An Introductory Guide to Third-Party Risk Management

An Introduction to Third-Party Risk Management

Risk management is the continuing process of identifying, analyzing, evaluating, and treating loss exposures and monitoring risk controls and resources to mitigate the adverse effects of loss.

But third-party risk management isn’t just a subfield of the broader category of risk management. Third-party risk management (TPRM), as this guide will argue, is its own distinct discipline.

Entities will do well to understand TPRM in its complexity, which can be accomplished by reading this guide that (1) provides better comprehension of third-party risk, (2) lays out the rationale for adopting TPRM procedures now, and (3) articulates certain third-party risk management best practices as they’ve been advanced by analysts and regulators in the field.

Understanding third-party risk

Third-party risk management is multi-faceted because third-party risk is so complex, particularly in the cybersecurity, compliance, and finance arenas. In fact, third-party risks are just as prevalent and varied as internal risksⁱ . But tied up as they are with another entity’s actions, operations, and processes, third-party risks tend to be more unpredictable.

But what’s third-party risk, exactly? It’s the potential risk that arises from organizations relying on outside parties to perform services or activities on their behalf.

Third-party risk is particularly keen when the services or activities in question constitute material business activities, defined in the statutesⁱⁱ as those activities that have the potential, if disrupted, to have a significant impact on an organization’s business operations or the ability of that organization to manage its risks effectively, having regard to such factors as:

• The financial and operational impact and impact on reputation of a failure of the service provider to perform over a given period of time

• Cost of the outsourcing arrangement as a share of total costs

• Degree of difficulty, including the time taken, in finding an alternative service provider or bringing the business activity in-house

• Ability of the entity to meet regulatory requirements if there are problems with the service provider

• Potential losses to the entity’s customers and other affected parties in the event of a service provider failure

• Affiliation or other relationship between entity and the service provider

Why third-party risk management now?

So, why the focus on third-party risk in the first place? As Deloitte notes, companies have become more reliant than ever on third-party vendors. In fact, “the use of third-party vendors has increased exponentially”ⁱⁱⁱ.

Nor is it just a matter of the quantity of vendors, it’s the kind and quality of services provided, as well. Where formerly third-party vendors were seen as cost savings and efficiency boosters, handled by Procurement, they’ve now become central to how businesses operate – “many companies even outsource core functions”^iv.

The implication, though, is when vendor incidents happen, they quickly cascade into reputational crises for the organization by compromising material business activities.

Further, the pool of vendors organizations rely upon is also shrinking, according to a Deloitte Global Survey taken last year^v . This has had the effect of introducing further risk due to the concentration of critical dependencies in the hands of a few providers.

Are organizations dealing with third-party risk?

Are organizations prepared or third-party incidents as their risk accumulates?

The short answer is the pre-COVID work many organizations did to build up business continuity and disaster recovery plans for their third-party networks hasn’t been able to keep pace with the profound shift in the risk environment ushered in by the pandemic.

We can describe that shift this way.

COVID precipitated greater dependence on cloud service providers (CSPs). As of 2022, 73 per cent of Deloitte global survey respondents stated they had moderate to high levels of dependence of CSPs^vi. Already staggering in itself, the figure is set to jump all the way to 88 per cent in the years to come.

Another result of COVID-related disruptions is that organizations are facing a newer spectrum of more complex risks across overlapping domains. Those domains include geopolitical, geographic/supplier concentration, sanctions, export controls, etc.

Deloitte summarizes trends in the third-party risk environment thusly:

1. Increased incidents related to vendors. Suppliers are causing more disruption and risks are not being managed. Information security, privacy and anti-fraud management are some examples.

2. Regulators focusing on supplier risk. Regulators are increasing the pressure on organizations to better manage their supply chain risk.

3. Pressures from economic volatility. Economic conditions mean tighter margins for suppliers

Of the above, we’ll single out regulatory pressure for special comment. Regulatory pressure is particularly acute in the financial services sector

Under the banner of operational resilience compliance, banking regulators have put forth specific compliance requirements for firms who have “outsourced” material business activities to third parties.

The European Union, for its part, has gone even further, passing the Digital Operational Resilience Act (DORA), which will soon compel entities operating in its vast jurisdiction to establish third-party risk management measures to mitigate ICT (information and communications technology) risk.

A quick list of relevant regulations in advanced markets include:

• Australia. Australian Prudential Regulation Authority. Prudential Standard 231 Outsourcing.

• U.K. Bank of England Prudential Regulation Authority. Policies relating to operational resilience for banks, building societies and investment firms.

• U.S. The Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC), Treasury. Interagency Guidance on Third-Party Relationships: Risk Management

The third-party risk management lifecycle

How then to mitigate third-party risk, avoid exposure, and comply with statutes? At the bare minimum, companies should be following the third-party risk management lifecycle when onboarding critical third parties.

