In this 14-minute podcast, Protiviti Managing Director Christopher Monk discusses third-party risk management in the financial services industry.
In the financial services industry today, as well as in many other industries, one of the key topics on the minds of executives and even board members is third parties and, specifically, third-party risk management. We’re going to be talking a little bit about that today in the latest installment of Powerful Insights. This is Kevin Donahue, a senior director with Protiviti. I’m pleased to be talking today with Chris Monk. Chris is a managing director with Protiviti’s Business Performance Improvement group, and among his many, many roles is serving as a leader in our third-party risk management practice. Chris, thanks for joining me today.
As always, Kevin, it’s a pleasure to be here.
Chris, let me ask you right off here, why does third-party risk management continue to be such a hot topic, particularly in the financial services industry?
Kevin, without getting into too much detail, third-party risk has been on the forefront of the minds of risk officers, compliance officers, information security officers, heads of procurement, and even CFOs of banks and other financial institutions for well over a decade. It really ramped up in the 2012, 2013 time frame, when the CFPB, the OCC and the Fed all came out with specific guidance around managing third parties, managing outsource providers, followed by the FFIEC releasing the well-known Appendix J, which covered the resilience of outsourced technology service providers, and then again came to the forefront in 2017, when the OCC issued its supplemental examination procedures on its original 2013-29 guidance.
While it sounds like alphabet soup to some, the string of regulatory guidance has caused a massive shift in the regulatory landscape within the industry in the way that banks are approaching how they deal with third parties. On top of just good business sense that these regulations outlined, the banks continued to get hammered by the regulators for noncompliance. They were spending considerable resources and dollars to improve not only their overall third-party risk management programmes but also how they specifically manage the risk domains around things like compliance, business continuity and information security.
Seriously, a lot of that is on the minds of the leaders in the financial services industry today, especially when it comes to this third-party risk management issue. Chris, Protiviti participated in a vendor and third-party risk management conference last month that took place in two cities, New York and London. Talk a little bit about those events and what you saw as some of the similarities and some of the differences between the U.S. and the U.K. markets right now.
Yes, absolutely. The conference was sponsored by the Center for Financial Professionals, or CeFPro, and was the third annual conference. We’ve attended both the New York and London events over the last couple of years. While the topic is the same and the agenda is the same, the talking points, the make-up of the audience and the specific discussion topics do tend to be slightly different based on the region. Let me start off talking about some of the commonalities and similarities between the two conferences and the discussion points.
Number one, there’s still a lot of focus on what I would call blocking and tackling, due diligence, tiering process and methodology, and monitoring of third parties. There’s a lot of discussion both around the operating model, where third-party risk rolls up within the organisation, the use of centralised or shared services, a 1.5 line of defence to support the business, and the execution of the activities. That operating model is driven by concerns and challenges around the lack of engagement and the requisite knowledge and skill sets of the people that own and manage those vendor relationships in the lines of business and making sure that they have what they need to effectively fully understand what that risk profile looks like, assessing and monitoring risk with third parties, as opposed to just managing the relationships.
There is a lot of discussion around how to make the process more automated, how to make it more efficient, what role procurement plays within this process, and not just managing risk or managing the vendor management office, but the concept of procurement moving from just buying stuff to really being risk managers for the enterprise. Other topics that we heard a lot about in both sessions include consortium and third-party risk management as a service, which is really popping up now, and, of course, GDPR and understanding the data flow and how that is impacted by the use of third parties – obviously, a very hot topic with GDPR going live here recently. And I would say there is still generally a lack of understanding on how far to drill down on things like concentration risks and fourth parties.
Now, when you think about the differences between the two sessions, a couple of things stood out. Number one, I would say that the U.S. regulations are more explicit. The U.S. has probably a three- to five-year head start from a regulatory mind-set and then a reaction to that. There was a poll that was conducted during the conference, and one thing was striking. One of the questions in the poll was, “Who has a complete inventory of all third parties?” This was a live poll of people in the room at the conference and had built on some of the results from a recent study that Aravo and CeFPro conducted – we’ll talk more about that in a minute. But from this poll, the number-one key building block of third-party risk is, first of all, knowing who your third parties are.
