When COVID-19 hit, financial institutions were quick to pivot toward work-from-home solutions for their onshore workforces. But they've been slower to enable their third-party partners to work from home. What's more, government-imposed restrictions in some countries, such as India, have made it difficult for global third-party providers that service financial institutions to become completely remote and continue supporting business as usual.
At the same time, COVID-19 has dramatically increased risk levels, including compliance, reputational, operational, cybersecurity, and information security risks. And third-party partners are far from exempt from these risks. Many financial institutions outsource critical functions, such as claim settlements and underwriting. So, it is important for them to minimize risks among the third-party partners they use to provide these services. This is particularly true because third-party risks directly affect an institution's overall operational resilience, that is, its ability to protect and sustain its core business processes and services, especially during periods of disruption.
In recent years, many regulators – including the Office of the Comptroller of the Currency in the US, the European Banking Authority, and the Australian Prudential Regulation Authority – have homed in on third-party risks impacting operational resilience and laid down guidelines.
It's imperative for financial institutions to focus on the role third parties play in their operational resilience. To this end, we have identified five steps to help your institution minimize third-party risk and maximize operational resilience:
- Identify critical services: First, ask yourself: for which core services, such as lending and loan services or other important consumer services, does your institution use third parties, fourth parties, and beyond?
- Reassess risks associated with third parties: Next, look at the risks associated with those critical providers. Of course, you should consider typical risks such as financial and information security risks. But don't stop there. For example, be sure to consider geopolitical and concentration risks associated with your partners' physical locations. Identify which risks are high priority for your organization, reassess your risk appetite, and determine your tolerance for core service disruptions. Then, integrate this information into your operational resilience plans.
- Review existing service-level agreements (SLAs): Given the nature of the current scenario, it's important to reevaluate existing third-party SLAs based on impact tolerances. In addition, remember to consider the amount of work done by fourth parties and beyond (as part of the service provided by the third party) and update the SLAs for periodic monitoring.
- Reevaluate and enhance the existing third-party continuous monitoring methodology: Update due diligence questionnaires to include any additional risks associated with operational resilience, such as geopolitical and concentration risks. Alternatively, use supplemental questionnaires, such as the pandemic questionnaire, to assess the third parties, fourth parties, and beyond.
- Enhance use of third-party risk management technologies: Third-party risk management technologies, especially those providing real-time monitoring or early warning systems for supply chain risk events, can help you conduct virtual assessments of third parties. Third-party risk management is not 'one and done'. So, using technologies such as data analytics will not only help you gain insights but also help you continuously monitor the effectiveness of third-party operational resilience programs. Also be sure to internally publish periodic risk matrices and reports.
It's time to unlock your financial institution's operational resilience. And a risk-based approach to assessing the criticality and potential impact of each third party, especially in an adverse situation such as the COVID-19 pandemic, is key.