7 Elements of an Effective Third-Party Risk Management and Governance Framework for Financial Services Providers

The increasing complexity of functions in the financial services sector necessitates specialization. This, in turn, has given rise to large-scale outsourcing and partnering by banking, insurance, and financial service providers to a growing number of third parties.

According to the 2021 World Retail Banking Report, banks are rethinking IT spending priorities by outsourcing up to 45% of mid- and back-office operations to third-party suppliers.

The largest financial services providers can have upwards of 50,000 third parties (suppliers, affiliates, partners, etc.). While financial institutions typically have defined processes (often with little or no automation) for managing their most significant suppliers, those suppliers make up only a small percentage of the complete third-party ecosystem.

This poses a considerable risk because regulatory bodies such as the Office of the Comptroller of the Currency (OCC), the Accounting and Corporate Regulatory Authority (ACRA), the Federal Reserve Bank (FRB), and others hold financial institutions responsible for the actions of their third-party vendors and suppliers.

In 2020, a leading financial services enterprise was fined a Civil Money Penalty of $80 million by the Office of the Comptroller of the Currency (OCC) for “failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner”.

To capitalize on the potential benefits and mitigate the risks involved with these extensive and sophisticated third-party networks, financial enterprises must have a robust and comprehensive supplier risk management and governance framework, enabled by a powerful and adaptable software platform.

The seven key elements that lead to success with a supplier risk management and governance platform implementation are as follows:

Organization-wide Third-Party Inventory

The only way to effectively manage, assess and mitigate risk is by inventorying the third-party ecosystem the financial enterprise does business with. However, this is easier said than done as most business units work in silos and may have different ways of tracking and governing third parties. This makes it difficult to collate an organization-wide inventory of the third-party ecosystem with all the risks associated with the third parties in the ecosystem.

According to the Office of the Comptroller of the Currency (OCC), the term “third-party” includes “all entities that have entered into a business relationship” with the financial institution.

This means that the only way to mitigate the risk involved with the third-party ecosystem is to have an organization-wide inventory of non-customer entities like Suppliers, Channel Partners, Affiliates, Joint Ventures, and other relationships, including their multiple legal entities, services/products provided, regions served, etc. and the relationship between such parties.

Risk-based Third-Party Segmentation Process and Effective Ongoing Risk Assessment and Mitigation

A well-defined segmentation of the third-party ecosystem is crucial for financial services providers. Segmentation can be as simple as categorizing third-party vendors as tier 1, tier 2, and tier 3 based on the level of risk involved. The organization can apply risk scoring and auditable due-diligence assessments across multiple dimensions such as location, IT/cyber risk, privacy, operational competency, reputation, financial crime, and more.

Next, the financial institution should run ongoing risk assessments and due-diligence questionnaires, backed by tracking and mitigation processes that capture inherent, assessed, and residual risk, define minimum and target risk thresholds, track risk mitigation activities, and reduce the risk score only when those activities have been verifiably completed.
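As an added illustration of the scoring and tiering model described above (example code, not part of the original article or any Enlighta product): a third party carries an inherent score per risk dimension, the worst dimension sets its tier, and only completed mitigation actions lower the residual score, which is then compared against the target threshold. The 1-to-5 scale, the tier cut-offs, and the sample vendor are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Risk dimensions named in the text. Scores are on a 1 (low) to 5 (critical) scale;
# the scale, tier cut-offs and sample data below are assumptions for this example.
DIMENSIONS = ("location", "cyber", "privacy", "operational", "reputation", "financial_crime")
SCORE_MIN, SCORE_MAX = 1.0, 5.0
TIER_CUTOFFS = ((4.0, 1), (2.5, 2))  # inherent >= 4.0 -> tier 1, >= 2.5 -> tier 2, else tier 3


@dataclass
class Mitigation:
    dimension: str
    reduction: float          # how much the dimension score drops once the action is done
    completed: bool = False   # only completed (evidenced) actions reduce residual risk


@dataclass
class ThirdParty:
    name: str
    inherent: dict            # dimension -> inherent score before any controls
    target_residual: float    # threshold the residual score must not exceed
    mitigations: list = field(default_factory=list)

    def __post_init__(self):
        missing = set(DIMENSIONS) - set(self.inherent)
        if missing:
            raise ValueError(f"{self.name}: missing dimensions {sorted(missing)}")
        for dim, score in self.inherent.items():
            if dim not in DIMENSIONS or not SCORE_MIN <= score <= SCORE_MAX:
                raise ValueError(f"{self.name}: bad inherent score {dim}={score}")


def inherent_score(tp):
    # The single worst dimension drives the score: averaging would let a critical
    # cyber rating be masked by five benign ones.
    return max(tp.inherent.values())


def tier_for(inherent):
    for cutoff, tier in TIER_CUTOFFS:
        if inherent >= cutoff:
            return tier
    return 3


def residual_scores(tp):
    residual = dict(tp.inherent)
    for m in tp.mitigations:
        if m.dimension not in residual:
            raise ValueError(f"{tp.name}: mitigation targets unknown dimension {m.dimension!r}")
        if m.completed:
            residual[m.dimension] = max(SCORE_MIN, residual[m.dimension] - m.reduction)
    return residual


def assess(tp):
    inherent = inherent_score(tp)
    residual = max(residual_scores(tp).values())
    return {
        "name": tp.name,
        # Tier is fixed by inherent risk, so completing mitigations lowers the
        # residual score but never drops the supplier out of the oversight tier.
        "tier": tier_for(inherent),
        "inherent": inherent,
        "residual": residual,
        "meets_target": residual <= tp.target_residual,
        "open_mitigations": sum(1 for m in tp.mitigations if not m.completed),
    }


def sample_vendor():
    # Constructed example: a cloud hosting supplier with a critical cyber rating.
    return ThirdParty(
        name="example-cloud-hosting",
        inherent={"location": 2, "cyber": 5, "privacy": 4, "operational": 3,
                  "reputation": 2, "financial_crime": 1},
        target_residual=3.0,
        mitigations=[
            Mitigation("cyber", 1.5, completed=True),     # SOC 2 report reviewed
            Mitigation("cyber", 1.0, completed=False),    # pen-test findings still open
            Mitigation("privacy", 1.0, completed=True),   # data processing agreement signed
        ],
    )


if __name__ == "__main__":
    print(assess(sample_vendor()))
```

Two design choices matter here. The tier is derived from inherent risk rather than residual risk, so a supplier cannot "mitigate its way" out of tier 1 oversight; and a mitigation only reduces the score once it is marked completed, which in practice should mean evidence has been reviewed, not merely a questionnaire answer received.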

A holistic view of Third-Parties

For financial enterprises to fully understand their third-party ecosystem, they need a holistic view of their suppliers, especially the tier 1 and tier 2 third parties, with key data points such as ESR (Environment and Social Risk), analyst ratings, adverse events, corporate financials, etc. The organization should be able to aggregate third-party data from multiple sources, keep it updated, and visualize it on dashboards for both a high-level overview and drill-down analysis.

Having a complete overview of the crucial data of the third-party ecosystem enables the enterprise to monitor, assess and mitigate risks quickly.

Inventory of Third-Party Contracts or Arrangements

Financial services providers can ensure that their third-party ecosystem complies with regulations, policies, and contractual obligations by keeping a single repository of all third-party contracts and arrangements. This inventory needs to be comprehensive: the firm should be able to track and manage contracts and service agreements/SOWs, contract versions, critical contract metadata, interpretations, amendments, work orders, and pricing details (including discounts), as well as key terms such as insurance, termination, and warranty. It should also let vendor and contract managers easily search and access key data such as total value and expiry dates, and remind them of upcoming expiry and renewal dates.

Financial services providers should also be able to automate the approval process for contract changes such as amendments and for operational changes such as revised SLA thresholds, with automatic reminders to the stakeholders involved.

Robust Compliance Tracking

Financial services providers need precise compliance mechanisms to track and trace binding contractual obligations and deliverables throughout the contract lifecycle. This ensures that deliverables are met and that value is realized as initially agreed by both parties. In addition, the organization should have obligation traceability to track and monitor the policies, procedures, clauses, and stakeholders tied to each obligation, and the ability to automate the acceptance of obligations and deliverables through workflows.

By doing this, financial services providers can ensure that the third-party ecosystem adheres to the applicable regulations and contractual terms, and gain better control over contractual obligations, compliance, performance management, risk management, and overall third-party supplier governance.

Supplier Performance Management

Financial enterprises need a system to measure, analyze, and manage third-party supplier performance in order to improve service, cut costs, and mitigate risks. For example, the organization can use supplier scorecards to rate suppliers on key parameters such as operational performance, compliance, financials, and pricing. In addition, it can track, measure, and manage SLAs, SLA versions, supplier issues, assessments, service credits and earn-backs, and more.

This reduces risk, improves coordination between suppliers and the organization, and enables both to operate seamlessly through an automated process.

Supplier Relationship Management

With a robust Third-Party Risk Management and Supplier Governance system, an organization can easily set up workflows that automate collaboration with its suppliers. This also allows both parties to communicate policy updates, track issues and action items, and automate approval processes to reduce friction in communication.

Financial institutions can ensure that they have complete control over their compliance and risk management initiatives with a system that is easily accessible, contains all essential data for both parties, has built-in supplier communication tools, and offers trackable communication & approval processes.

Enlighta empowers financial institutions to have auditable oversight of performance & compliance with third-party contracts and enables strategic supplier governance and third-party supplier risk monitoring.

Unlike point solutions, Enlighta addresses all facets of an effective TPRM and Supplier Governance framework, including performance management, contract compliance, third-party risk monitoring, compliance attestation, and more. In addition, Enlighta integrates with leading GRC and Contract Lifecycle Management tools.
