Posted Wed 21 Aug 2019
The impending application of the Guidelines on Outsourcing from the European Banking Authority (EBA) reflects a growing focus on the potential impacts Third Parties can have on the resilience of an organisation, and with good reason. Third Parties were identified as the second most common root cause of incidents reported to the FCA (after poor change management) and Regulators are growing increasingly cautious of the risks posed by Cloud Providers (the EBA has had outsourcing guidelines in place for Cloud services since July 2018) and FinTechs, as they offer increasingly disruptive technologies to the market, but are less mature in managing the inherent risks in the Financial Services space.
So, how can you effectively mitigate Third-Party Risk when managing Business Resilience? Here we have outlined some of our top tips for doing so:
Embedding Third-Party Risk management across your organisation can be a challenge – but it needs to be considered in the same manner as any other operational risk. Organisations should define and communicate their risk appetite, the associated tolerance levels, and clear and specific policies for procurement, ongoing governance and risk management. Measurement processes should be embedded across the business – leveraging tooling where required – to ensure effectiveness and consistency in application.
Build a business engagement model and supporting analytical processes to ensure you have visibility of all Third Parties supporting your organisation and apply a tailored, proportionate approach to assessing and mitigating the relative risks they pose. Your Risk Framework should have the flexibility and adaptability to manage an increasingly diverse supplier ecosystem, without unduly restricting the potential for new or ongoing supplier relationships.
Capabilities to assess and manage high-visibility and high-impact risks such as Cyber Security and Data Protection tend to be relatively mature across many organisations. However, to effectively understand and manage the potential impact a supplier may have on your business resilience, organisations should consider the myriad risks suppliers can pose, including (but not limited to):
Businesses must be unequivocal about how they will manage conflicts of interest, something that becomes ever more salient when considering conflict between investors and clients, which may arise as a result of the increasing prevalence of FinTechs.
Organisations are required to deploy an increasingly proactive assessment of the capability and performance of their Third Parties, building supplier governance models that provide regular reviews and are updated to ensure relevance to the current scope of the service provision – it is common for this scope to change during the term of the agreement.
In order to provide objective assurance, businesses should leverage their audit rights. This ensures suppliers continue to meet their obligations, particularly for complex arrangements, and that the right skills, technical capability and level of rigour are applied proportionate to the complexity and risk of the third-party service. The risk of relying solely on accreditation or consolidated audits should also be considered.
Many organisations have come a long way since the age-old “the Exit Plan will be finalised within three months of the contract signature date”; a clause included in their contractual agreements but without any resultant actions. That said, organisations should still ensure that their exit strategies are fully developed (with a known scope of activities, effort and costs) and that they account for risks and issues that could prevent their effective implementation before entering into a Third-Party agreement. Plans should look at whether the organisation would have the capability to effectively re-integrate the services; feasibly move to another provider; and/or implement enhanced supervision and control over the supplier until a longer-term plan can be developed. Contractual rights should then reflect the nature of the plans.
When considering the above risks, organisations should consider the full extent of the supply chain. Subcontractors, often referred to as ‘fourth parties’, can pose equal or even greater threats to the resilience of your organisation than your prime contractors. Therefore, Third-Party Risk Management should effectively extend to sub-contractors. It is wise therefore to consider the following factors:
In summary, Business Resilience means taking a holistic view of your organisation, understanding dependencies and risks, and planning for effective management, should it be required.
TORI Global can help ensure your Third-Party Governance and Risk Management processes are effective in addressing your Business Resilience needs. If you’d like to talk further, please contact Mike King or Paul Brooks at TORI Global.
Reference: FCA – Cyber and Technology Resilience: Themes from cross-sector survey 2017/2018