The Expanding Universe of Third-Party Risk
The latest trends and topics in third-party risk management were the focus of a discussion at RMA’s recent Annual Risk Management Conference featuring Chris Rafferty, Global Specialty Product Leader for Intellectual Property Solutions at Aon. Read the article published in the Risk Management Business Journal to learn more.
The latest trends and topics in third-party risk management were the focus of a discussion at RMA’s recent Annual Risk Management Conference. The panel covered the implications of ESG and the supply chain, cybersecurity risk, intellectual property, and overall resiliency—including the risk of concentrated exposure to critical third parties. As third-party risk practices mature, regulatory expectations intensify, and threat actors shift their attention toward less-protected fourth and even fifth parties, the panelists agreed, the scope of risk management’s activities in this space extends well beyond third parties to encompass the broader business ecosystem.
The panel featured:
- Matthew Buskard, Senior Vice President and Senior Director of Enterprise Risk Management at Fifth Third Bank.
- Chris Rafferty, Global Specialty Product Leader for Intellectual Property Solutions at Aon.
- Heather Hendershott, Senior Director for Third Party Risk Management at Ally.
This session summary was edited for clarity.
ESG
More and more companies, including banks, are making public, ESG-related statements that include commitments—for example, to diverse supply chains or carbon neutrality. This could yield challenges, said Aon’s Chris Rafferty. “Large corporations direct a lot of dollars to a lot of vendors—there’s a lot of responsibility there,” Rafferty said. “That means that firms also have a lot of responsibility in terms of considering how corporate purchasing decisions could have potential ESG and DE&I impacts.”
Technology-related risk
Cybersecurity is a crucial area for third-party risk management, Rafferty said, citing an infamous data breach that compromised millions of email addresses and personal credit cards. In that case, a third-party vendor with access to a retailer’s systems was the locus of the breach. Understanding the degree of access granted to vendors, and how far that access reaches into the institution’s own systems, is an important step, he said, as is adopting a cybersecurity framework and an incident response plan to promote resiliency.
Beyond the obvious cybersecurity threat, a growing technology-related third-party risk that may be particularly relevant to banks is connected to intellectual property. “Banks are increasingly relying on technology to engage with their customers in the way that customers expect these days. They’re recognizing technology as a critical asset,” Rafferty said. He pointed to a recent case in which a bank was found liable for hundreds of millions of dollars to a competitor because one of its vendors was using technology that infringed on the competitor’s patents. By some estimates, Rafferty continued, “over 6,000 financial institutions have used similar technology from that vendor. The vendor may have an indemnity obligation to its customers, but it is not certain whether a given vendor has the financial wherewithal to satisfy a multitude of indemnity obligations.”
Rafferty predicts that banks’ drive to improve the customer experience through technology will lead to increasing reliance on third-party vendors, as they engage in “almost an arms race with a lot of fintech companies that are developing really innovative technology.” Those fintechs are developing trade secrets and filing patents, trademarks, and copyrights, leading to, in Rafferty’s words, “a minefield of potential litigation and potential alleged infringement.”
Concentration risk
Concentration risk and critical third parties are a major focus, said Ally’s Heather Hendershott. “It’s important to have an aggregate view of concentration risk,” she said. “Not all concentration risk is bad—sometimes it’s intentional. But understanding and monitoring those key areas is extremely helpful.”
Fifth Third Bank’s Matthew Buskard agreed that banks may have good reasons for tolerating a degree of concentration risk. “There’s some benefit in having end-to-end processes with a single third party, from a cost perspective and a monitoring perspective. It’s a tradeoff. Just like every other risk in this space, it’s about understanding where that risk is, and how you want to manage it. There are certainly things we can do to mitigate it.”
Areas that Hendershott recommended for particular attention include location and service monitoring. “Monitoring services is a great starting point—looking to see where you might have multiple services with one third party, or perhaps you’re outsourcing an entire business process. You want to identify where you’ve got all your eggs in one basket, and where so much complexity is built into a relationship, it might be difficult to exit,” she said.
Having a good view into vendors’ geographic locations and physical sites is also helpful, Hendershott said. Points to consider include whether the vendor is centrally located, its potential exposure to natural disasters, and whether it’s domestic or international. “When you think about hurricanes, earthquakes, natural disasters, and geopolitical risk, understanding the vendor’s physical landscape is important,” she said, advising risk teams to extend their geographic awareness to fourth-party vendors as well.
When it comes to systemic risks—areas in which failure could cause an industry-wide crisis—banks are focused on mitigation, rather than elimination, Hendershott said. Payment and settlement systems are a clear example of systemic risk. But there are other areas of concentration risk. She cited concentration of spending, potential reverse spending, and staff augmentation, among others. In the case of reverse spending, the idea is to understand whether the third party derives a significant portion of its revenues from another institution. That could jeopardize its business, causing a critical failure in your own bank if the other institution were to end the relationship. In the case of staff augmentation, the risk could take the form of externalizing crucial knowledge and expertise outside the firm. “The bottom line is understanding your risk exposure if a third party goes out of business,” Hendershott said.
Achieving resiliency
The OCC and the Federal Reserve have highlighted resiliency as a key supervisory priority. Meeting those expectations means carefully considering the full array of critical activities, stacking those up against regulations, and ensuring that “we’ve got a great line of sight into their impact,” said Hendershott. The information that banks extract up front, as part of this core activity, can be “incredibly helpful” when banks seek that knowledge while forming relationships with third parties, and build contractual provisions into their relationships to help them address both current and evolving needs.
When contemplating orderly transitions connected to a vendor relationship, “You can build provisions into contracts that anticipate potential exit strategies,” Hendershott said, and make backup plans for such an eventuality. Questions like “If we had to, could we shift the services in-house?” and “Could we shift to another third party that we already have a relationship with?” need to be asked.
Disorderly transitions—for example, the aftermath of a cyberattack—call for further preparation upfront regarding third parties that provide critical services. Identifying potential options in such a scenario—or recognizing the fact that there are no other options—is helpful to consider when forming a third-party relationship, Hendershott said. This creates an opportunity to include provisions such as transition assistance, coordinated testing, and right to audit in contracts, weaving risk-related planning into the fabric of the relationship from the beginning.
At the highest level, achieving resiliency requires appropriate measurement and reporting. “It’s key to have the data to be able to do the analysis, including metrics/limits,” said Hendershott. It is also important to provide aggregate reporting to the board in order to assess comfort with certain exposures and, where risk is deemed excessive, to develop plans to manage it.
Fourth-party risk—and beyond
Buskard pointed out that third-party risk management has evolved from a reductionist view focused on sourcing to a more expansive view, in which third parties are “an extension of our network and business.” While many institutions have made great strides in managing third-party risks, fourth-party risk is “coming very quickly behind,” Buskard said. “It’s just an extension of the network.”
As third-party vendors establish more and more business relationships of their own, “you have more people touching your data, talking to your customers, connected to your network, and involved in your process,” Buskard said. All the risks that third-party relationships are prone to can accumulate among fourth parties, including technology-related risk and concentration risk. Buskard said regulators expect that organizations will have a methodology for managing fourth-party risk that “is commensurate with the risk they have. It’s something we have to pay attention to, and it’s something that we have to make sure our third parties pay attention to.”
In the early days of third-party risk management, Buskard said, “We had to build inventories of the third parties that we use. Who are they? Where are they? What are they doing? That shifted to: How reliant are you on that third party? These are all things we should be considering for fourth parties as well.” Given the number of fourth parties in play for a given institution, a risk-based approach to their management is crucial “so that you can focus your energy and resources on material fourth parties,” he said.
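The “aggregate view” Hendershott describes (multiple services with one third party, outsourced business processes, vendor locations) and the inventory questions Buskard raises for fourth parties (who are they, where are they, how reliant are we on them) can both be answered from one relationship inventory. The following is an added example, not code from the panel or from any of the institutions named, showing how such an inventory might be rolled up. The vendor names, fields, the service-count threshold, and the scoring rule are assumptions chosen for illustration; the inventory is constructed sample data.

```python
"""Aggregate view of third- and fourth-party concentration over a vendor inventory.

Added example; not code from the panel or from Ally, Fifth Third, or Aon.
INVENTORY is constructed sample data. Field names, the max_services threshold,
and the 'concentrated' rule are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Engagement:
    third_party: str
    service: str
    critical: bool            # supports a critical activity
    outsourced_process: bool  # an entire business process sits with the vendor
    location: str             # country/region of the delivering site
    fourth_parties: tuple = ()  # subcontractors the vendor disclosed for this service


# Constructed sample inventory (assumption: all names are fictional).
INVENTORY = [
    Engagement("AcmeCloud", "core hosting", True, False, "US", ("ChipFab", "NetCo")),
    Engagement("AcmeCloud", "backup/DR", True, False, "US", ("ChipFab",)),
    Engagement("AcmeCloud", "customer portal", True, True, "US", ("NetCo", "MailCo")),
    Engagement("PayHub", "card settlement", True, False, "IE", ("NetCo",)),
    Engagement("StaffPlus", "fraud analytics staff augmentation", False, False, "IN", ()),
    Engagement("PrintCo", "statement printing", False, True, "US", ("MailCo",)),
]


def third_party_concentration(inventory, max_services=2):
    """Per third party: services held, count of critical ones, whether a whole
    process is outsourced, and an 'all eggs in one basket' flag.
    Rule (assumed): more than max_services services, or an outsourced process
    that also carries a critical service, counts as concentrated."""
    by_vendor = defaultdict(list)
    for e in inventory:
        by_vendor[e.third_party].append(e)
    out = {}
    for vendor, engs in by_vendor.items():
        services = [e.service for e in engs]
        critical = sum(e.critical for e in engs)
        outsourced = any(e.outsourced_process for e in engs)
        out[vendor] = {
            "services": services,
            "critical_services": critical,
            "outsourced_process": outsourced,
            "concentrated": len(services) > max_services or (outsourced and critical > 0),
        }
    return out


def fourth_party_rollup(inventory):
    """Per fourth party: which third parties it sits behind, how many critical
    services ultimately depend on it, and whether it is shared across vendors
    (hidden concentration that a per-vendor view would miss)."""
    dep = defaultdict(lambda: {"third_parties": set(), "critical_services": 0})
    for e in inventory:
        for fp in e.fourth_parties:
            dep[fp]["third_parties"].add(e.third_party)
            dep[fp]["critical_services"] += int(e.critical)
    return {
        fp: {
            "third_parties": sorted(d["third_parties"]),
            "critical_services": d["critical_services"],
            "shared": len(d["third_parties"]) > 1,
        }
        for fp, d in dep.items()
    }


def location_rollup(inventory):
    """Critical services per delivering location, for natural-disaster and
    geopolitical review of the vendor's physical landscape."""
    loc = defaultdict(int)
    for e in inventory:
        if e.critical:
            loc[e.location] += 1
    return dict(loc)


if __name__ == "__main__":
    for vendor, row in third_party_concentration(INVENTORY).items():
        print("third party", vendor, row)
    for fp, row in fourth_party_rollup(INVENTORY).items():
        print("fourth party", fp, row)
    print("critical services by location", location_rollup(INVENTORY))
```

On the sample data, AcmeCloud is flagged for holding three services, while NetCo, which never appears as a direct vendor, turns out to sit behind three critical services across two third parties. That second finding is the point of the fourth-party roll-up: the exposure is invisible in any single vendor file and only appears in the aggregate.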
While deep diligence on all material fourth parties could be challenging, banks can employ techniques to help alert them to issues so they know where to dig deeper. “We’re doing negative news monitoring,” Buskard said. “All of us can think of recent cyberattacks and vulnerabilities in the industry. Many have been related to parties deep in the supply chain. Threat actors have started to realize that banks are no longer a weak link in the chain. So they’re going after those fourth and fifth parties.”
Ultimately, Buskard said, “You have to have a methodology. We can’t manage fourth-party risk haphazardly, any more than we could manage any other risk haphazardly. You have to be intentional about how you’re going to identify, understand, and manage fourth-party risk, so that you do it in a structured way, and you’re focusing on the areas of greatest risk to your organization.”