Third Party Vendor Risk Management: Why it Matters to Financial Institutions
28 September 2020
In light of the ongoing COVID-19 pandemic and the impact that the Coronavirus has had across the globe, now more than ever the financial services sector must focus its attention on operational resilience and risk management. Here, Rich Cooper outlines the key reasons why.
The Institute of Risk Management recently conducted a survey and found that 94% of the respondents believe the COVID-19 pandemic has actively strengthened the case for risk management. Moreover, 95% said they will assess the need to revisit their enterprise risk management framework and business continuity plan due to the pandemic. Part of this will also involve the evaluation of third party vendor risk.
What about risk management and third party vendor risk management specifically focused on financial institutions, though?
That sector plays a crucial role in ensuring global economic security and prosperity. Understandably, the industry is under constant pressure from regulators, with new regulatory obligations coming into play each year. Vendor or third party assessments are not only Best Practice in today’s regulatory playbook, but are also increasingly expected by regulators, business partners and customers alike.
The question then becomes: ‘What is Best Practice when it comes to third party vendor risk management for financial institutions?’
Third parties can amplify risks for financial institutions. Operational resilience for companies in the financial industry is the ability to continue operating, servicing customers and partners regardless of setbacks, barriers or limited resources. For financial services firms, resilience is absolutely vital, not only due to the interconnectivity of the industry, but also the value placed on reputation. Financial services firms must be resilient to continue succeeding as trustworthy institutions in the financial world, which is precisely why third party assessments are crucial.
The modern day financial institution is likely to outsource to third party vendors for a multitude of reasons, from a desire to expand its offer through to reducing costs. Depending on their size and offer, financial organisations can have hundreds of outsourced third parties. Each new vendor adds a dependency to the organisation's network, and with it additional risk. If the financial organisation fails to maintain oversight of third party activities, these vendors can cause substantial financial and reputational damage, regardless of their size or industry.
Managing vendor risk
When it comes to third party risk management, financial organisations must include several fundamentals within their plan.
There needs to be strong contract management, so that contracts are stored centrally and clearly set out the Service Level Agreements and the business relationship between the financial firm and the third party.
Vendor reviews are also hugely important in order to confirm that third parties can meet the regulatory obligations required by regulators and expected by partners and customers. The financial organisation should have a system in place to conduct these reviews on an ongoing basis rather than as one-off exercises, and should also conduct annual vendor risk assessments on all essential third parties.
Vendor profiles that are routinely updated offer a clear overview of all third parties currently connected with the financial institution. Also necessary are clear guidelines on the vendor's access to (and control of) sensitive information, as set out in the vendor contract.
Performance metrics verify that the quality of service and compliance meet the contractual agreements. The organisation's business resilience or risk team should regularly monitor and analyse these metrics.
Open communication with the vendors when it comes to testing, assessments and inclusion in the financial organisation’s crisis management plans will also be hugely important.
While it is not always possible to appoint one, a vendor relationship manager acts as the connection between the vendor and the business. This person owns the vendor relationship with respect to the services provided, as well as ongoing performance and compliance.
Impact of COVID-19
Has anything changed in a ‘post-COVID’ environment? The COVID-19 pandemic has proven that many organisations were ill-prepared for sudden changes to the workforce or business environment. In turn, third parties that were unable to cope with the pandemic duly disrupted the business processes of dependent organisations.
While third parties have always carried this potential risk, the sheer scale of the pandemic has placed an even greater emphasis on third party risk management in all industries, and especially in financial services. As firms learn from their shortcomings during the pandemic, increased investment in third party risk management programmes can be expected.
Further, investment in risk management technology helps firms verify that outsourced vendors have a business continuity and disaster recovery plan, and that the financial organisation can continue to service customers even in times of crisis. This is critical when it comes to maintaining customer and stakeholder trust.
Outsourcing has clear benefits for financial organisations from the efficiency and cost perspectives. However, firms must dedicate resources towards adequately vetting the vendors with whom they work and carefully construct a risk management plan to avoid future disruptions.
Proactive risk management will help organisations avoid exposing themselves to operational, regulatory, financial or reputational risk, while continuing to reap the benefits of working with third parties.
Rich Cooper is Principal of Financial Services at Fusion Risk Management