Third party risk management and banking

The last 18 months or so have served as a real-time stress test for the operational resilience plans, systems and processes of financial institutions and their supply chains. Clearly the efforts have broadly been successful, with no financial crises emerging during that time.

In some ways one might expect banks to be more resilient; they have long experience of digital processes that can be adapted for hybrid working models, their business models are based on maintaining their business reputation, and regulators keep a close eye on their operations.

However, institutions have been working hard to learn lessons from the last 18 months, in particular examining their third-party relationships and the risks they are exposed to through these. The Deloitte 2021 Third Party Risk Management (TPRM) survey reveals how hard they have been working on these. Based on fieldwork completed in late 2020 and early 2021, the research explores how companies in multiple economic sectors view the value of TPRM, how well their preparations have helped them recover from the challenges of the last 18 months, and what their priorities are for TPRM in the future.

The research rewards careful reading, but there are several standout points that detail how the financial services sector's view of TPRM is evolving in light of a range of initiatives that have taken place over the last 12 months.

Organisations in the financial services sector are generally further down the path of absorbing the lessons learnt compared with their non-financial peers. Almost half of respondents to the survey were still recovering from the operational impact of the pandemic, viewing it fundamentally as a business continuity issue. The balance, which largely included the financial services firms who responded, were better at learning from, and building on, the lessons of 2020 and 2021.

This is likely driven by two reasons. While all companies have supply chains, financial institutions often have suppliers of data and services who are based throughout the world. Moreover, their suppliers have typically provided high-value, time-sensitive information that must be provided regardless of commercial or operational challenges. Banks have had to be adept at managing their supply chain to ensure it continues to deliver "come what may". Another driver is the scale and scope of regulatory scrutiny, which is typically more extensive than that experienced by non-finance companies.

A common theme among all survey respondents was a desire to invest in the systems and processes that provide real-time TPRM risk intelligence and reporting. Despite being generally better prepared for TPRM than their peers, 54 per cent of financial institutions were looking to invest in this area, to enhance their advanced capabilities yet further. Financial firms were also significantly more likely to invest in tools and technology to enhance their TPRM capabilities.

The survey suggests that financial institutions are focusing efforts to address the key risks to which financial services businesses are uniquely exposed, namely cyber risk and the risks involved with engaging with suppliers who are geographically dispersed across the world. While banks themselves are well prepared for cyber resilience issues, ensuring that their suppliers are similarly prepared is vital to avoid disruption. The business model of many banks is to leverage skills and expertise across the globe, with the aid of third parties, to accelerate product and service development. This can expose institutions to myriad economic, social, political, and operational risks that they need to be aware of as part of a TPRM programme.

One interesting highlight of the research was that financial institutions also have a greater propensity to bring services in-house that were previously outsourced to third parties, compared with their non-finance peers. While there is a cost to this, increased scrutiny around resilience, among other issues, is compelling such firms to review more comprehensively which services are outsourced, and which need to be brought back in-house.

However, financial institutions need to stay competitive, so outsourcing will not be going away. Arguably outsourcing is likely to become more complex and more fluid, with multiple activities being outsourced while others are brought in-house at the same time. This change, alongside the greater regulatory scrutiny involved (companies will have to enhance their resilience, whether a service is insourced or outsourced, under the PRA's SS1/21 and SS2/12 operational resilience standards), partly explains the greater investment in technology.