With the use of third and fourth parties increasing across the financial services sector in the last three years, most firms rely on third parties to support or completely deliver critical processes and services to their customers.
The growth of third-party usage has drawn close attention from regulators and March 2021 saw the release of policy documents and supervisory statements relating to Outsourcing & Third-Party Risk Management. With objectives to complement the focus on Operational Resilience and align with the EBA’s approach to Third-Party Risk, the regulation gave in-scope firms a one-year implementation period to 31 March 2022.
Whilst strongly acknowledging the benefits of outsourcing, there is a great deal of concern from regulators that “the increasing criticality of the services that Critical Third Parties provide…poses a threat to financial stability in the absence of greater regulatory oversight”. They hint that stronger controls and additional policy measures will be required, due to be published in a Discussion Paper in 2022.
The statistics point to a gap between regulatory scrutiny and action on the ground.
According to KPMG's November 2020 global Third-Party Risk survey, over 60% of senior managers highlighted the failure of third parties as the biggest risk to firm reputation and 75% said that improvements to Third-Party Risk were a strategic priority.
However, 78% of those same managers claimed a lack of investment in resources and technology, and more than two-thirds suggested that their approach requires improvement, which suggests that Third-Party Risk is the weak link in the Resilience chain.
With technology and investment focused on the front end, i.e., due diligence and supplier onboarding, firms are also failing to pick up ongoing third-party risks. Gartner identifies that 83% of managers surveyed had identified risks after supplier onboarding.
It’s a perfect storm. The increase in third-party usage has led to greater Regulator activity which in turn has increased the required level of compliance and monitoring of third-party risks. All this at a time when firms have a concentration of competing business and regulatory priorities, and any significant spending requires a higher level of sign-off.
Unfortunately, inaction is not an available option, but firms can build a proportionate approach which;
- Strengthens the business case for investment by helping the business to understand the importance of the interplay between Third-Party Risk and Operational Resilience
- Creates a bespoke, consistent methodology with templates and tools which identify levels of materiality and assess risk
- Reduces manual and inefficient processes
- Improves third party monitoring to reduce risks in the ongoing relationships
How FourthLine can help:
FourthLine is working with financial services clients to help them achieve compliance and react to the challenges of Outsourcing & Third-Party Risk Management, through a mixture of consulting and resourcing propositions.
Download our Outsourcing & Third-Party Risk Management insight deck here>
