Evolving TPRM strategies to align with regulatory change and ensure security across supply chains

Maya Goethals, Director, Compliance and Risk Management, Bank of America Merrill Lynch

Below is an insight into what can be expected from Maya's session at Risk Evolve 2024.

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

How can TPRM strategies evolve to align with regulatory changes and ensure security across supply chains?

To adapt to regulatory changes and enhance security across supply chains, third-party risk management (TPRM) strategies must evolve by adopting a proactive and dynamic approach. Firstly, organizations need to establish robust frameworks that facilitate continuous monitoring of regulatory landscapes. This involves staying informed about changes in data protection laws, industry-specific regulations, and geopolitical developments that may impact the security landscape. By leveraging technology such as automated compliance tracking systems and threat intelligence platforms, companies can efficiently identify and assess the potential risks introduced by regulatory changes. Regularly updating policies and procedures to align with new requirements ensures that TPRM strategies remain effective and compliant.

Furthermore, collaboration and transparency are crucial elements in evolving TPRM strategies. Establishing strong partnerships with third-party vendors and fostering open communication channels allow organizations to share insights and collectively address emerging risks. This collaborative approach involves conducting regular risk assessments, including security audits and compliance checks, to ensure that vendors are also adapting to the evolving regulatory environment. Encouraging vendors to implement robust cybersecurity measures and providing resources for education and training helps create a more resilient supply chain. By integrating these elements into TPRM strategies, organizations can navigate regulatory changes more effectively and maintain a secure and compliant supply chain ecosystem.

What are the key approaches of the PRA and EBA to DORA, and how can organizations adapt their TPRM strategies accordingly?

The PRA, as a part of the Bank of England, focuses on ensuring the operational resilience of financial institutions in the UK. Its approach involves setting clear expectations for firms to identify their important business services, assess the potential risks, and establish effective strategies for mitigating disruptions. The PRA emphasizes a comprehensive understanding of the interdependencies within the financial ecosystem, requiring organizations to demonstrate not only technological resilience but also a holistic view of their operational processes.

On the other hand, the EBA, being a regulatory body for the European Union, aims to enhance the resilience of the financial sector across EU member states. The EBA’s approach to DORA involves developing guidelines for financial institutions to assess and manage risks associated with their digital operations, focusing on key areas such as cybersecurity, data integrity, and third-party dependencies. Organizations should adapt their TPRM strategies accordingly by aligning with the specific guidelines provided by the PRA and EBA. This includes incorporating thorough assessments of third-party vendors, emphasizing their cybersecurity measures, and ensuring compliance with the evolving regulatory landscape. Additionally, fostering transparency and collaboration with third-party vendors is essential, as it allows organizations to collectively address challenges related to digital operational resilience and automation in line with regulatory expectations. Regular updates to TPRM strategies based on the evolving guidance from the PRA and EBA will help organizations stay resilient in the face of digital transformation and technological advancements.

What steps should organizations take to develop consistent supervisory and risk assessment requirements for all outsourced activities in their TPRM strategy?

To establish consistent supervisory and risk assessment requirements for all outsourced activities in their TPRM strategy, organizations should first conduct a comprehensive inventory of all their outsourcing relationships. This involves identifying and categorizing the various third-party vendors involved in critical business functions. Once this inventory is in place, organizations can establish a standardized risk assessment framework that considers factors such as the criticality of outsourced activities, the sensitivity of data involved, and the potential impact on the overall business operations. Developing a consistent set of risk assessment criteria ensures that all third-party relationships are evaluated using a uniform approach, allowing for better comparability and prioritization of risks.

Furthermore, organizations should implement a robust supervisory framework that encompasses regular monitoring and auditing of third-party vendors. This involves defining clear performance metrics and Key Performance Indicators (KPIs) that align with the organization’s overall risk appetite and regulatory requirements. Regular assessments, audits, and reporting mechanisms should be established to ensure ongoing compliance and performance monitoring. Collaboration and communication channels between the organization and its vendors should be strengthened to facilitate information sharing and address emerging risks promptly. This proactive approach not only ensures consistency in supervision and risk assessment across all outsourced activities but also enhances the organization’s ability to adapt to changing regulatory landscapes and emerging threats in a dynamic business environment.

How can organizations address the heightened scrutiny of intergroup outsourcing arrangements?

Organizations can address the heightened scrutiny of intergroup outsourcing arrangements by implementing a robust governance framework and enhancing transparency in their processes. Firstly, it is crucial for organizations to establish clear policies and procedures governing intergroup outsourcing, ensuring compliance with relevant regulations and industry standards. Transparent communication with stakeholders is essential to demonstrate accountability and adherence to compliance standards. Implementing advanced monitoring and reporting mechanisms, along with regular risk assessments, helps organizations proactively identify and address potential issues within intergroup outsourcing arrangements. By fostering a culture of compliance, transparency, and accountability, organizations can navigate heightened scrutiny, building trust with stakeholders and regulators in the process.

What can financial institutions do to overcome the challenges of continuous monitoring of data capabilities to detect and respond to emerging risks?

Financial institutions can overcome the challenges of continuous monitoring of data capabilities to detect and respond to emerging risks by adopting advanced technologies and refining their risk management processes. Implementing real-time monitoring systems powered by artificial intelligence and machine learning enables institutions to analyze vast amounts of data promptly, identifying anomalies and potential risks in real time. Automation of routine tasks within the monitoring process enhances efficiency and allows resources to focus on more complex threat detection and response efforts. Additionally, financial institutions should regularly update their risk management frameworks to stay ahead of evolving threats, incorporating threat intelligence and conducting frequent assessments of their data security measures. Collaboration with industry peers and regulatory bodies can also provide valuable insights into emerging risks and best practices. By embracing a proactive, technology-driven approach and fostering a culture of continuous improvement, financial institutions can enhance their ability to monitor data capabilities effectively and respond promptly to emerging risks.