Managing third-party risk is high on the priority list for financial services firms in 2021, and for PRA-regulated firms the added requirement to comply with the new regulatory regime (SS2/21) means a fast-approaching deadline to focus minds.
As firms start to tackle the work of identifying material outsourcers and carrying out thorough due diligence on those suppliers, one thing they must consider is fourth-party risk, i.e. sub-outsourcing. Firms should note that whilst SS2/21 only requires a firm to have direct oversight of the third party, “a firm is expected to ensure that its service provider appropriately manages any material sub-outsourcing.”
Whilst firms are aware of their oversight responsibilities for direct supplier relationships, many aren’t clear that SS2/21 requires an additional layer of oversight: their material third-party providers must themselves have appropriate oversight of any sub-outsourcers.
Firms must therefore consider fourth-party risk in their outsourcing framework and, more importantly, require their third parties to evidence strong fourth-party assurance.
Where that expectation on third parties isn’t made explicit, it’s easy to see how oversight of sub-outsourcers can be overlooked, and that lack of oversight can lead to issues such as the following:
- Without appropriate oversight of third parties, it’s difficult to identify weaknesses in the third party’s own supplier onboarding processes, i.e. how it takes on sub-outsourcers.
- If the same sub-outsourcer is a material supplier to several third parties in your supply chain, that creates a significant and often unforeseen concentration of risk.
- If there are a large number of sub-outsourcers in the supply chain, active oversight of your material third parties becomes challenging. As the PRA points out (in PS 7/21), “...complex and high volume of sub-outsourcing arrangements can impact on your ability to provide effective oversight of your third party.”
- The PRA highlights operational resilience as another factor. If your Important Business Services (IBS) are underpinned by a large number of sub-outsourcers acting without appropriate oversight, this may have a “potential effect on their ability to remain within impact tolerances during operational disruption.”
It can be daunting to dig into the seemingly infinite number of sub-outsourcers once firms start to consider fourth-party risk.
However, tackling fourth-party risk has a straightforward starting point: the third-party risk framework and, specifically, the contractual obligations placed on third-party suppliers.
By building a robust third-party risk framework with fourth-party risk controls built in, and reflecting those controls in supplier agreements, firms can clearly define and document how they expect fourth parties to be managed.
Particular attention should be paid to three key areas when drafting agreements with third parties:
- Due diligence
  - What level of due diligence is expected from third parties when they onboard a fourth party into your supply chain?
  - How does that due diligence form part of your oversight of the third party?
- Oversight and assurance
  - What level of oversight and assurance are your third parties prepared to commit to for their fourth parties?
  - Based on the importance of the service to your business, what is a proportionate expectation?
  - What MI (management information) do you require from your third parties to evidence that oversight?
- Exit strategies
  - Consider the importance of fourth parties in your supplier exit strategy. If your third party sub-outsources one of your important business services to a fourth party and that agreement is terminated, your third-party agreement must contain provisions to protect against service disruption.
FourthLine can support firms in developing their Outsourcing and Third-Party Risk Management strategy.