By Laura Hawkins and Anna Seligman, financial services experts at PA Consulting
Tailored Third-Party Risk Management (TPRM) is a key step in building sector resilience and is a focal point for Financial Services regulators. In March 2021, the PRA released its Supervisory Statement on outsourcing and TPRM, requiring firms to have greater oversight of the functions that are outsourced to external providers that support their business. The statement aligns with, and implements, the EBA guidelines on outsourcing, and complements the joint FCA and PRA Operational Resilience policy that asks firms to identify the third parties that support the operation of an organisation’s Important Business Services. And there’s more coming down the line, with UK regulators intending to publish a joint Discussion Paper on the oversight of critical third parties in 2022, and the EU putting an emphasis on third parties in the Digital Operational Resilience Act due to be published in 2022.
So why is there so much attention on TPRM? Third parties account for nearly one in five of the operational incidents reported to the FCA, and some of those incidents have resulted in sector-wide impacts. The SolarWinds incident, in which a cyberattack left 18,000 customers vulnerable to hacking, had the potential to have a big impact on the sector, and firms had to scramble to understand whether they could be implicated in the disruption.
This all leads us to how these new rules impact regulated financial services firms. It remains your responsibility to assess the risk third parties pose to the business-as-usual (BAU) running of your business and the services you provide to customers. Do you really understand how your third parties support your business services? Do you have an accurate view of how a third-party disruption could impact you and your customers?
Here are three ways you can address third-party risk in a proportionate, tailored and holistic way.
Operational Resilience and TPRM: A smart match
In a recent Operational Resilience webinar hosted by the FCA, regulators stated that if Important Business Service (IBS) mapping doesn’t support an understanding of the full supply chain, firms aren’t doing it properly. Sixty-four per cent of attendees at a recent PA-UK Finance TPRM roundtable stated that they treat TPRM as an extension of the Operational Resilience policy. We’ve worked with clients to identify where elements such as IBS mapping and scenario testing can support you in identifying your most critical third parties.
As the Financial Services sector seeks to understand the resources that support a customer’s end-to-end journey using an IBS, the mapping of the supporting resources will highlight where third parties are a critical part of one or more IBS. We are all aware that Cloud Service Providers are increasingly a key part of the customer journey, with most regulated firms increasing their hosted cloud use. However, it may be that your phone lines, call recording and caller authentication that support an IBS such as First Notification of Loss, or Telephony Banking, are all provided by a single outsourced provider with no substitutability. This is likely to be a material outsourcing arrangement: the provider is critical to the running of a key service and needs to be held to the standards set out in the PRA’s statement. Don’t forget, it’s the service, not the provider, that needs to be considered, and operational resilience can be the first step to understanding which third parties can impact your firm.
Scenario-based due diligence
Currently, most firms use a due diligence questionnaire that is standard across all third parties and could be described as a ‘tick box exercise’ that doesn’t really offer a holistic view of the risk. All firms should reassess their approach to due diligence, making it more tailored and proportionate to the potential risk third parties pose. Not all third parties can have the same impact on your business, and the processes for assessing them should consider the service they help you deliver and the impact to your firm if that service were disrupted.
How can you adapt the standard process? By redesigning the pre-onboarding and monitoring process for your most critical third parties to focus on scenarios rather than ‘yes/no’, controls-based due diligence. By doing this you are more likely to understand the end-to-end incident response journey and the potential impacts of a third-party disruption. For example, a scenario-based questionnaire could cover what controls, response escalations and recovery actions are in place against a disruption to data availability (due to ransomware or a technology outage). While it is helpful to know that a third party holds ISO 27001 or how remote access is managed, by running through a scenario you can better understand the impacts to your business and have confidence in the third party’s resilience capabilities.
Working together to identify sector-wide risks
Attendees of the PA and UK Finance roundtable on TPRM stated that a lack of cooperation and transparency between third parties and firms is a key concern. Holding workshops where controls and mitigations are discussed and challenged can support firms in understanding the risks that a third-party disruption poses to their customers and services. By speaking directly with Information Security, Resilience or Risk peers, you can hear straight from the third party how a disruption could impact your services and what controls are in place to support resilience.
Third parties are often not forthcoming in letting firms know when they make changes to their environment or when their fourth parties become critical in the end-to-end process. By engaging directly with third parties, through pooled audits or hosted group workshops, firms can lower the cost and resources needed to understand critical suppliers and instead focus on the risks of disruption to outsourced services or functions. The focus should be on the “so what” to your business, not on whether the third party can pass an audit.
Firms should use their operational resilience programme as the jumping-off point to understand which third parties are critical to the normal operation of your business. These are likely to be the ones considered material by the PRA, and you can then use an assurance questionnaire to create a baseline view of each third party. By knowing who your most critical third parties are, for example the ones that underpin all your IBS or solely perform a Business Service, you can supplement the assurance questionnaire with scenario-based questions. This will tailor the assessment to your firm and give you a fuller understanding of the impact third-party disruption can have on your services and your customers. It fulfils regulatory requirements while also enhancing your incident response and resilience capabilities, saving you time and resources should a disruption occur.