As the events of 2020 unfolded, operational risk teams around the world were provided a real-life ‘stress test’. In the process, many organizations realized that third-party risk management (TPRM) is much more than simply a regulatory requirement - it is, in reality, a material part of business resilience.
Now, many organizations are reevaluating how their TPRM programs can not only comply with a surge of new regulations, but also cope better with emerging risks, and build greater resilience in their supply chains.
TPRM leaders are being challenged to do this fast. This means they must have their eye on the horizon and understand what’s ahead. Here we discuss five trends that TPRM leaders should have on their radar.
1. Programs are becoming more holistic and cross-functional
If you’re running your third-party management program in silos, or confining your program coverage to a single risk domain – it’s time to think more broadly. Programs are now becoming more holistic and cross-functional.
Rather than operating in departmental silos (such as procurement, compliance, risk, information security, data privacy etc.) that do not collaborate, more organizations are now looking to develop a cross-functional approach to monitoring and managing third-party relationships.
Just as operational silos are being broken down – so too are risk silos. Programs are now expected to monitor multiple risk domains, including cyber security, data privacy, anti-bribery and corruption, ESG, quality, and more.
Programs are also extending deeper into supply chains to address these risks – it’s not just third parties that need to be accounted for – but 4th parties, 5th parties and beyond.
2. Environmental, Social, Governance (ESG)
If ESG is not on your third-party risk radar – it should be. ESG is being catapulted up the board agenda, with renewed focus and vigor from regulators, particularly those in the EU. Increasingly, organizations will need to consider not just their own footprint, but also understand and monitor their third parties' and suppliers' footprint and social impact.
In March 2021, the European Parliament voted for the adoption of a binding EU law that requires companies to conduct environmental and human rights due diligence along their full value chain or face concrete fines, sanctions and/or civil liability. It is likely that this law will come into force in the 2021-2022 timeframe.
Germany is also set to introduce fines, under its Due Diligence Act, for companies procuring parts or materials abroad from suppliers who fail to meet minimum human rights and environmental standards.
Unlike some of the other laws that seek to shine light on modern slavery and human trafficking in supply chains (such as the current UK Modern Slavery Act and California's Transparency in Supply Chains Act) these new acts are not just a reporting requirement. These have teeth and will require organizations to conduct the appropriate risk-based approach to due diligence and address issues, or face penalties.
It’s also likely that these regulations will have global implications: acts from the EU are typically broad in nature. Companies that are headquartered outside of the EU will still be in scope if they have operations and employees within the EU.
3. Operational Resilience
COVID meant operational risk plans received a real-life stress test. Employees (both internal and those at third-party organizations) were instructed to work from home, and global restrictions on travel and transit resulted in significant disruptions to physical supply chains. Plans were found wanting – and this has brought operational resilience (and more broadly business resilience and organizational resilience) front of mind.
Operational Resilience is more than Business Continuity Management (BCM). It’s more than Operational Risk Management. It’s more than Supply Chain Resilience or Third-Party Risk Management. It’s a combination of all of these, but is taken from a critical, service-driven approach to managing risk, response, and recovery.
Operational Resilience has been creeping up the agenda, particularly with Financial Services regulators, for some time. We’ve recently seen a number of Principles, Frameworks and Guidance documents published by the regulators, including:
EBA: Guidelines on Outsourcing Arrangements
FCA/PRA: Operational Resilience: Impact Tolerance for Important Business Services
PRA: Outsourcing and Third-party Risk Management
ECB: The European Union’s Digital Operational Resilience Act (DORA)
ECB: Cyber Resilience Oversight Expectations for Financial Market Infrastructure
OCC: Bulletin 2020-94 Operational Risk: Sound Practices to Strengthen Operational Resilience
FSB: Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships: Discussion paper
There are a range of drivers behind this focus on operational resilience:
The threat landscape is growing in complexity and variety (which includes everything from the threats associated with the pandemic, state sponsored cyber supply chain hacks, geopolitical volatility, to extreme weather);
A greater reliance on vendors, third parties, and outsourced providers to support organizations’ critical services;
The momentum of digital transformation projects, which are in many cases outpacing organizations’ ability to accommodate change;
The growing threat of cyberattacks which has also led to a stronger formalization of the relationship between BCM and cybersecurity.
All of these factors mean organizations need a comprehensive solution to plan and prepare for continuity of operations and services as well as to monitor threats, prevent incidents where possible, and execute associated response, recovery and restoration plans. A core component of resilience involves the ability to manage the risks associated with third parties, 4th parties and beyond (nth parties), including concentration risks associated with these.
The approach to operational resilience also needs to be holistic and cross-functional.
4. Cyber Security and Cyber Supply Chain Risk Management (C-SCRM)
When it comes to third-party risk management programs, cyber security is always top-of mind. And this should come as no surprise – more often than not, security breaches stem from a third-party vulnerability. A recent survey by the Ponemon Institute and SecureLink found that over half of organizations (51%) have experienced a data breach caused by third parties that led to the misuse of sensitive or confidential information. And the criminals exploiting flaws in controls are creative and resourceful – from Target’s HVAC breach to criminals hacking a fish tank to steal data from a casino! When there’s a will (and a weakness) there’s a way.
Now it’s cyber supply chains that are increasingly under attack. SolarWinds demonstrated that sophisticated state players are targeting digital supply chains (including third-party applications). And, more recently, security researchers discovered a software supply chain vulnerability at Composer, the main tool used to manage and install dependencies for PHP, which could put millions of websites at risk. These types of vulnerabilities, and the attacks exploiting them, hit the headlines every week.
This means TPRM programs need to evolve to better manage cyber risks further into their supply chain. To support this, NIST recently published guidance: Key Practices in Cyber Supply Chain Risk Management: Observations from Industry, which sets out 8 key best practices designed to help organizations of all sizes and industries build a robust program.
5. Intelligent Automation
Finally, all the above - the growing range of risks to manage, increased regulatory emphasis, the need to manage risks further into physical and digital supply chains - mean that smarter automation for TPRM programs is essential. There is simply too much data and too many complex business processes to manage programs manually.
TPRM leaders need to harness the power of technology, and be aware of the tools and technologies that can support their programs. AI and Machine Learning capabilities are now embedded in some of the market’s leading TPRM technologies, which provide added efficiencies to programs, and ensure resources are focused on the more strategic aspects of your program, rather than the administration.
While TPRM remains dynamic, one thing remains constant – and that’s ongoing expectation by global regulators for robust third-party risk management programs. With the volume and velocity of change, TPRM programs must be agile and adaptable. Having a view of trends that will affect how third-party risks are managed helps you prepare for tomorrow, today, and build greater business resilience in the process.