TORI Logo

Six steps to managing Third-Party resilience

The impending application of the Guidelines on Outsourcing from the European Banking Authority (EBA) reflects a growing focus on the potential impacts Third Parties can have on the resilience of an organisation, and with good reason. Third Parties were identified as the second most common root cause of incidents reported to the FCA[1] (after poor change management) and Regulators are growing increasingly cautious of the risks posed by Cloud Providers (the EBA has had outsourcing guidelines in place for Cloud services since July 2018) and FinTechs, as they offer increasingly disruptive technologies to the market, but are less mature in managing the inherent risks in the Financial Services space.

So, how can you effectively mitigate for Third-Party Risk when managing Business Resilience? Here we have outlined some of our top tips for doing so:

 

Ensure Third-Party Risk Management is built into your Operational Risk Management Framework

Embedding Third-Party Risk management across your organisation can be a challenge – but it needs to be considered in the same manner as any other operational risk. Organisations should define and communicate its risk appetite; associated tolerance levels and clear and specific policies for procurement; ongoing governance and risk management. Measurement processes should be embedded across the business – leveraging tooling where required – to ensure effectiveness and consistency in application.

 

Understand your supply base and risk positions

Build a business engagement model and supporting analytical processes to ensure you have visibility of all Third Parties supporting your organisation and apply a tailored, proportionate approach to assessing and mitigating the relative risks they pose. Your Risk Framework should have the flexibility and adaptability to manage an increasingly diverse supplier ecosystem, without unduly restricting the potential for new or ongoing supplier relationships.

 

Ensure your Risk Assessment covers all areas of Third-Party Risk

Capability to assess and manage high-visibility and high-impact risk such as Cyber Security and Data Protection tend to be relatively mature across many organisations. However, to effectively understand and manage the potential impact a supplier may have on your business resilience, organisations should consider the myriad of risks suppliers can pose, including (but not limited to):

  • Concentration: reducing over-reliance on one supplier; where a supplier is over-reliant on one organisation, or indeed whether the market is seeing undue consolidation.
  • Geographical / Political: consider the stability of the base locations of the supplier, including all service delivery locations, and don’t forget elements such as data recovery, especially where local regulation may not be as rigorous in data protection as, for example, GDPR.
  • Insurances: is the supplier effectively covered to manage the potential impacts they may incur on their business?
  • Physical Security: you may focus on the security of IT systems, but is the physical security of your Third-Party sufficient to protect its, and your, interests?

Businesses must be unequivocal on the potential for managing conflicts of interest, something that becomes ever more salient when considering conflict between investors and clients, which may arise as a result of the increasing prevalence of FinTechs.

 

Oversight and Audit

Organisations are required to deploy an increasingly proactive assessment of the capability and performance of its Third Parties; building supplier governance models that provide regular reviews and are updated to ensure relevance to the current scope of the service provision – it is common that these change during the term of the agreement.

In order to provide objective assurance, businesses should leverage their audit rights. This ensures suppliers continue to meet their obligations, particularly for complex arrangements, and that the right skills, technical capability and level of rigour are applied proportionate to the complexity and risk of the third-party service. The risk of relying solely on accreditation or consolidated audits should also be considered.

 

Build comprehensive Exit Strategies

Many organisations have come a long way since the age-old “the Exit Plan will be finalised within three months of the contract signature date”; a clause included in their contractual agreements but without any resultant actions. That said, organisations should still ensure that their exit strategies are fully developed (with a known scope of activities, effort and costs) and that they account for risks and issues that could prevent their effective implementation before entering in to a Third-Party agreement. Plans should look at whether the organisation would have the capability to effectively re-integrate the services; feasibly move to another provider; and/or implement enhanced supervision and control over the supplier until a longer-term plan can be developed. Contractual rights should then reflect the nature of the plans.

 

Think about the whole supply chain

When considering the above risks, organisations should consider the full extent of the supply chain. Subcontractors, often referred to as ‘fourth parties’ – can pose equally, or even more significant, threats to the resilience of your organisation than your prime contractors. Therefore, Third-Party Risk Management should effectively extend to sub-contractors. It is wise therefore to consider the following factors:

  • Prior approval of any such arrangement should be contracted
  • Ensure an effective governance model is in place to provide oversight of performance and risk across the entirety of the supply chain
  • Implement risk assessments that include sub-contractor risks

 

In summary, Business Resilience means taking a holistic view of your organisation, understanding dependencies and risks, and planning for effective management, should it be required.

 

TORI Global can help ensure your Third-Party Governance and Risk Management processes are effective in addressing your Business Resilience needs. If you’d like to talk further, please contact Mike King or Paul Brooks at TORI Global.

 

Alternatively, register to attend our Business Resilience Breakfast on 10th September, where we'll be discussing the multitude of factors that play in to resilience. More details can be found here >>

 

[1] FCA - Cyber and Technology Resilience: Themes from cross-sector survey 2017/2018

Mike King
Head of Procurement & 3rd Party Management
Top