Vendor & third party risk ongoing monitoring and assessment

By Alice Kelly, Head of Research and Production, CeFPro. 

Vendor and third party risk management is a maturing discipline across risk management and financial institutions. Many institutions are putting increased pressure and focus on the area, and allocating resources to further boost management, oversight and compliance. Although it is a relatively new discipline compared to areas such as credit and market risk, vendor and third party risk can pose as large a threat: a vendor breach can result in data loss and ultimately reputational damage, and the main responsibility falls upon the institution itself to conduct effective assessments and ongoing monitoring of all third parties.

The Center for Financial Professionals conducted extensive research with over 30 industry experts ahead of the Vendor & Third Party Risk EMEA event, taking place 13-14 June in London. The event will provide full results of the research study with a range of presentations, panel discussions and networking opportunities. Ahead of the event, below is a summary of the key areas of focus across the industry as highlighted by some of the leading professionals.

As with many risk disciplines, especially one evolving as rapidly as vendor and third party risk, regulatory expectations and preparation for them are a key area of focus and concern for many. Regulators globally have put increased pressure on vendor risk departments to increase security and accountability, ultimately to protect customers and their sensitive information. One of the main focus areas was understanding how to set up the business under these changes and the implications they could have internally. The changes themselves and their implementation were very rarely mentioned; they are considered a given. The broader implications for the business, however, are a key consideration. With vendor and third party risk still being a relatively immature process, resource and staffing allocation rarely match those of other disciplines, so vendor risk managers increasingly have to be very reactive to changes, often without the ability to pre-empt or prepare for what may be to come. This, alongside global disparity in regulatory requirements, increases pressure on the function, and incorporating jurisdictional deviations to the changes further strains constrained resources. The focus for vendor and third party risk professionals is to remain adaptable enough to incorporate regulatory expectations, which are often based on high-level principles, and to ensure timely compliance with limited resources.

“… to protect our customers number one, it’s not just compliance, it’s basically management to protect the customer first and foremost… Though having said that, the increase in all those demands over the last few years has created a huge amount of work, additional work on people that wasn’t part of their original roles.”

Alongside the regulatory requirements placed on financial institutions themselves come the regulatory requirements that vendors have to comply with, and the oversight requirements on financial institutions to ensure their vendors are compliant. With key areas coming up in 2018 including GDPR, it is a challenge for banks to ensure timely compliance internally while also ensuring that their vendors are compliant, particularly for areas like GDPR where the fines could prove fatal to some institutions.

“The banks are going to be in the hit for penalties, the banks have to set stricter controls themselves, but you might have signed a contract some years ago to do an activity or to deliver a service, that they see as an additional cost… they say ‘this is going to cost us more, so we’ll have to charge you for it,’ and unless you have a robust contract you might be in a bit of difficulty there you know.”

“They need to get more pro-active themselves, particularly around monitoring their own suppliers that could be critical to us. It’s very hard to get the evidence out of them because of the complex risk parties, we build it into our contracts but I think some of them still don’t have robust risk management practices, not to the standard that we would expect.”

Unsurprisingly, a key area of focus centred around cyber and information security, and ensuring that vendors and third parties are assessed and continually monitored throughout the life cycle so that they adhere to the same standards the institution applies internally. As mentioned, reputational impacts on financial institutions can result in unquantifiable damage, and accountability rests with the institutions to ensure they are protected. Alongside proactive management to ensure that cyber and information security events do not occur comes the need for business continuity and exit planning should an event occur. Financial institutions need to see a robust continuity plan from their vendors to resume services and, if services cannot be resumed, a plan for how to exit the relationship with minimal impact on the institution and its customers.

“So, in terms of cyber and defence against cyber I think again it extends the fact that it’s not just your own it’s your suppliers cyber resilience as well that’s important, and disaster recovery in connection to that. It’s just the way that people think differently about cyber, it’s not question of waiting for a problem to happen, it’s almost being ready to sort of press the button the moment you become aware of anything, going into defence mode sort of thing.”

“…New cyber threats, new ways of you know, there’s lots of ways evolving in the marketplace, there’s new apps, new websites, new propositions, and there’s always going to be vulnerabilities there, but when do you feel comfortable to go live with these, how do you place for such things, do you have proper testing measures in place, to make sure that you can potentially identify these threats. And ultimately a lot of it boils down to people, you know how good are your people?”

Finally, a third area of heightened focus across the industry, which ultimately encapsulates the topics above, is that of effective due diligence and ongoing assurance. Many mentioned the frequency and requirements of due diligence practices and ongoing monitoring activities, and the lack of a unified approach to this across the industry. The focus is moving towards efficiency: undertaking assessments throughout the life cycle in an efficient manner to ensure annual coverage. Assessment and governance of vendors from any perspective is time and resource intensive, and while time and resources are often lacking, expectations remain. With increased pressure to ensure effective oversight and monitoring of vendors from multiple perspectives (including the regulatory and cyber perspectives mentioned above), it is increasingly important that departments are aligned internally to ensure a unified approach to end-to-end governance, diligence and monitoring.

“…My main concern is, is it consistent throughout the life-cycle, whether it is pre-contract or post contract, it’s all about whether you can undertake an adequate assessment of your supplier, using automation third-party information, rather than having a team of people that go out and visit suppliers on a regular basis.”

“If you’re doing due diligence of a critical supplier, and you go and visit them on site, how in depth, how much time can you really spend there to know whether or not that supplier is doing all of the things that they say they are doing. In terms of the operational MI which is how they are delivering the service, in line with how you want it to be done and in a controlled way.”

One area within ongoing monitoring and assurance should be concentration risk: institutions should not only monitor their vendors’ capabilities but also ensure that there is not an over-reliance across the industry on one vendor. To take that a step further, they must also consider vendor outsourcing with the same theory in mind, ensuring that there is no concentration risk from too many vendors relying on the same fourth party.

“If you have the entire industry using one party, and that party goes, you’ve suddenly got a large percentage of the industry trying to find someone to cover them. Or trying to manage it… it’s not just concentration, it’s about the quality of service, loss of key staff, too fast an expansion. All of those things are things that you’d be monitoring as part of your service review meetings, and also by your due diligence.”

“You’ve got certain companies that provide a lot of archive data management for example, then it tends to go through the same few suppliers, who do that sort of thing. So, you know if you had a disaster at one of those businesses you might lose an awful lot of data, I know they’ve got their own disaster stuff.”

“The regulator gets anxious when they see like ten of the top twelve people are using the same supplier, because you’ve got more of a market risk than if something goes wrong with that supplier, or they fail financially or systems-wise, with cyber-security being what it is at the moment, such a hot topic. You know the regulator gets more involved and more concerned about that sort of concentration risk.”

The above is a summary of just a few of the key areas highlighted as pertinent topics within the vendor and third party risk space across Europe. There is increased pressure on vendor risk professionals from both a regulatory and an efficiency perspective. The threat landscape from a cyber and information security standpoint is continually evolving, and often those with little cyber expertise are managing vendor assessments and questionnaire results; the role of the vendor risk professional is becoming increasingly diverse.

The Center for Financial Professionals would like to invite you to join your peers on June 13-14 in London for the 3rd Annual Vendor & Third Party Risk EMEA. Join like-minded professionals as we review evolving processes for management, oversight and compliance.
