
Understanding your gaps with Third-party Risk Management regulation

Written by Daniel Waltham | Jul 28, 2022 11:00:00 PM

From our experience of reviewing and implementing financial services operational resilience, the Third-Party pillar usually requires action to enhance the approach and close urgent regulatory gaps.

Our observations fall into common categories:

  • The operational risk register does not include third-party risk management, and internal operational risk standards and RCSAs are often not extended to third parties
  • Lack of a defined third-party framework leads to an inconsistent approach and no definition of roles and responsibilities throughout the supplier lifecycle (assessment, onboarding, monitoring, management, offboarding)
  • Missing or incomplete third-party register in accordance with regulatory requirements
  • Poorly defined or non-existent approach to risk assessing and segmenting all suppliers in accordance with regulatory requirements
  • Inconsistent risk assessment, oversight, monitoring and management of material outsourcers or suppliers
  • Incomplete exit plans and business continuity for material suppliers in accordance with regulatory requirements
  • Supplier monitoring does not ensure third parties are aligned to key business services and performance is within impact tolerances

For firms that are concerned about regulatory gaps and their exposure to third-party risk, we’d suggest an urgent internal audit review to give you a clear picture of the required actions.

If that’s not possible, FourthLine can provide a ten-day high-impact review where our expert team:

  • assesses existing Outsourcing and Third-Party artefacts and approach
  • considers audit findings (if applicable)
  • reviews third-party requirements aligned to the operational resilience programme and investment plan
  • assesses the approach against regulatory requirements
  • benchmarks your programme against best practice and peer approaches
  • provides a report and recommendations outlining gaps and suggested actions
