By Amit Lakhani, Head of Third Party Risk Management, CIB, BNP Paribas
Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?
I dedicated a decent time in academia pursuing my Masters In Computer Engineering (USA) and In Information Security at the prestigious Royal Holloway. I continued on the PhD in Information Security at Royal Holloway and then shifted my career Into consulting for the next 12 years with Accenture and KPMG. I joined BNP Paribas In 2018 heading their Third Party Risk Management (TPRM) division within the RISK function (second line of defence). Throughout I have been focussed on the operational risks to the business, right from their Identification, assessment, mitigation and remediation aspects. In the third party risk management space, my key focus currently Is on embedding and enhancing a standard risk management process globally for BNP Paribas’s Corporate and Institutional Banking Division. This Includes governance, service risk profiling, third party due diligence, risk decision and exit strategies. I am also Involved In the development of data analytics capabilities to support the overall TPRM process.
What, for you, are the benefits of attending a conference like Vendor and Third Party Risk Europe and what can attendees expect to learn from your session?
For me the fantastic networking, war stories, the lively environment and the energy that Vendor and Third Party Europe provides is second to none. This is my first time as a panelist and speaker but even as an audience member, I was impressed by the quality of discussions, the calibre of the participants and the rich content and learnings I could take away.
I am going to present a view of the approaches to the concentration risk analysis in my session and means to address over-concentration. The attendees can expect to go away with understanding of why concentration risk analysis is important for both internal and external arrangements and what are the mechanisms they can use to address if concentration risk becomes an issue.
In your opinion, how can we look to effectively understand local and global operation when limiting concentration risk across supply chain?
Any organisation that Is looking to understand their global and local operations has a responsibility to understand first, their overall supply chain (including but not limited to Internal and external, 4th party plus arrangements and criticality of services outsourced) and secondly to address a multitude of risks that the operations manifests. Concentration risks are a major Issue but only a part of the overall operational risks universe In this situation. By limiting the concentration risks, the organisation will be in a better position to manage any disruption due to supply chain Issues.
What are the key considerations that need to be made when avoiding the concentration in third part outsourcing?
In my view, the response to this question differs between the types of arrangements. In external arrangements, the key considerations include avoiding the outsourcing of majority or all of the critical processes, monitoring of the outsourced services and the third parties (negative news etc.) and ensuring a clear process In service reviews with vendors. For Internal arrangements, concentration is usually a Senior Management decision to setup service centres due to a number of reasons – proximity, cost-benefit analysis, cultural fit etc. It Is the risk analysis and assessment required at these Senior Management decision making governance setups that could help In eliminating or reducing the concentration risks.
What challenges and opportunities could arise from vendor failure?
Challenges that usually arise Include timing, search and finding the ‘fit for purpose’ vendor and vendor service, especially In a regulated environment. Opportunities Include Inclusion of certain contractual aspects such as right to audit clauses, privacy and data protection clauses; re-design the service provision to meet new requirements from the beneficiary and forming a partnership with new vendors to better serve the business.
How do you see the impact of Vendor and Third Party Risk evolving over the next 6-12 months?
In my view, the regulatory pressures on vendor and third party risk management are going to drive a number of changes in the next 6-12 months. The thematic focus on 4th Party + (the vendors that vendors rely on), senior management accountability for third party and vendor risks and the access and data protection by third parties and vendors will drive the key changes in this space.
