Integrated Third-Party Risk Management: Collaborative, Coordinated and Continuous

Third-party risk management (TPRM) is increasingly a major point of discussion in boardrooms across the globe. Recent disruptions, including the collapse of several U.S. regional banks and the supply chain cyberattack on X-Trader – which led to another supply chain attack through 3CX – emphasize why an integrated TPRM program is critical not only for financial institutions, but for all organizations, as disruption does not discriminate.

Organizations must have more visibility into their third-party ecosystems and the roles that each of their third parties play in delivering core products and services to customers.

This is not an entirely new phenomenon. Over the past several years, organizations have realized their growing reliance on third parties, with 87% in a Deloitte survey reporting that they’ve faced a disruptive incident with their third parties over the past three years.

It has been proven time and again that organizations can no longer just react when disruptions occur. They must plan for, anticipate and mitigate potential disruptions before they occur to minimize downtime and prevent potential leaks of sensitive client data.

Regulations Raising the Stakes

As third-party risks increase, regulators have taken action to secure financial institutions from compounding disruptions by enforcing TPRM mandates. Specifically, the EU Digital Operational Resilience Act (DORA) requires organizations to expand third-party risk frameworks and practices to their vendors by 2025. This includes third-party criticality assessments for existing vendors and robust due diligence for new vendors.  

Fusion Risk Management’s Jordan Johnson: “An essential component of compliance.”

The magnified regulatory focus on TPRM means that risk management is not only an issue of protecting the institution's reputation, but also an essential component of compliance that can result in severe monetary penalties if organizations don’t meet regulatory requirements. TPRM must become a strategic priority for financial institutions, and it now demands a new approach to risk identification, monitoring and preparedness.

Yet, in Deloitte's 2022 TPRM survey, only 36% of financial services respondents had integrated processes across their entire organization. Siloed risk functions are insufficient amid the evolving risk and compliance landscape, so firms must work to build a more comprehensive view of resilience, including TPRM, in order to remain competitive and compliant.

From Reactive to Proactive

Evaluating current TPRM procedures and practices to find areas of improvement and drive efficiencies is crucial. The shift from a reactive to a proactive risk management posture requires organizations to take a new approach to managing their third parties. A robust TPRM program must include:

• Vendor criticality assessments – These are essential for prioritizing resources and mitigation strategies on those third parties that would significantly impact the delivery of core products and services to customers, as well as for evaluating secondary options if required. By harnessing technology, firms can reduce errors and move beyond redundant manual tasks and static data to achieve a 360-degree view of critical third parties and their associated risks.
• Ongoing monitoring – TPRM cannot be a point-in-time exercise. Disruptions happen in real time, and tracking, anticipating and reacting to disruptions on third parties simultaneously is crucial. Daily alerts and event monitoring connected to operational assets can help organizations better understand real-time risks.
• Vendor due diligence – Due diligence is an integral component of the third-party onboarding process, but it often relies on manual questionnaires that can leave key details out of the complete picture. Leveraging data brokers can help to provide a more holistic view and can assist in making quick, confident decisions.

A robust TPRM program also enables organizations to anticipate risks before they can cause organization-wide disruptions and to implement necessary mitigation tactics to keep downtime to a minimum. With a thorough understanding of the risk ecosystem and ongoing monitoring of critical third parties, organizations can significantly reduce operational risk, exceed compliance standards and thrive through future disruptions.  

Integrated and Enterprise-Wide Engagement

Siloed approaches to TPRM have proven to be ineffective. The lack of a holistic viewpoint results in inefficiencies and overlooked risks. A 360-degree view across departments and heightened collaboration help to better inform third-party risk mitigation efforts. Furthermore, cross-departmental coordination promotes accountability and streamlines established processes for third-party risk management.

In view of the various disruptions of the past few years, it is important to remember that a single third-party disruption can have cross-functional effects throughout an enterprise. Risk mitigation techniques should be thought of in the same manner.

Cross-departmental data sharing is essential to illuminate third-party dependencies across teams. Cross-functional working groups can help make informed decisions to manage risks proactively, and an integrated approach provides a holistic view of operational risks which enables more accurate and effective TPRM.

TPRM should not be approached as a “check-the-box exercise” just to satisfy regulators, but rather as a strategic investment in improving the organization’s risk and resilience posture. The only way to achieve a complete enterprise-wide view of risk is to make risk management a part of every employee’s remit. Both regulated and non-regulated entities should shift their focus today to prioritize TPRM, ensuring the organization can deliver on its brand promise to customers even when faced with third-party disruptions.

Jordan Johnson is Senior Product Marketing Manager of Risk Solutions at Fusion Risk Management. She is a PMA (Product Marketing Alliance) certified product marketing leader with experience in effectively driving product differentiation and a strong focus in risk management product positioning. She prides herself in her proven ability to understand an audience, translate market needs, develop value propositions, and support cross-functional teams with tactical prioritization of simultaneous projects – all while balancing demand in a rapidly evolving business environment.