The purpose of the TPRM lifecycle is to help organizations manage their third-party risk by ensuring that vendors meet the same standards and expectations (be they for cybersecurity, data privacy, or any other matter) as their internal teams.

So, what’s the third-party risk management lifecycle consist of?

Like the risk management lifecycle from which it’s derived, the third-party risk management lifecycle^vii is an ongoing process requiring regular reassessment to ensure that risks are being appropriately managed.

The process itself consists of the following stages:

• Identification of whether you need to employ a third party

• Conducting due diligence

• Shortlisting and selection of a third party

• Sending out a risk questionnaire

• Contract drafting

• Commencement of the onboarding process

• Ongoing monitoring

• Undertaking of internal audits

• Contract termination or offboarding

Far from being undertaken in silo, though, the third-party risk management lifecycle should fit within the context of a broader TPRM program. The purpose of that program will be to provide better governance over a company’s third-party ecosystem.

Why better governance? Internal teams often lack visibility over third parties, inhering risk accordingly.

Strong governance, as Deloitte notes^viii, reduces that particular risk by increasing transparency, better aligning third party-engagements to overall company strategy, and providing consistent regulatory compliance.

Companies can go a long way to reducing their overall third-party risk profile – remember, internal teams across any given organization engage with third-party vendors – by embedding third-party risk management practices in all levels of the organization.

The benefit of formalizing third-party governance^ix in such a way includes:

• Following a more intelligent risk-based approach better aligned with enterprise strategy

• Better training of staff and executive champions in aligning service delivery with strategic objectives

• Development of standardized processes and proactive decision making via the use of data and analytics

• Creation of fully customized, value-added tools that support decision making

Leading practices in third-party risk governance

Such are the benefits of third-party governance. But what should the program itself look like?

Like with risk management more broadly, third-party risk governance will be highly site-specific. Of course, analysts^x have provided some generic leading practices that all organizations with significant third-party risk exposure should consider following.

The practices consist of the following:

• Define objectives and scope. To build a successful TPRM program, organizations should consider anchoring their operational resilience and third-party risk management plans to an existing framework, be it DORA, APRA, or the UK Operational Resilience Framework (More later).

Why? These frameworks already set criteria and expectations for third-party dependency management and business continuity planning and testing. Organizations, therefore, do not have to reinvent the wheel to perform an impact assessment and gap analysis against currently proposed drafts.

• Fully understand, document, and maintain your third-party inventory.

• Develop policies and procedures. Lack of coordination between internal stakeholders is often cited as the biggest challenge for organizations undertaking third-party risk management.

• Enhance ongoing monitoring. Initial due diligence is only a floor. Organizations will need more robust ongoing monitoring of third parties to enable more dynamic risk reporting. 

• Establish a governance structure. Regardless of ownership, the program will require input from multiple functions and teams, making well-defined governance crucial. For global entities, it’s, therefore, recommended to have a consistent global policy with local addenda for sub-entities.

• Implement technology and automation. Programs that integrate digital third-party risk management functionality into the supplier lifecycle and embed automated cross-functional workflows, e.g., procurement, cyber risk, resiliency, are more effective in managing third-party risk and reporting to senior leadership.

Third-party risk management: compliance requirements

As noted, building a successful third-party risk management program often entails aligning plans to an existing regulatory framework. This best practice makes sense. After all, the regulatory interventions themselves are the result of increased risk (to financial markets) posed by the sharp rise in third-party risk.

As a result, regulations, even for organizations outside of the industries in question, are a good place to turn to when beginning to build out TPRM programs.

On this score, what do the statutes say? Released in 2016, APRA Prudential Standard CPS 231, which deals with outsourcing, requires that all outsourcing arrangements involving material business activities be subject to appropriate due diligence, approval, and monitoring.

Drilling down a bit, some specific CPS 231 requirements include:

• Maintain a policy, approved by the Board, relating to outsourcing of material business activities

• Have sufficient monitoring processes in place to manage the outsourcing of material business activities

• For all outsourcing of material business activities with third parties, have a legally binding agreement in place, unless otherwise agreed by APRA

• Consult with the regulator prior to entering into agreements to outsource material business activities to service providers that conduct their activities abroad

• Notify APRA after entering into agreements to outsource material business activities

The standard also imposes timely notification requirements on regulated entities should they get into outsourcing arrangements involving material business activity. And when they do, entities must also provide a summary of the key risks involved in the outsourcing arrangement and the risk mitigation strategies put in place to address these risks.