Within the U.S., 87 percent of the audience said, yes, they have a complete inventory of their third parties, while 13 percent said no, which is in line with what I would have expected. Shockingly, in the U.K., 59 percent of the group said yes, as opposed to the 41 percent saying no. Almost a 90-10 split versus a 60-40 split, and just indicative of the U.S. being a little bit more advanced in some of the topics. Another thing I would say is that U.S. regulators do seem a bit more aggressive on notices from the reviews, and, surprisingly, the U.K. seemed more open to a decentralised or a federated operating model in terms of where the third-party risk management function resides.
Chris, a quick follow-up on that – by “federated approach,” do you mean that these organisations are spreading the management of third parties among the different functions and their specific parties, or am I misinterpreting that?
Federated, from the standpoint that they are still pushing out the activities farther down into the organisation, into the lines of business, rather than centralising it into a single group. There’s guidance being provided, but, very much, they’re still pushing that down to the vendor managers, the relationship owners within the business.
I see. That makes perfect sense. Chris, to wrap up our discussion here, I wanted to ask you a little more about the CeFPro/Aravo study you mentioned. What are some of the other highlights and insights that came from that study?
Yes, certainly. I would encourage people to go search for and download the entire study. It was very well done. The study is called Taking the Polls of Third-Party Risk Management. As you mentioned, it was sponsored by CeFPro and Aravo, a third-party risk management technology provider. The study focused on the journey toward maturity that companies are taking.
A couple of things in terms of the key findings: Number one, most organisations are still relatively early in the stages of maturity, which, given the context and points I’ve raised earlier, is a bit surprising given how long this topic has been around. On a five-point maturity scale, 43 percent of the companies that participated in the study rated themselves at a level two or below in terms of overall programme maturity, 43 percent at a level two or below on a five-point scale. Then, 67 percent, or two-thirds, put themselves at a level three or below. Still a lot of work to do, and I think those results, again, are a bit surprising given just how long the topic has been around.
Another key finding: While regulatory compliance is the primary driver for half of the organisations, business and cost benefits were the primary drivers for about 40 percent, which is good news and something that we talk a lot about with our clients in the market – and which, as I mentioned earlier, just makes good business sense. There are some things that the regulators are requiring that may drive a level of rigour that can be interpreted as maybe overkill, but at the end of the day, applying that level of rigour and oversight to the vendors that you’re selecting, how you’re managing those vendors, how they’re managing your customers and your data, again, it’s just good business sense.
On top of that, that additional focus on rigour we’re also seeing is attributed to improving the performance of these vendors and third parties. It’s actually leading to spend reduction because in many cases, the banks are leveraging their spend with a smaller number of third parties, which not only reduces the risk profile but then also can leverage their spend for better pricing. The business and cost benefits that we see are primary drivers for about 40 percent of the people in the study. Organisations are gravitating toward locating their third-party functions within risk management – again, specifically, we’re talking mostly about financial services here. The study did indicate that a centralised structure is the most common, and, aligning with the organisation’s overall approach to risk management, that’s not surprising there. Organisations are still struggling with basic components of third-party risks.
Back to the point earlier about the level of maturity, capturing all third parties in a single inventory, conducting comprehensive due diligence, overall reporting, the basic blocking and tackling components of third-party risk is an area where companies are still struggling. Many of these challenges, of course, can be attributed to a lack of technology. That’s where we’re starting to see the market trend – get the structure in place and then become more scalable, more automated, more efficient through the use of technology. On that point, two-thirds of the study participants indicate they’re using spreadsheets for all or part of the third-party risk management programme; almost half are using SharePoint. It’s a very rudimentary tool, and certainly an opportunity to advance that.
Then, finally, the last key finding I’ll point out is that third-party risk management teams are still very concerned about being able to keep up with regulatory change and the growing demands of the extended enterprise. Kevin, I think it’s that last point that really caused third-party risk management to have staying power – an increasing need for managing complex third-party ecosystems, the ever-changing regulations across different geographies, the need to correctly and effectively monitor and analyse not only vendor performance but risk and compliance – not only within banks, but distinct power really has impacts on service providers and consulting firms, third party as a service and, obviously, technology partners as well. For those reasons, I think the topic is here to stay.
Yes. Chris, based on your explanation, undoubtedly it sounds like it is here to stay. I want to thank you very much, Chris, for sharing your insights with us today on third-party risk management and some of the differences between the U.S. and the U.K. markets and how the financial services industry is viewing those today. I want to invite our audience to visit Protiviti.com/bpi, where you can find more information from Protiviti on this and other performance-related topics.