Transforming third-party risk management in financial services and insurance

As financial institutions and insurers in Europe navigate the complexities of 2025, third-party risk management (TPRM) is a critical focal point.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

Cyber resilience and sustainability are the two overarching strategic goals of ‘the next evolution’ of third-party risk management. Technology and data, and the linkage between them, sit at the heart of this transformative journey; most organisations agree on this interdependence and on the need for an integrated framework to manage the myriad risks they face. With increasing operational, technological and regulatory pressures, organisations must evolve their TPRM strategies to ensure resilience and compliance, not just to mitigate their own risk but to avoid systemic risk to the wider economy.

Financial institutions that integrate cyber resilience and sustainability with their pre-existing risk assessments in a single holistic framework benefit by breaking down silos while addressing current and forthcoming regulatory requirements.

Dun & Bradstreet’s Sara de la Torre (Head of Financial Services and Insurance) and Jay DePaul (Chief Cybersecurity & Technology Risk Officer) discussed the challenges and opportunities for the sector on a recent webinar with UK Finance’s Adam Avards, and gave practical recommendations on how to achieve an integrated third-party risk framework for operational resilience and ESG.

Why interconnected and holistic third-party risk management?

By viewing third-party risk within the broader context of enterprise risk management (ERM), organisations can enhance their ability to anticipate and mitigate risks effectively.

A unified approach allows for a clear, comprehensive view of risks across the organisation. By breaking down silos and aggregating data from multiple departments, firms can identify risks earlier and take pre-emptive action. 

While the regulatory focus today is largely on technology service providers, an interconnected strategy allows financial services organisations to build resilience across their entire supply chain. Considering this wider ecosystem is important: according to Marsh, 73 per cent of organisations have experienced significant disruption caused by a third party, whether a data breach or an ethical violation. Taking the whole ecosystem into account means firms can better anticipate disruptions and minimise cascading impacts.

Adopting this interconnected approach strengthens supplier relationships, fosters collaboration, and enhances the overall effectiveness of risk management strategies. It can even become a competitive advantage.

Challenges in third-party risk management today

Despite its benefits, third-party risk management remains fraught with challenges, especially as financial institutions deal with increasing complexity. During the webinar, we asked the question, ‘What is your biggest organisational challenge around third-party risk management?’ and attendees answered as follows:

[Figure: poll results from UK Finance's webinar on 21 January]

Next, when asked ‘Do you feel you have the right data to support third-party risk challenges?’, 0 per cent of the audience felt they had all the data they needed. Most had some data, but 20 per cent felt they didn’t have any relevant data to support their challenges today.

[Figure: poll results from UK Finance's webinar on 21 January]

Integrating ESG and cyber resilience into third-party risk management

To effectively integrate ESG into third-party risk management, financial institutions and insurers should follow these key recommendations:

  1. Enhance data quality: Consolidate and unify internal and external data for compliance, service providers, ESG, cyber risk and more across the organisation to ensure transparency and traceability. Implementing a master data management approach and partnering with a third-party data provider such as Dun & Bradstreet to clean and enrich information can help financial services organisations align global third-party risks with ESG goals and achieve a ‘single view of truth’ for each third party, accessible across the organisation.
  2. Adopt a holistic risk scoring model: Integrate this data into a unified risk-scoring methodology based on your risk policies. This provides a more comprehensive view of risks and supports better decision-making.
  3. Streamline processes: Create efficiencies by, for example, consolidating ESG, cybersecurity, and compliance questionnaires. Leverage technology to automate data management and collection, scoring, reporting, and risk monitoring – ideally all in one place. Work with a third-party data provider to find the information you need and monitor it on an ongoing basis with automated risk assessments.
  4. Foster collaboration: Treat suppliers as partners in ESG and resilience efforts, encouraging mutual growth and shared responsibility. Sharing knowledge is an ongoing exercise: it requires educating employees and vendors on best practices for sustainability and compliance, which fosters collective resilience.
  5. Promote global transparency: Develop frameworks that address risks across global supply chains. Ensure transparency and accountability to meet evolving regulatory and stakeholder expectations.