In March this year, the Financial Conduct Authority (FCA) and the Prudential Regulatory Authority (PRA) launched joint policies for Operational Resilience. The PRA released an accompanying supervisory statement, SS2/21, "Outsourcing and third-party risk management".
The policy and accompanying statement require an increased level of transparency from regulated firms, which must demonstrate their awareness and active management of risks related to third parties as part of the wider expectation of improved operational resilience.
The new regulations require firms to identify their material outsourcing and critical suppliers, and to further evidence robust risk management, specifically ensuring customer protection and market protection and preventing threats to firm safety and soundness.
This increased regulatory scrutiny will have a direct impact on financial services suppliers, both regulated and non-regulated.
The most obvious near-term impact will be a greater degree of supplier assurance, which may take the form of the following activities:
- Increased complexity of assurance questionnaires
- Increased evidentiary requirements as part of assurance activities (e.g., cyber penetration test reports)
- Requests for contract amendments to include additional assurance criteria
- Specific requests to include clauses for “the right to audit” by both firms and the regulators
- Requests for supplier participation in resilience scenario testing
All these activities stem directly from the policy requirements on regulated firms. These changes will cascade into procurement and RFP practices, becoming a potential differentiator when assessing suppliers.
Alongside the changes for existing suppliers in scope for assurance, the Resilience Policies make it clear that a more output-driven assessment of supplier criticality is required.
This will bring additional suppliers and/or specialist providers into the scope of the enhanced governance frameworks, and they may have no prior experience of responding at the level required.
In the medium to long term, the experience of firms through Covid has also raised the wider issue of resilience within supply chains more generally. This may lead to increasing demands for greater resilience planning and reporting from third parties, and for better oversight and assurance of sub-contracted and fourth-party relationships.
This is especially true for suppliers classified as material outsourcers to regulated firms.
How FourthLine can help:
As part of our continually evolving Operational Resilience delivery, we are actively looking at how 3rd party suppliers can best meet the challenges of this changing governance environment.
The first step is a greater understanding of the new Operational Resilience policies and their impact on firms.
This will enable suppliers to better anticipate the needs of their clients and customers to ensure market-leading approaches and capabilities are aligned with the changing landscape.
You can get in touch here to find out more about our tailored and proportionate responses to Operational Resilience and 3rd Party Risk Management.