In many respects, the bulk of CPS 231’s requirements simply serve to extend risk management best practices to the realm of outsourcing. And so, all organizations, even those not under APRA’s remit or in the financial services sector at all, could benefit from adopting the following best practices:

• Identify, assess, manage, mitigate, and report on risks associated with outsourcing to meet the institution’s financial and service obligations to its stakeholders

• Have procedures to ensure that all the institution’s relevant business units are made aware of, and have processes and controls for monitoring compliance with, the outsourcing policy

• Rest ultimate responsibility on the Board for oversight of any outsourcing of a material business activity. Although outsourcing may result in the service provider having day-to-day managerial responsibility for a business activity, the entity remains responsible for complying with all requirements that relate to the outsourced business activity

• Give the Board responsibility to ensure that outsourcing risks and controls are taken into account as part of the institution’s risk management strategy and when completing a risk management declaration

Third-party ICT risk management: compliance requirements

As a subset of third-party risk, ICT risk has grown by leaps and bounds. The European Parliament, as mentioned earlier, recently passed landmark legislation to address ICT risk (broadly). 

The Digital Operational Resilience Act, however, also includes specific provisions on ICT third-party risk management. Included here are a few requirements laid out in that subsection which might be of interest to all organizations even those outside of DORA’s jurisdiction:

• Manage ICT third-party risk as an integral component of ICT risk within the entity’s ICT risk management framework and in accordance with the following principles:
  
  1. Financial entities that have in place contractual arrangements for the use of ICT services to run their business operations shall, at all times, remain fully responsible for compliance with, and the discharge of, all obligations under this Regulation and applicable financial services law.
  
  2. Financial entities’ management of ICT third-party risk shall be implemented in light of the principle of proportionality, taking into account:
  
   a. The nature, scale, complexity, and importance of ICT-related dependencies
  
   b. The risks arising from contractual arrangements on the use of ICT services concluded with ICT third-party service providers, taking into account the criticality or importance of the respective service, process or function, and the  potential impact on the continuity and availability of financial services and activities, at individual and at group level
  
  
• Adopt and regularly review a strategy on ICT third-party risk, as part of the entity’s ICT risk management framework, taking into account the multi-vendor strategy. The strategy on ICT third-party risk shall include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers and shall apply on an individual basis and, where relevant, on a sub-consolidated and consolidated basis. The management body shall, on the basis of an assessment of the overall risk profile of the financial entity and the scale and complexity of the business services, regularly review the risks identified in respect to contractual arrangements on the use of ICT services supporting critical or important functions.
• Before entering into a contractual arrangement on the use of ICT services, financial entities shall:
  
  1. Assess whether the contractual arrangement covers the use of ICT services supporting a critical or important function
  
  2. Assess if supervisory conditions for contracting are met
  
  3. Identify and assess all relevant risks in relation to the contractual arrangement, including the possibility that such contractual arrangement may contribute to reinforcing ICT concentration risk 
  
  4. Undertake all due diligence on prospective ICT third-party service providers and ensure throughout the selection and assessment processes that the ICT third-party service provider is suitable
  
  5. Identify and assess conflicts of interest that the contractual arrangement may cause.
  
  
• Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. When those contractual arrangements concern critical or important functions, financial entities shall, prior to concluding the arrangements, take due consideration of the use, by ICT third-party service providers, of the most up-to-date and highest quality information security standards.

Finally, third-party risk is exploding, while the supplier ecosystem is shrinking. Addressing this new risk environment, as this guide has argued, will take time, effort, and robust third-party risk management procedures. 

Beyond these procedures, though, organizations should also seek out third-party risk management software to manage risk across their entire third-party ecosystem. 

These solutions, such as Noggin, seamlessly collaborate with third parties in a unified workspace dedicated to enhancing resilience. From onboarding and due diligence to risk monitoring, contract, and action management, these platforms equip teams to pinpoint and address the top issues across the vendor ecosystem.

Sources

i. Cherelle Johannes, JDSUPRA: Risk Management 101: Navigating the Tightrope of Third-Party Risks. Available at https://www.jdsupra.com/legalnews/ risk-management-101-navigating-the-1412363/.

ii. “Material business activity” as defined in APRA CPS 231: Outsourcing

iii. Deloitte: Third-party risk is becoming a first priority challenge. Available at https://www2.deloitte.com/ca/en/pages/risk/articles/reduce-your-thirdparty-risk.html.

iv. Ibid.

v. Deloitte: Emerging stronger: The rise of sustainable and resilient supply chains: Global third-party risk management survey 2022. Available at https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/risk/deloitte-uk-global-tprm survey-report-2022.pdf

vi. Ibid. 

vii. Lexis Nexis: Defining Third Party Risk Management. Available at https://internationalsales.lexisnexis.com/glossary/compliance/third-party-riskmanagement.

viii. Deloitte: Third-party risk is becoming a first priority challenge. Available at https://www2.deloitte.com/ca/en/pages/risk/articles/reduce-your-thirdparty-risk.html.

ix. Ibid.

x. Michael Giarrusso et al., EY: 2023 EY Global Third-Party Risk Management Survey. Available at https://www.ey.com/en_gl/risk/2023-ey-global-thirdparty-risk-management-survey.