Technology TPRM Forum is pleased to share the results of the survey covering the impact Digital Transformation is having on TPRM operations. We hope you enjoy the survey findings and it brings value to your TPRM efforts.
The IT-TPRM.com survey on the impact of Digital Transformation ask respondents the specific areas and activities TPRM leaders are taking with regards to Business Continuity. Results so far show a significant separation between oversight and governance tactics versus operational engagement. It appears TPRM professionals have limited interest or involvement in areas necessary to execute the business continuity plan, preferring to focus on assessing effectiveness of contract terms, identification of sub-contractors and alignment across parties.
Do you agree? Does this lead to ineffective business continuity? Does this create an unnecessary void between TPRM and operational execution? Should the FLOD be more engaged in scenario and BIA development?
The FFEIC’s Appendix J has placed increased focus among TPRM professionals on Business Continuity. While ‘resilience’ and Cyber-Security quickly become key areas of focus, effective management of Business Continuity must adopt a broader definition of risk with a focus on links and interfaces between individual service contributors.
Historically, BC is a subject negotiated as a contract term with the requirement to deliver a detailed plan for review and approval with a requirement for annual testing. This produces a series of individual tested components of your service or value stream, lacking a comprehensive, all-inclusive proven demonstration of service resilience.
Operational Risk Management leaders are creating dedicated TPRM BC positions to meet increased regulatory focus. To be effective, these new TPRM professionals need to drive a level of transparency and collaboration not typically associated with this subject. Areas of opportunity include:
· Enhanced Contract Terms – rethink the manner in which each individual third party must support individual BC testing and end to end collaborative testing.
· Complete inventory including 4th Party & beyond – create a complete end to end map that includes all parties that could potentially impact or influence service performance.
· Test Multiple scenarios – by segment & end to end – create collaborative participation across contributors
· With the end to end service decomposed, third party ‘Concentration’ and ‘Capacity’ will become evident and point to mitigation actions
It is time to rethink effective Business Continuity management with a comprehensive focus on ensuring end to end coverage with understanding of the interactions and dependencies of each service component.
During a panel discussion of regulators at the RMA’s GCOR conference, a Director from the OCC shared his experience with RPA and Artificial Intelligence platform firms. For TPRM leaders, the remarks shared should serve as a significant warning.
The Director shared automation is a key focus for the OCC. In an effort to become better educated and informed on this important development, the OCC has held multiple meetings with executives of leading RPA technologies. While the sessions have been productive, the Director shared that in his opinion, RPA leaders lack an understanding of the controls and governance activities necessary to satisfy financial institutions regulatory requirements.
What compounds risk exposure for TPRM leaders is the RPA and IA community’s adoption of self-contained Automation Centers of Excellence (CoE) that are accountable for all aspects of automation, including governance. These CoE’s are highly influenced by RPA platform providers and their implementations partners who are technology implementation and maintenance focused. It is likely the CoE’s approach to governance falls short of regulatory requirements and lead to incremental risk exposure.
TPRM leaders must proactively engage their internal automation sponsors, get engaged with the CoE’s and make certain controls and accountability are clearly defined and understood with clear roles and responsibilities. This will risk and automation teams to have a unified and coordinated response when the regulators come calling.
At last weeks RMA GCOR Conference in Cambridge, the final featured session was a panel of representatives from the OCC, FDIC and FRB. During the Q&A session, panelist were asked their opinions of the top areas of focus for their agencies. The leading items identified were:
- Distributed Ledger
- 3rd Party Management
With this insight, TPRM leaders have the opportunity to proactively look at their organization and prepare for the next generation of regulatory bulletins and requirements. FinTech, cloud and advances in automation will place a premium on skills and capabilities that understand operational impact, contracting requirements and effective monitoring of these emerging services.
Now is the time to prepare!
Over the past several months, I have had the fortunate opportunity to speak with a growing community of TPRM leaders. Based on these discussions, two consistent challenges to TPRM operations have emerged.
1. Investment in TPRM is not keeping pace with demand and expectation. TPRM and Operational Risk Management is viewed as an expense with little return. This perspective makes it difficult to secure incremental funding to support the expanding TPRM agenda.
2. Attracting and retaining TPRM skills is difficult. Identifying and retaining the necessary skills for a comprehensive TPRM operations is a challenge. Attrition impacts stability, consistency and ability to mature operational capability.
In many ways, these two key drivers fueled the growth of outsourcing and development of managed service offerings. Technology leaders identified task where efficiencies could be gained, allowing them to focus their limited resources and skills in the areas of greatest visibility and value.
Some ideas for improved TPRM operational efficiency include:
· We are fortunate in the TPRM community to be supported by expert advisory and consulting operations who are investing in platforms and skills to augment operations. TPRM managed service could potentially bring efficiencies and consistent operations and focus your resources on strategic activities.
· If your organization has other global facilities, perhaps you can explore adding staff at these locations to support TPRM activities as well as RCSA execution.
· Explore ways to enhance Third Party ‘Rules of Engagement’ across business units and product teams for risk priority.
· Coordinate with Audit, Vendor Management & Procurement to ensure activities are properly aligned to ensure there are no gaps or redundancies and explore if there is an opportunity for a shared GRC platform.
Please share other budget relieving approaches and ideas that have helped your TPRM efforts!
Global Banks and Financial Institutions are under severe pressure to reduce operating cost while at the same time deliver on a Digital Transformation agenda that enhances customer experience and produces new revenue streams through expanded product offerings. To meet this challenge, these organizations are increasingly turning to Automation (RPA/AI) to gain operational efficiency and FinTech platforms to satisfy their digital agenda; both introduce incremental risk to their enterprise risk profile.
This dynamic is forcing Enterprise and Operational Risk leaders to re-think the treatment of technology third parties. As technology solutions have expanded beyond IT and are engaged across operations, Technology Third Party Risk Management first line and second line teams are being challenged to move beyond vulnerability and resilience to address the full spectrum of an expanded technology portfolio. To do so, FLOD and SLOD will need to be dedicated, multi-discipline teams. FLOD focused on collaboration across key internal parties with SLOD providing oversight and coordination with Audit, Compliance and enterprise leaders.
Working closely with procurement, Technology TPRM leaders need to establish clear positions on Right of Survivorship, Change in Ownership, Termination and other likely events when dealing with micro-venture backed companies. This will enable rapid contracting and establishing consistent risk categorization.