Indirect risk, or third-party risk management (TPRM), is becoming increasingly complex and is attracting attention from regulators. There are many examples of where weak oversight of third parties has had deep financial consequences for banks, such as when a group of leading credit card organizations paid $525 million to settle complaints of deceptive selling by their third-party suppliers, or when a financial major had to pay $770 million over credit card add-ons that were partly attributable to third-party vendors who misled customers.
The vendor base that banks have today is very complex, and includes direct and indirect spending with multiple vendors across the globe. Regulators now require organizations to assess their relationships with vendors, identify the inherent risks, and add controls to mitigate those risks. It is therefore no surprise that regulators such as the Federal Reserve, CFPB, and FINRA have turned their attention to TPRM.
Traditionally, banks have been far more familiar with exposure arising from direct lending or equity investments than with the exposure their third parties create, and most have not fully understood TPRM. In addition, issues such as data privacy, information security, and control reviews make this function very challenging. There is a pressing need for the right partner, ideally in a one-stop-shop utility model, to solve for TPRM.
So what does a world-class TPRM framework look like?
A world-class third-party risk management framework needs to be self-sustaining. It should ideally have four components:
- As in any lending environment, there needs to be a vendor strategy in place. Which vendors do we need to work with? What risk-readiness mechanisms should we have? How many vendors do we need for which functions?
- Next comes the design of policies and procedures. Most banks have credit policies in place for their retail and commercial banking divisions; they need equivalent policies for third parties as well.
- Once the policies are created, there needs to be an active way of managing risk, at the level of individual transactions as well as at the aggregated portfolio level. This calls for a strong rating mechanism backed by effective reporting.
- Technology plays a role, too: all data needs to be captured in a centralized system from which it can be easily and regularly reported and audited.
Third-party risk management lifecycle
A good, robust TPRM program needs lifecycle-based processes; without them, risk assessment and management would be sub-optimal, the rigor of risk management would vary because of the lack of standardization, and it would be difficult to integrate technology and demonstrate robust processes to regulators. A typical lifecycle has the following steps:
Ideally there should also be a centralized utility in order to manage TPRM better, comply with regulations, and keep a stronger handle on the data so that insights can be derived from it. A global technology platform with pre-integrated, best-of-breed components, strong security, and a modern architecture would serve as the foundation.
For a more detailed view of a world-class TPRM framework and the components of a global technology platform, please view our webinar here.