By Roxane Romulus, MBA, Director, Third Party Risk Management, Voya Financial
Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?
I’d like to think I took an unconventional path into the world of third-party risk management (TPRM). I had the advantage of getting into the TPRM space in 2014, a year after OCC Bulletin 2013-29 released guidance to banks for assessing and managing risks associated with third-party relationships. I had been a 10-year communications and training executive at the time and jumped on the opportunity to message the importance of TPRM to the employees of the large regional bank I was working for. Through that process, I learned the importance of understanding an organization’s outsourcing strategy and tying that to the future direction of the company. Over time, I had the opportunity to manage my own portfolio of third-party vendors in the Information Security and Operations space. After five years, and several roles in the TPRM space, my passion for TPRM continues to grow.
I now have the honor of being part of Voya Financial. Voya shares my strong commitment to third-party risk management, communications and training. You can have the greatest documented TPRM program in the world, but if your employees don’t understand its importance to the company’s growth, then you have real challenges. The key is to go beyond the stick of regulation and tie these efforts to the company’s strategic objectives. As TPRM Director, I will be working to build a best-in-class third-party risk management program and to create a seamless workflow for our internal partners, including the chief information security officer as well as the Strategic Sourcing, Compliance, Operational Risk, Enterprise Security and Business Resilience teams.
In your opinion, how can we look to effectively aggregate reporting systems across multiple systems and jurisdictions?
In my experience, the first question to ask is how many systems currently support your TPRM processes, and do they talk to each other? I’ve seen TPRM programs at all stages, from no system of record, no reporting and risk assessments completed in Microsoft Excel. If you 1) don’t have any systems in place or 2) your systems don’t talk to each other, reporting will be virtually impossible. You need to get a handle on your data set, and the best way to do that is to make better use of technology to enable your TPRM efforts.
Understanding the data is the key to better risk detection and opportunity identification, and it all depends on the maturity of your program. Do you have a centralized view of your vendor inventory? Have you developed a risk modeling approach that covers the full inventory? Are you able to check the quality and measure the performance you expect from your vendors? Once you have the foundational elements of your program in place, and your organization has a coordinated, disciplined approach to risk assessment and monitoring practices, you can begin to aggregate your data to create a sustainable approach to reporting at the business unit level all the way up to the Board.
What are the key considerations that need to be made when reporting minimum requirements based on global regulations?
TPRM is a highly regulated area with specific requirements and guidelines that can cross many different countries. It can be challenging not only to identify upcoming regulations that may impact your organization but also to develop a solid roadmap to ensure on-time implementation. Consider performing a regulatory compliance check on your current TPRM program, then perform an impact assessment for upcoming regulations. To sustain this, you’ll need to establish a regulatory change governance process to monitor and track new and changing regulations on an ongoing basis.
What challenges and opportunities could firms face when collecting data across systems?
I think many companies need to invest more in TPRM technology. The timing is right to make a play for greater technology investments that enable better risk reporting. We are in an era where there are tools to help automatically score risk, automate data quality efforts and enable access to industry data at the click of a button. Automation will help to create the system linkages and data aggregation needed to report on third-party risks in a more timely manner.
How do you see the impact of outsourcing evolving over the next 6-12 months?
As companies continue to shift a significant part of their operations to outsourcing and fintechs, third parties will continue to increase organizations’ operational risk exposure. The more we outsource, the more we lose direct control of the activity performed by the third party. We will see the need for increased integration of third-party risk reporting into the operational risk framework to get a full picture of an organization’s most critical operational risks.