party oversight framework then becomes the key to managing the influence of external forces on this system. To manage third-party risks, financial institutions should:
- Define and inventory their third parties.
- Assess their third-party risk appetite.
- Assess the risk in their existing third-party relationships.
- Execute enhanced due diligence for existing critical third-party relationships.
- Establish ongoing monitoring and enhanced performance and monitoring standards.
- Train impacted stakeholders and relevant board and management stakeholders.
How We Can Help
At Cherry Bekaert, our goal is to help clients protect value, power performance, and build financial and operational resilience. Increased volatility in the business and regulatory environment is a strong incentive to mature your organization’s TPRM program. Let us guide you through designing, deploying and remediating your TPRM capabilities, oversight and monitoring structures by aligning your TPRM program based on your portfolio of third parties and working across functions (e.g., Risk Management/Internal Audit, Procurement, Legal, Compliance) to customize the necessary TPRM controls to the unique needs of a particular function or business.
For more information on establishing or enhancing your organization’s TPRM program, contact Cherry Bekaert’s Risk & Accounting Advisory Services practice or your Cherry Bekaert advisor.