A Guide to TPRM Regulation (Part 3) Manage & Monitor

Welcome back to the ‘A Guide to TPRM Regulation’ series. This is the third article in the series, in which I summarise TPRM regulations and set out the key actions organisations need to take in order to comply with them. In the last article, we discussed the Contracting & Onboarding phase.

In this edition of the series, we will focus on the Managing & Monitoring phase of the Third Party lifecycle. This includes an overview of the regulations applicable to this stage and key actions that need to be taken by organisations to achieve compliance.

The Managing and Monitoring phase of the Third Party lifecycle addresses both existing risks identified in the first two phases as well as any new risks arising from the third-party arrangement, including the oversight of fourth parties involved in the services provided.

Regulators expect organisations to manage these risks on an ongoing basis and have mandated certain regulations and guidelines.

Regulation Summary: Manage and Monitor

  • Firms should apply adequate governance and controls to all third-party dependencies that can impact their statutory objectives. Where a third party falls into the ‘material’ or ‘high risk’ category, proportionate risk-based controls should be applied.
  • The service provider must properly supervise the outsourced functions, and adequately manage the risks associated with the outsourcing. Appropriate action must be taken if it appears that the service provider may not be carrying out the functions effectively and in compliance with applicable laws and regulatory requirements.
  • Firms are expected to periodically re-assess and take reasonable steps to manage their overall reliance on third parties (including fourth parties), concentration risks and vendor lock-in risks.
  • Ensure access, audit, and information rights are used appropriately to support firms’ identification, assessment, management, and mitigation of risks relating to the third-party service.
  • Firms must develop, maintain, and test business continuity plans and exit strategies that cover and differentiate between exiting an outsourcing agreement in stressed circumstances (e.g. following the failure or insolvency of the service provider) and a planned and managed exit for commercial, performance, or strategic reasons.
  • Firms are expected to implement robust controls to manage data security. Depending on the materiality and risk of the arrangement, these controls may include a range of preventative and detective measures.
  • Firms are expected to notify the regulators when there is a significant change in the third-party service throughout the service lifecycle.
  • The regulators expect the firm's board to receive clear, consistent, robust and timely management information (MI), with an appropriate level of detail, to facilitate effective oversight.

Key actions to be taken by organisations

  • Implement an approach and processes to monitor service risks and controls on an ongoing basis throughout the duration of the third-party arrangement. These processes should include tracking and follow-up of actions and issues.
  • Monitoring should include devices, information, systems, and networks used for providing the outsourced service.
  • Ensure that the third-party risk assessment and the controls framework used for oversight are robust and proportionate to the service provided.
  • Implement a process to review, on an ongoing basis throughout the life of the third-party service, the third party and its capabilities, its risk assessments (including security), and its BCP and Exit Plan; ensure the contract reflects current requirements and notify the regulators where required.
  • BCP and Exit Plans for material outsourcing arrangements, and for material non-outsourcing arrangements that support an important business service (IBS), should align with, support and form a component of scenario testing for operational resilience.
  • Develop processes that use access, audit and information rights to drive identification, assessment and appropriate management of risks.
  • Ensure a governance committee is in place and that the Board receives robust and consistent third-party performance and risk data so that it can make effective decisions.

How FourthLine can help:

FourthLine’s team of third-party risk management specialists can support your firm across all stages of the third-party lifecycle, including the alignment of regulatory requirements and integration with BCM and resilience frameworks.

October 31, 2022
Hussain Hidari
Hussain has over 8 years of experience in risk management. This includes one and a half years in IT Risk in the insurance sector and 7 years in retail banking, covering Supplier Management, Operational Risk, Service Delivery and IT Governance. His areas of expertise include IT Risk and Governance, Operational Risk and Third-Party Risk Management.