The pandemic has accelerated digital transformation across all industries, faster even than the CIO agenda anticipated, forcing organisations to move key processes into digital environments quickly in order to retain some level of activity during the disruption. However, this massive and aggressive adoption was driven primarily by business continuity, with only minimal assessment of risk exposure and dependencies.
In the UK during the first half of the year, several organisations, including banks, retailers, internet providers and social platforms, suffered outages of their services, causing a ripple effect across their businesses and the market.
These system failures are partly explained by the increasing volume of operations, the relaxation of security protocols under New Ways of Working, and integration with external ecosystems with minimal testing and backup plans, exposing businesses to new vulnerabilities.
Another aspect of this trend worth highlighting is the increasing dependency on a select few IT providers, especially cloud service providers.
In the UK, the Bank of England is monitoring this trend closely: it is not only requiring financial institutions to adopt a new operational resilience approach for third parties, but is also considering applying a resilience test to banks' cloud providers in order to set a minimum standard and increase financial stability. On the other side of the Channel, the story is quite similar. The European Commission has published a proposal for a regulation on Digital Operational Resilience in the EU financial services sector ("DORA") with the purpose of harmonising the regulatory approach to concentration risk.
But how do you prepare your organisation for the next IT shock?
One key component we have emphasised to our clients when building operational resilience is the need for a strong third-party risk management framework: moving away from an analogue procurement function to proactive supplier management.
Where to start?
Change is not easy, especially for financial institutions, given the complexity of their operations and services. However, we suggest starting with the following steps to build a dynamic approach:
- Understand your suppliers and their dependencies: consider elements such as locations, recovery policies, dependencies on other companies (fourth parties), experience providing the services and business reputation.
- Establish a strong commercial agreement with each supplier and monitor their performance against SLAs. Classify suppliers according to their risk profile and the risk of the service they provide.
- Include automation in your supplier management process.
- Perform an independent assessment of your Third-Party Management (TPM) function.
How can TORI help?
At TORI, we have been supporting financial institutions in establishing a dynamic third-party framework that improves business resilience and efficiency.
Some of the key elements that we cover in our methodology are:
- Designing and establishing a TPM framework, based on risk and counterparty exposure
- Supplier inventory and risk control: monitoring your agreements
- Cost control, based on “cost allocation” and operational efficiency
- Testing your suppliers: business continuity, cybersecurity testing and ethical hacking
- Challenging your governance structure and management processes