Ciaran Hosty

The need for effective third-party risk management


The rising number of disruptions and third-party failures has concentrated the attention of businesses and regulators. Covid-19 has been a real-life test of operational resilience and has highlighted just how important it is to identify, understand and document third-party dependencies, and to manage the risks arising from outsourcing and sub-outsourcing arrangements, even when those arrangements lie outside the direct regulatory perimeter.


As the delivery of important business services is increasingly supported by third parties, the approach to operational resilience must apply to the entire extended enterprise, not just to the firm itself. Because firms now rely on third parties to deliver an array of technology and business services, there is a growing recognition of the need for stronger third-party risk management as part of a wider operational resilience framework.


In our recent research conducted jointly with Crowe, we surveyed firms in the financial services industry to obtain their views on all aspects of operational resilience, including their approach to third-party risk.


Most firms ranked third-party risk among the top five areas of focus within their operational resilience programmes. Furthermore, 57% of the firms surveyed recognised the need to develop third-party risk management further or to apply it more consistently.


A smaller, but significant, proportion of firms (39%) felt confident that they had identified alternative processing arrangements or extraordinary workarounds for their critical suppliers.


Previous research conducted by ORIC International highlighted the value of establishing a common standard for third-party risk management. However, until recently a lack of detail in regulatory guidelines made it difficult for firms to understand regulators’ expectations in less well documented areas, such as cyber risk.


There is now more clarity on third-party regulation, as provided in the PRA’s (Prudential Regulation Authority’s) paper on outsourcing and third-party risk management. Our survey showed that half of firms felt they had a good understanding of the changes required to meet future regulatory expectations in respect of outsourcing, and had plans in place to address gaps.


Proposals set out in the new guidelines include an expectation that firms notify the regulator when entering into, or significantly changing, a material outsourcing arrangement. The guidelines also require firms to consider proportionality (the size and complexity of the firm or group) and materiality (the potential impact of the outsourcing arrangement on the firm, including on its operational resilience).


For further detail on the new PRA guidelines, and to receive a copy of our whitepaper on operational resilience, please contact us at enquiries@oricinternational.com.

© 2020 by ORIC International
