Identifying and managing the critical risks of third-party providers

“Outsourcing and other third-party relationships can bring multiple benefits to FIs, including: enhanced operational resilience; faster and more tailored financial products and services; cost reduction; greater innovation; and improved internal processes. However, outsourcing and third-party relationships can give rise to new or different risks to FIs and potentially to financial stability that need to be adequately managed.” 

Prior to the 1990s, a reference to third-party risk management (TPRM) in a financial institution (FI) meant you were talking about oversight of outsourced technology providers — whether they were financially viable, reputable, reliable, and had adequate privacy and information security safeguards. Cybersecurity controls weren’t part of these earlier discussions, since the word cybersecurity didn’t even enter the English lexicon until 1989. Decisions to engage outsourced technology providers were often broadly distributed throughout an FI, and attempts to compile a complete listing of an institution’s third-party technology providers were often futile.

Much has changed in three decades. Today, it is commonly understood that third-party providers to FIs include a broad array of technology and other service providers (although the lack of a universal definition does complicate compliance efforts) and that identifying and managing the risks of these providers require a coordinated and continuous effort. And while long-recognised risks remain important, many other risks, such as concentration risk, also require attention. Given the risk landscape and the realization that large financial institutions may have close to 50,000 suppliers, it is little wonder that TPRM is a global industry and regulatory priority.
