Aon  |  Financial Institutions Practice
The Expanding Universe of Third-Party Risk

The latest trends and topics in thirdparty risk management were the focus of a discussion at RMA’s recent Annual Risk Management Conference. The panel covered the implications of ESG and the supply chain, cybersecurity risk, intellectual property, and overall resiliency—including the risk of concentrated exposure to critical third parties. As third-party risk practices mature, regulatory expectations intensify, and threat actors shift their attention toward less-protected fourth and even fifth parties, the panelists agreed, the scope of risk management’s activities in this space extends well beyond third parties to encompass the broader business ecosystem.

ESG

More and more companies, including banks, are making public, ESG-related statements that include commitments— for example, to diverse supply chains or carbon neutrality. This could yield challenges, said Aon’s Chris Rafferty. “Large corporations direct a lot of dollars to a lot of vendors—there’s a lot of responsibility there,” Rafferty said. “That means that firms also have a lot of responsibility in terms of considering how corporate purchasing decisions could have potential ESG and DE&I impacts.”

Technology-related risk

Cybersecurity is a crucial area for third-party risk management, Rafferty said, citing an infamous data breach that compromised millions of email addresses and personal credit cards. In that case, a third-party vendor with access to a retailer’s system was the locus of the breach. Understanding the degree of access given to vendors and their level of penetration within security systems are important steps, he said, as well as incorporating a cybersecurity framework and incident response plan to promote resiliency.

Beyond the obvious cybersecurity threat, a growing technology-related third-party risk that may be particularly relevant to banks is connected to intellectual property. “Banks are increasingly relying on technology to engage with their customers in the way that customers expect these days. They’re recognizing technology as a critical asset,” Rafferty said. He pointed to a recent case in which a bank was found liable for hundreds of millions of dollars to a competitor because one of its vendors was using technology that infringed on the competitor’s patents. By some estimates, Rafferty continued, “over 6,000 financial institutions have used similar technology from that vendor. The vendor may have an indemnity obligation to its customers, but it is not certain whether a given vendor has the financial wherewithal to satisfy a multitude of indemnity obligations.”

Rafferty predicts that banks’ drive to improve the customer experience through technology will lead to increasing reliance on third-party vendors, as they engage in “almost an arms race with a lot of fintech companies that are developing really innovative technology.” Those fintechs are developing trade secrets and filing patents, trademarks, and copyrights, leading to, in Rafferty’s words, “a minefield of potential litigation and potential alleged infringement.”

Concentration risk

Concentration risk and critical third parties are a major focus, said Ally’s Heather Hendershott. “It’s important to have an aggregate view of concentration risk,” she said. “Not all concentration risk is bad—sometimes it’s intentional. But understanding and monitoring those key areas is extremely helpful.”

Fifth Third Bank’s Matthew Buskard agreed that banks may have good reasons for tolerating a degree of concentration risk. “There’s some benefit in having end-to-end processes with a single third party, from a cost perspective and a monitoring perspective. It’s a tradeoff. Just like every other risk in this space, it’s about understanding where that risk is, and how you want to manage it. There are certainly things we can do to mitigate it.”

Areas that Hendershott recommended for particular attention include location and service monitoring. “Monitoring services is a great starting point—looking to see where you might have multiple services with one third party, or perhaps you’re outsourcing an entire business process. You want to identify where you’ve got all your eggs in one basket, and where so much complexity is built into a relationship, it might be difficult to exit,” she said.

Having a good view into vendors’ geographic locations and physical sites is also helpful, Hendershott said. Points to consider include whether the vendor is centrally located, its potential exposure to natural disasters, and whether it’s domestic or international. “When you think about hurricanes, earthquakes, natural disasters, and geopolitical risk, understanding the vendor’s physical landscape is important,” she said, advising risk teams to extend their geographic awareness to fourth-party vendors as well.

