Business resilience
Oct 07, 2020

Five ways banks can lower third-party risk to drive operational resilience

When COVID-19 hit, financial institutions were quick to pivot toward work-from-home solutions for their onshore workforces. But they've been slower to enable their third-party partners to work from home. What's more, government-imposed restrictions in some countries, such as India, have made it difficult for global third-party providers that service financial institutions to become completely remote and continue supporting business as usual.

At the same time, COVID-19 has dramatically increased risk levels, including compliance, reputational, operational, cybersecurity, and information security risks, and third-party partners are far from exempt. Many financial institutions outsource critical functions such as claim settlements and underwriting, so it is important for them to minimize risk among the third-party partners that provide these services. This is particularly true because third-party risks affect an institution's overall operational resilience: its ability to protect and sustain its core business processes and services, especially during periods of disruption.

In recent years, many regulators, including the Office of the Comptroller of the Currency in the US, the European Banking Authority, and the Australian Prudential Regulation Authority, have homed in on third-party risks that affect operational resilience and have laid down guidelines.

It's imperative for financial institutions to focus on the role third parties play in their operational resilience. To this end, we have identified five steps to help your institution minimize third-party risk and maximize operational resilience:

  1. Identify critical services: First, ask yourself: for which core services, such as lending and loan services or other important consumer services, does your institution use third parties, fourth parties, and beyond?
  2. Reassess risks associated with third parties: Next, look at the risks associated with those critical providers. Of course, you should consider typical risks such as financial and information security risks. But don't stop there. For example, be sure to consider geopolitical and concentration risks associated with your partners' physical locations. Identify which risks are high priority for your organization, reassess your risk appetite, and determine your tolerance for core service disruptions. Then, integrate this information into your operational resilience plans.
  3. Review existing service-level agreements (SLAs): Given the current disruption, it's important to reevaluate existing third-party SLAs against your impact tolerances. In addition, account for the amount of work done by fourth parties and beyond (as part of the service provided by the third party), and update the SLAs to require periodic monitoring.
  4. Reevaluate and enhance the existing third-party continuous monitoring methodology: Update due diligence questionnaires to cover any additional risks associated with operational resilience, such as geopolitical and concentration risks. Alternatively, use supplemental questionnaires, such as a pandemic questionnaire, to assess third parties, fourth parties, and beyond.

About the authors

Rohit Goel

Third-Party Risk Management Expert

Philip Doran

Risk and Compliance Consulting Practice Leader, Australia and New Zealand