Taking the pulse of third party risk management: Industry benchmarking to understand program maturity


By Robert Koszkalda, Director, Third Party Risk Management, SVP, KeyBank.

Bob can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

I’m the Director of Third Party Management at KeyBank, a $135 billion financial institution based in Cleveland. I’m responsible for the development of and adherence to Key’s third party management policy, program and practices in alignment with Key’s enterprise risk management requirements and corporate risk appetite. Before heading up TPM, I implemented the technology risk function at Key and was a manager in IT Audit. Current priorities include TPM being more influential during the planning phase, implementing service categories to streamline onboarding and provide consistency in risk management, and assessing the viability of third party utilities to off-board some of the administrative tasks of managing third parties.

At the Vendor and Third-Party Risk USA conference, you will be speaking on your insight regarding ‘taking the pulse of third party risk management: industry benchmarking to understand programme maturity’. What would you say are some key industry focus areas & why are these so important?

A focus area may be ensuring that third parties that perform enterprise critical activities are properly identified and are managed to a level appropriate for their value to the bank and risk profile. Critical activities are often core banking functions that are the lifeblood of a bank and should be managed accordingly. The desire to “know all your third parties” could take the emphasis away from managing the most important third parties.

Cyber security of protected data has been a big risk for a long time and the threats to it continue to increase. Implementing additional measures to complement point-in-time assessments and understanding the control environment of fourth parties that access your sensitive data will be a focus in the future.

Sales practices and other compliance risks are a hot topic due to the Wells Fargo situation. Banks will need to ensure that third parties that interact directly with their customers have the appropriate policies and procedures to ensure ethical behavior and conformity to the bank’s policies for client interaction.

What are some of the key tools used to manage and monitor third party risk and any advice for effective ongoing oversight?

Many companies use a GRC tool to manage third party relationships. These applications often have a lot of data that can be leveraged to provide risk insights, identify focus areas, improve the TPM process and inform executive management. For example, metrics have shown that companies with poor financial health strongly correlate with weak information security controls, presumably because they don’t have the resources to provide better security. Also, GRC systems can be queried to identify third parties that have large amounts of bank data, which will drive heightened attention such as continuous monitoring. Tableau can be used to provide executive management with easy-to-consume third party portfolio information.

How do you see the use of technology and advances in assessments changing third party risk management?

Advances in technology may be leveraged to implement management by exception in areas of financial health, negative news and information security monitoring. Alerts could be triggered that meet specified criteria for management to follow up on, eliminating manual reviews. Also, some tools provide “FICO-like” scores in financial health or information security, which may allow lower risk to pass through the due diligence process with less human interaction.

Third party utilities provide managed services to banks, including performing the mechanics of control assessments. This allows banks to shift their focus from completing assessments to managing the risks identified during assessments.

Why is reviewing third party risk a necessary activity for businesses today?

Third parties are an extension of the bank. They interact with bank customers, process bank data and perform critical bank activities. Even if there were no third party regulations, banks would want to make sure that third parties appropriately interact with their clients, protect their data and execute critical activities in adherence to service levels.

To delve in deeper on the above topics, the Center for Financial Professionals would like to invite you to join your peers at our upcoming 3rd Annual Vendor & Third Party Risk USA Congress, taking place June 5-6, NYC. Discuss the above challenges in far greater detail, hear the results of our global survey and network with like-minded experts across two days.
