The development of third party risk management practices

The management of third parties and the inherent risk that they can bring into the organization has become an increasingly important and complex activity. Just how do you manage thousands of third parties and potentially millions of transactions? And you need to do this whilst keeping the organization compliant and ahead of the regulators, protecting your reputation and your bottom line. This report found that there are at least 69 different regulators operating around the world, and every one of them is scrutinizing your organization and your third party and vendor management programs!

One key theme is the lack of maturity in third party risk management across many organizations, save for the largest firms and those in banking.   This is evidenced by the self-reported standard of their existing program and supported by the general lack of focus with regard to the factors driving their programs, the diversity of disciplines responsible for managing the area and the overall lack of investment in third party risk management programs. Just over half of the respondents report an expected increase in budget in the next 12 months, despite their recognised program immaturity!

Banking emerged as the more mature industry in comparison to the other sectors within financial services, which were primarily made up of Insurance and Asset Management. This study found that banks are more likely to be running more mature programs that display sophisticated characteristics, but there is still a lot of room for improvement. At the upper end of the spectrum, these programs are defined by processes that emphasize system feedback and improvement, utilizing processes that are reported as formal, measured and controlled. Furthermore, the most mature programs are characterized by factors such as the bespoke application of risk matrices to determine vendor risk profiles.

The primary goal of the third party and vendor risk management program is protection. However we are also witnessing the emergence of a more dynamic view of third party risk management, where improved controls and better management are part of a proactive, value-generating strategy. This appears to be associated with the more mature third party risk management programs.

It is noteworthy that firms operating across multiple jurisdictions face an increasingly complex environment, as they must meet the challenge of multiple regulators and different regional demands. In fact, respondents in larger firms are twice as likely to be engaging with third parties in territories such as Africa, the Middle East and Asia when compared to their smaller counterparts. The SEC is the number one regulator in this space, followed by FINRA, with the FDIC running a close third, although they are less relevant to smaller companies (less than 500 employees). The OCC is most relevant to the largest firms (those employing over 5,000) and especially those in the banking sector.

When it came to budgets, banks are more prudent about any estimated increases in spend, with the majority anticipating they will increase spend by less than 10% in the next 12 months. Smaller firms are most likely to report significant budget increases and are playing catch up with the application of programs to meet the regulations. Unsurprisingly therefore, the firms predicting to increase spend by the most, were also found to be those that are reporting sensitivity to the highest number of risks.

Find out more about MyComplianceOffice and their vendor risk thought leadership here

Attend our Vendor and Third Party Risk Series