
A Guide to TPRM Regulation (Part 1) Plan, Evaluate & Select

This is the first in a series of articles providing a broad overview of the PRA and FCA regulations that apply at each stage of the Third-Party Risk Management (TPRM) lifecycle. For each stage I will set out the key actions that in-scope financial services firms need to take now to achieve compliance and build a resilient supply chain.

Part 1 covers planning, evaluation and selection.

The use of third-party suppliers has become common practice for most businesses in pursuing their aims and objectives, reflecting the rapidly changing landscape in which financial services and many other industries operate.

More than ever before, companies are using third parties to deliver technology-driven services, improve their operational processes, migrate to cloud-based solutions and transform their business. Outsourcing gives organisations access to talent and expertise not available in-house and, in many instances, reduces cost and risk.

However, outsourcing also introduces significant new strategic, reputational, operational and financial risks. Regulators therefore impose stringent requirements on how firms manage the risks associated with third-party relationships.

There are several third-party-specific FCA and PRA rules and guidance documents that UK firms must adhere to, including the SYSC 8 outsourcing requirements, the FCA's guidance for firms outsourcing to the cloud and other third-party IT services (FG16/5) and the PRA's supervisory statement SS2/21 on outsourcing and third party risk management, amongst others.

Regulation Summary:  Plan, Evaluate & Select 

Both the PRA and the FCA require firms to maintain a robust risk and control environment around third parties, from the inception of the relationship all the way to exit.

During the plan, evaluate and select stage, firms are required to:

  • Assess whether the third-party arrangement fits the organisation, its reporting structure, business strategy and overall risk profile, and whether it allows the firm to continue meeting its regulatory obligations
  • Have a process in place to avoid undue additional operational risk, and not undertake the outsourcing in such a way as to materially impair the firm's internal controls or the regulator's ability to oversee it
  • Review the materiality and risk of all third-party arrangements and apply proportionate, risk-based governance and controls to each third-party dependency
  • Establish, implement and maintain a business continuity plan (BCP) and a disaster recovery plan, including periodic testing of backup facilities
  • Develop and maintain the BCP and documented exit strategies for both stressed and non-stressed scenarios
  • Test the BCP and exit plans periodically
  • Assess the risk of sub-outsourcing (fourth-party providers), including the operational resilience of potentially complex chains of sub-outsourcing
  • Manage data risks where the arrangement involves the transfer of data; the PRA expects firms to classify the relevant data by confidentiality and sensitivity
  • Identify the potential risks to outsourced data and their impact, and agree an appropriate level of data availability, confidentiality and integrity with the provider
  • Manage security risks so that the firm's overall security exposure remains acceptable
  • Consider concentration risk, for example the business continuity implications if a single service provider is used by several firms
  • Notify the relevant regulator of material outsourcing and third-party arrangements
  • Perform appropriate due diligence on all potential service providers and exercise due skill and care when entering into, managing or terminating any arrangement for the outsourcing of critical or important operational functions
  • Maintain an accurate record of contracts, including the jurisdiction in which the service provider's business premises are located and how that affects the firm's outsourcing arrangements

Key actions to be taken by organisations 

During the Plan, Evaluate and Select stages of the third-party lifecycle, organisations should: 

  • Create a business case for using a third party versus in-house capabilities, weighing the benefits of the arrangement against the risks and potential losses
  • Perform segmentation, inherent risk and service materiality assessments on all third parties, including a security and data protection impact assessment
  • Conduct a materiality assessment and segmentation exercise that reflects the firm's important business services (IBS) and links to the Operational Resilience programme
  • Develop a risk profile for the prospective third party, including its inherent risk position and the proposed risk mitigation and controls (pre- and post-contract)
  • Ensure the risk assessment methodology includes an assessment of concentration risk
  • Define roles and responsibilities for internal and external stakeholders
  • Establish processes to notify the regulator in advance of entering into any material third-party arrangement
  • Perform due diligence across all applicable risk categories for prospective third parties and material fourth parties, confirming that the third party has appropriate governance, controls and oversight of those fourth parties
  • Implement, as part of the due diligence process, a mechanism to track issues and actions and feed them into contracting and ongoing monitoring
  • Gain assurance over the recovery capabilities of the third party
  • Maintain a record or register of outsourcing and material third-party arrangements, and meet the concentration risk assessment requirements
  • Develop a business continuity plan (BCP) and document an exit strategy for both stressed and managed exits for material outsourcing arrangements, prior to onboarding
  • Develop or enhance existing business continuity and exit plans so that they align with the regulatory requirements for material third-party arrangements


How can FourthLine help 

FourthLine's team of third-party risk management specialists can support your firm across all stages of the third-party lifecycle, including alignment with the regulatory requirements described above.


October 2, 2022
Hussain Hidari
Hussain has over 8 years of experience in risk management, including one and a half years in IT Risk in the insurance sector and 7 years in retail banking across Supplier Management, Operational Risk, Service Delivery and IT Governance. His areas of expertise include IT Risk and Governance, Operational Risk and Third-Party Risk Management.
Copyright © 2022, FourthLine. All Rights Reserved.