05 Jan 2018
Over the past decade risk management has become an increasingly large part of the operating model for financial institutions around the world in the face of enhanced regulatory scrutiny, evolving customer expectations and the unprecedented pace of technological advancement.
Managing third-party risk is particularly challenging as it puts pressure on financial institutions to account for how other companies and providers are using and protecting their data and managing sustainable operations.
In the current environment, effective third party risk management (TPRM) is about more than just keeping on the right side of regulators.
It provides an opportunity for financial institutions to create business value while better managing risks now and into the future.
Having a strategic TPRM function in place can not only help financial institutions reduce operating costs but also lay the groundwork for building deeper, trusted relationships with customers – ultimately delivering a strong competitive advantage.
In a heartening result, EY’s 2018 Global Financial Services Third Party Risk Management Survey showed most financial institutions globally have made significant upgrades and enhancements to the governance and oversight of this critical function.
While many financial institutions are continuing to adjust the scope and structure of their risk-management functions, overall there has been an encouraging maturation of third-party programs.
We are seeing more organisations enhancing reporting processes and engaging senior management in third-party risk management.
The survey also found banks - generally subject to a higher level of regulatory scrutiny - tended to have more well-established, mature and robust TPRM programs than insurers and asset managers.
However, challenges persist, particularly around technology integration across the entire end-to-end third-party life cycle.
In fact, almost all financial institutions surveyed (96 per cent) said they had not yet reached the optimised level of technology integration and 81 per cent were either negative or neutral about how well their technology integrates and captures risk for reporting.
The survey also showed 89 per cent of financial institutions’ third-party inventories still require manual updates when a new service is added.
It’s unsurprising, then, that six out of ten firms are planning to spend more on TPRM technology enablement in 2018 (up from five out of ten in 2016), as they work to improve the level of integration.
The centralisation of the TPRM function continues to increase, with 57 per cent of financial institutions now having a centralised structure, compared to 45 per cent in 2016.
However, there is still no clear consensus as to who owns the program. Just over a third (37 per cent) of organisations said primary ownership of TPRM resides within the procurement function, but business lines (19 per cent), operational risk (17 per cent), enterprise risk (13 per cent) and information security (6 per cent) also came up as program owners.
Effective TPRM reporting provides transparency and accountability and can drive valuable conversations with senior management.
Four in five financial institutions found reporting on critical third parties could be done on demand; however, reporting on other aspects of the TPRM program could take upwards of a week.
While senior management remains heavily engaged in TPRM reporting, the survey found the information was not necessarily making its way to the board level.
Critical third-party information is only escalated to the board of directors at 41 per cent of financial institutions, and just 26 per cent of organisations report TPRM breaches and incidents to the board.
Tracking fourth parties also remains a major challenge for financial institutions. In fact, 60 per cent of the organisations which identify fourth parties do not currently maintain an inventory of those parties for monitoring and governance purposes.
Nearly three-quarters (74 per cent) also said fourth-party concentration would either be extremely challenging to report on or they could not report on it at all.
Almost all financial institutions which identify and monitor fourth parties take an indirect approach to performance due diligence, with 80 per cent relying on third parties to monitor and assess them.
Only 15 per cent independently review fourth parties, while 28 per cent do not assess or monitor fourth parties at all.
This heavy reliance and lack of keen focus on fourth parties creates significant potential risks for financial institutions including concentration risk, critical failure points and data leakage beyond the fourth party level.
As the complexity of managing third- and fourth-party risk continues to increase, financial institutions could benefit from five key health checks:
Tim Dring is the EY Oceania Banking and Capital Markets Leader
The views expressed in this article are the views of the author, not Ernst & Young. This article provides general information, does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Liability limited by a scheme approved under Professional Standards Legislation.
The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.