Vendor & third party risk – Effective measurement and reporting of risks to provide comprehensive enterprise wide analysis

By Steven Wyles, Head of Santander Services Risk & Director Third Party Risk Management, Santander UK

Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is? What, for you, are the benefits of attending a conference like Vendor & Third Party Risk Europe?

Head of Santander Services Risk & Director of Third-Party Risk Management at Santander UK. My experience is focused on risk and control in a Financial Services context, both within Internal Audit and, more recently, Third-Party Risk Management. My involvement around Third-Party Risk Management extends to both auditing of the framework, individual third-party relationship and process audits in the third-line of defence, as well as the design and on-going implementation of an enhanced policy and control framework for Third-Party Risk Management.

Prior to working at Santander UK, I worked within Internal Audit at American Express (EMEA), and prior to that, External Audit at the National Audit Office.

For me, the key benefit of attending a conference like this is being able to discuss emerging themes and best practice, as well as network with like-minded colleagues in the field of Third-Party Risk Management.

How can different regulations coming from many jurisdictions be harmonised?

This requires greater collaboration between supervisors. This also requires firms to collaborate with supervisors to drive greater alignment and feed into the process of defining content (e.g. such as the recent EBA Outsourcing Guidelines Consultation).

Given that many firms are global institutions, having differing jurisdictional requirements (e.g. OCC, PRA, EBA, etc.) can make implementing a cohesive and consistent Third-Party Risk Management Framework across the Group difficult and costly.

What would be the benefits of a standardised operational resilience?

It should provide a clearer mapping of how / where the supplier ecosystem supports end-to-end processes within the firm, which will enable a clearer and more consistent view of supplier ‘points of failure’ in the process. This will also provide the foundation to understand interconnectivity across the supplier ecosystem and supplier dependency / concentrations.

What are the challenges in aggregating risk across the firm?

  • Agreeing a risk assessment / segmentation approach that is fit-for-purpose and works for all areas of the firm; and
  • Aggregating risk data from various source systems, each with differing data points and quality, to provide a single and joined-up view.

Why is presenting consistently to the decision makers in a “value added” way creating hurdles?

Notwithstanding that Senior Management may have differing needs in terms of reporting, understanding what they view as ‘value-added’ information is not so much the challenge (a simple conversation or workshop can identify this). In my view the difficulty is connecting the various data points collated from multiple systems and in different formats in a way that allows for consistent and value-added reporting.

How do you see the impact of vendor & third party risk evolving over the next 6-12 months?

The continued focus from regulators on third-party risk management and, now, operational resiliency across an end-to-end process (including the supplier ecosystem) will ensure that third-party risk remains a ‘Top Risk’ for most firms.

This will be driven by:

  • The changing nature and complexity of third-parties entering the supplier ecosystem (e.g. cloud, digital partnerships, etc.). This will require Third-Party Risk Management Frameworks which are responsive to the risks emerging in the supplier ecosystem;
  • The opportunity to better use data to enable more effective risk management and predictive risk management; and
  • The need to understand how the supplier ecosystem supports end-to-end processes within the firm and the supplier ‘points of failure’. Producing a complete end-to-end mapping will be complex.