When it comes to systemic risks— areas in which failure could cause an industry-wide crisis—banks are focused on mitigation, rather than elimination, Hendershott said. Payment and settlement systems are a clear example of systemic risk. But there are other areas of concentration risk. She cited concentration of spending, potential reverse spending, and staff augmentation, among others. In the case of reverse spending, the idea is to understand whether the third party derives a significant portion of its revenues from another institution. That could jeopardize its business, causing a critical failure in your own bank if the other institution were to end the relationship. In the case of staff augmentation, the risk could take the form of externalizing crucial knowledge and expertise outside the firm. “The bottom line is understanding your risk exposure if a third party goes out of business,” Hendershott said.

Achieving resiliency

The OCC and the Federal Reserve have highlighted resiliency as key supervisory priorities. Meeting those expectations means carefully considering the full array of critical activities, stacking those up against regulations, and ensuring that “we’ve got a great line of sight into their impact,” said Hendershott. The information that banks extract up front, as part of this core activity, can be “incredibly helpful” when banks seek that knowledge while forming relationships with third parties, and build contractual provisions into their relationships to help them address both current and evolving needs.

When contemplating orderly transitions connected to a vendor relationship, “You can build provisions into contracts that anticipate potential exit strategies,” Hendershott said, and make backup plans for such an eventuality. Questions like “If we had to, could we shift the services in-house?” and “Could we shift to another third party that we already have a relationship with?” need to be asked.

Disorderly transitions—for example, the aftermath of a cyberattack—call for further preparation upfront regarding third parties that provide critical services. Identifying potential options in such a scenario—or recognizing the fact that there are no other options— are helpful to consider when forming a third-party relationship, Hendershott said. This creates an opportunity to include provisions such as transition assistance, coordinated testing, and right to audit into contracts, weaving risk-related planning into the fabric of the relationship from the beginning.

At the highest level, achieving resiliency requires appropriate measurement and reporting. “It’s key to have the data to be able to do the analysis, including metrics/limits,” said Hendershott. It is also important to provide aggregate reporting to the board in order to assess comfort with certain exposures and, where risk is deemed excessive, to develop plans to manage it.

Fourth-party risk—and beyond

Buskard pointed out that third-party risk management has evolved from a reductionist view focused on sourcing to a more expansive view, in which third parties are “an extension of our network and business.” While many institutions have made great strides in managing third-party risks, fourth-party risk is “coming very quickly behind,” Buskard said. “It’s just an extension of the network.”

As third-party vendors establish more and more business relationships of their own, “you have more people touching your data, talking to your customers, connected to your network, and involved in your process,” Buskard said.

All the risks that third-party relationships are prone to can accumulate among fourth parties, including technology- related risk and concentration risk. Buskard said regulators expect that organizations will have a methodology for managing fourth-party risk that “is commensurate with the risk they have. It’s something we have to pay attention to, and it’s something that we have to make sure our third parties pay attention to.”

In the early days of third-party risk management, Buskard said, “We had to build inventories of the third parties that we use. Who are they? Where are they? What are they doing? That shifted to: How reliant are you on that third party? These are all things we should be considering for fourth parties as well.” Given the number of fourth parties in play for a given institution, a risk-based approach to their management is crucial “so that you can focus your energy and resources on material fourth parties,” he said.

While deep diligence on all material fourth parties could be challenging, banks can employ techniques to help alert them to issues so they know where to dig deeper. “We’re doing negative news monitoring,” Buskard said. “All of us can think of recent cyberattacks and vulnerabilities in the industry. Many have been related to parties deep in the supply chain. Threat actors have started to realize that banks are no longer a weak link in the chain. So they’re going after those fourth and fifth parties.”

Ultimately, Buskard said, “You have to have a methodology. We can’t manage fourth-party risk haphazardly, any more than we could manage any other risk haphazardly. You have to be intentional about how you’re going to identify, understand, and manage fourth-party risk, so that you do it in a structured way, and you’re focusing on the areas of greatest risk to your organization.”