The time is now to adopt a standard, globally recognised cloud assessment methodology - part two

Following on from Part One, which discussed the regulatory and firm position, this blog post looks deeper into the current state of third-party risk management.

Part Two: The Benefit Of Adoption

Today, third-party risk management practices vary significantly across the financial services industry, partly due to organisational differences, but also because of a broader absence of commonly observed best practices. This lack of a simple and comprehensive approach to gathering and validating third-party risk assessment information has resulted in financial institutions and third parties spending valuable resources requesting, providing and validating assessment information in an inefficient and duplicative manner.

The burden on businesses that serve the financial services industry is particularly high. These companies receive hundreds (in some cases thousands) of duplicative requests for information on an annual basis, requiring a major investment in time and capital to respond. With limited resources to handle these complex due diligence requirements, vendors may find it hard to respond comprehensively to all requests, which can result in potentially incomplete risk data. More importantly, they can end up diverting precious resources to redundant documentation rather than actually managing and mitigating risk.

The Benefits of Standardised Cloud Assessments

To better meet the growing challenges of managing vendor risk, institutions should collaborate on a consistent set of standards for assessing third parties, one that is built on the best practices of the industry. By ensuring the same high standards are being met across the board, a standardised, best-practices approach simplifies and streamlines the third-party risk assessment process for financial institutions and their vendors alike.

The benefits of such a holistic, standardised approach are significant for everyone in the financial industry. For the risk practitioners, a standardised approach would enhance the quality and depth of their third-party risk assessments, enabling them to make more informed decisions on how to evaluate and mitigate risk. For the leaders of financial institutions, standardisation would create operational efficiency, resulting in direct cost savings or reallocation of capital to mitigating and managing risk rather than chasing third parties to collect data. Equally important, by participating in the creation and management of these best-practices standards, financial institutions will be engaging with peers, and staying ahead of regulatory and other trends across the industry.

For the third parties who serve the financial industry, such standardised assessment practices would alleviate the strain on resources by establishing consistent expectations, and reduce the time spent responding to individual questionnaires and requests. The consistency of assessment requirements across the financial services industry would also enable them to streamline their client acquisition and relationship management processes and deliver a higher level of responsiveness and services to their clients. 

For cloud service providers, this approach is particularly compelling and appropriate. While often described as vendors, cloud service providers are arguably more accurately described as partners in an institution's information technology evolutionary journey. The relationship between a third-party cloud provider and the industry customers who use it is not a static one, but instead a relationship with shared responsibilities and usually an expectation of growth and flexibility. The cloud service provider space in this regard is unlike other third-party vendor relationships of the past. The benefit of moving infrastructure, platform, and software capabilities to the cloud is the opportunity for institutions to become more efficient and adaptable, all while ensuring access to the most leading-edge technology advancements available. With such a dynamic customer-provider relationship, it stands to reason that the way in which cloud services are assessed for risk needs to reflect a similar elasticity and dynamism.

Standardising Risk Assessment: A Win-Win for All

Bringing together industry participants and harnessing their collective expertise to develop a single global standard for third-party risk assessment ensures that high standards are consistently met. Such a standardised, globally recognised assessment methodology can deliver real benefits for all parties involved, enabling us to focus on the real task at hand - managing and mitigating risk.