Meeting the challenges of third-party risk

Third parties are integral to business, helping to reduce cost and improve agility. But as the services they provide become broader in scope, the associated risks have become more complex.

Historically, firms outsourced non-core competencies such as call centres or IT support desks. However, many now default to third parties for essential business activity, reducing the need for in-house capability but increasing third-party dependence. This is particularly true for technology such as cloud and data services, where subscription models can deliver responsive, affordable and scalable services to support customer needs. As the extended enterprise now includes a larger number of third parties, and supply chains are often longer, effective oversight is more important than ever - and regulators are taking note.

So what are the current concerns for third-party risk management, and why are they a priority now?

Operational resilience
Many financial institutions are implementing operational resilience frameworks, which consider service outages from the perspective of the client rather than the business. Working on the assumption that outages will happen, firms must take steps to prevent financial harm by identifying critical services, mapping supporting processes and maintaining impact tolerance levels. This has immediate implications for third-party risk across the extended enterprise, and firms need a plan to recover from outages, including alternatives to critical suppliers.

Establishing appropriate service level agreements with each third party will help manage impact tolerances, supported by effective crisis management and resilience scenarios to enable recovery during an outage. Concentration risk is also a key concern, particularly in niche areas, and it is important to consider where the business sits in a third party's client priority list.

Cyber security
Concentration risk is also an issue for cyber security: third parties are often targeted by criminals because a single compromise can offer access to multiple clients. Good cyber practices can reduce the risk, including following National Institute of Standards and Technology (NIST) guidelines, maintaining appropriate permissions and enforcing effective patch policies. However, that is not always enough, and zero-day exploits are particularly challenging because there is no precedent and no immediate patch.

Cyber breaches can cause data leaks, with hefty fines under the General Data Protection Regulation (GDPR). Effective data management and governance are crucial, ensuring information is stored, archived or deleted appropriately and limiting the impact of a breach. It is also important to consider where third parties are handling, managing and storing data.

Cloud
Cloud services are increasingly popular for storage, infrastructure and software as a service. Moving these capabilities off-premises creates a new dynamic for risk management, and many providers carry third-party risks of their own. As such, it is important to consider fourth-party risk and beyond, to understand weaknesses across the whole supply chain. While each additional layer reduces oversight, the risk profile also changes. For example, third parties may present data access risk, while a fourth party may carry greater risk of service outages.

Managing third-party risk
Covid-19 has brought third-party risk to the fore, with outsourced providers facing the same challenges as their clients. As continuity plans were actioned, third parties supported remote working and enabled many businesses to continue their services. Lessons learned from the pandemic, combined with operational resilience and other outsourcing guidance, will shape the future of third-party risk management.