Understanding how third party risk impacts operational resilience and aligning to regulatory requirements

By Charles Forde, Global Head of Third Party, Outsourcing & Inter-Entity Risk, UBS

Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

Since the beginning of my career I have been in roles which have been a mix of operational risk, third party controls, technology and operations. After university, I started my career in the United Nations managing global projects supporting the military peace-keeping missions and humanitarian relief operations in the field. We built and ran a global data and voice service using a combination of Intelsat satellite services and by piggy-backing on the backbone of one of the companies servicing aviation. We were very dependent on our key third party partners for critical rapid deployments and decommissioning in conflict zones. At the same time, all of the missions and operations needed an administrative infrastructure and applications to connect back to headquarters sites, even for basic functions such as reporting, payroll, procurement, etc. Working next to military personnel from many countries was great training in how to deliver a project efficiently, without unnecessary excess and on a very tight budget.

I moved into financial services and had roles for major firms delivering business transformation projects, often in an environment where new technologies were enabling new sources of business but also introducing a new range of risks.

For a number of years I have been focused on Third Party risks. The field has matured significantly over the last ten years and my time has been split between risks due to external third party suppliers (including the traditional BPO / ITO services) and the increasing amount of Inter-Group suppliers. The Inter-Group area has really expanded after the Too Big To Fail restructuring that firms went through after the last financial crisis, which required the separation and capitalisation of the Operating Companies (Business) from the Service Companies (basically all support functions).

At this time, my main area of interest is the emerging regulations for Operational Resilience, of which Third Party and Outsourcing risk is a major component. Looking forward, I expect that there will be increasing oversight of the concentration on the cloud service providers and the role that they play in the resilience of critical business services.

What, for you, are the benefits of attending a conference like Vendor & Third Party Risk Europe 2019 and what can attendees expect to learn from your session?

The benefits of attending Vendor & Third Party Risk Europe 2019 are many, as I have found that it is one of the most useful events to attend for those with an interest in this area. It offers attendees the opportunity to meet and network with some of the subject matter experts in this field from both industry and major vendor firms and market infrastructure providers.

The conference event has a very good mix of attendees and a good balance between presentations and panel sessions, and it provides an opportunity to challenge the presenters, exchange ideas and best practice, and benchmark your own approach and processes for Vendor and Third Party Risk.

I have found the event to be one where I always get new ideas and perspectives and I always meet peers in the industry with whom I keep in contact for information sharing and collaboration long after the event.

In your opinion, how can we look to effectively leverage existing monitoring capabilities and processes?

There are many tools and processes available, either as standalone products or as functionality within existing systems, and the number of tools and processes is always increasing. But in order to effectively leverage them for managing Vendor and Third Party risks, I am focused on determining which monitoring tools and processes may be leveraged for risk assessment (providing valid data points) and which may be leveraged for monitoring and providing only risk indicators.

It is important that firms have a number of monitoring capabilities which can be used to validate their diligence and to help prioritise the allocation of resources for diligence over the highest risk engagements and most services.

In order to effectively manage third party engagements, the monitoring capabilities and processes must be embedded in the supplier management lifecycle. This means covering every phase, from pre-contract diligence to contract initiation and ongoing performance management, through to contract termination. Cyclic, or periodic, diligence and assessment is an area where firms should focus on enhancing their monitoring capabilities and processes to ensure that the higher risk and critical business services are prioritised.

What are the key considerations that need to be made when moving towards cloud computing?

When we talk about moving to cloud computing, we need to make a distinction between single cloud instances of software (SaaS) and the large scale migration of applications and services to cloud based platforms (rather than in-house data centres). For the latter, the recent trend in financial services is for large scale Infrastructure and Platform as a Service (IaaS and PaaS).

For firms making this transition, some of the key considerations are:

1. Selection of strategic Cloud Service Provider(s) – carefully determine the success factors and the product features of the major providers to support the successful migration of the application estate. Not all of the top CSPs are equal in every respect, including functionality (such as sophistication of data analytics) and geographic coverage.

2. Application inventory and prioritisation – before starting the transition of the application services, it is critical to have an accurate internal inventory and to understand the ‘quick wins’ and the challenges (such as legacy apps which may not be possible to migrate). The applications must be tiered based on factors such as their business criticality and sensitivity of data.

3. Security controls – controls must be defined to operate effectively and be scalable to cover the firm’s specific information and data protection requirements. This is to ensure that reputational, financial and regulatory risks are mitigated. Cross border controls on data access and access to encryption keys are among the key points to consider.

Can you provide an overview of the emerging trend to standardise operational resilience?

Operational resilience has continued to evolve ever since the Bank of England coined the term a number of years ago. The UK regulators have very much taken the lead on the topic of operational resilience, and the discussion paper which was published by the PRA and the Bank of England last July has got a lot of positive attention from regulators and financial services globally. The European Banking Authority is also very closely aligned on the topic of operational resilience.

The trend that I see emerging is that the European regulators are all now moving mostly in the same direction towards guidance and regulations on operational resilience as it relates to critical business services. Additionally, the Basel Committee of Banking Supervisors has, as of December 2018, formed an operational resilience working group. I believe that this has been a result of the ongoing engagement from the Bank of England and the PRA with the key regulators who are members of the BCBS.

Even the regulators in the United States have stated that the priority is on the availability of critical business services, which is also broadly in alignment with the concepts of operational resilience. As we see impact tolerances and stress testing defined and rolled out by the UK regulator in 2019, I expect that we will see the same approach following shortly after, particularly from the regulators from the G20.

How do you see the impact of vendor and third party risk evolving over the next 6-12 months?

Over the next 6 to 12 months I expect that we will see increasing focus from the major global regulators on the third-party and vendor aspect of operational resilience and on the cloud service providers who are taking an increasing share of the regulated financial services firms.

As the cloud service providers are not regulated and are not considered financial market infrastructure providers as other firms are, I also expect that we will see an increasing focus on improved risk assessment and ongoing assurance of those firms.

For efficiency and consistency I also expect that we will see a rapid increase in shared assessments, shared audits and on-site reviews. I think that we will also see the development of improved global standards for third-party risk management in financial services, as there is no competitive advantage for any of the firms.