The IT-TPRM.com survey on the impact of Digital Transformation asks respondents about the specific areas and activities TPRM leaders are taking on with regard to Business Continuity. Results so far show a significant separation between oversight and governance tactics and operational engagement. It appears TPRM professionals have limited interest or involvement in the areas necessary to execute the business continuity plan, preferring to focus on assessing the effectiveness of contract terms, identifying sub-contractors and aligning across parties.
Do you agree? Does this lead to ineffective business continuity? Does this create an unnecessary void between TPRM and operational execution? Should the FLOD be more engaged in scenario and BIA development?
Responses continue to stream in for the IT-TPRM.com survey on the impact of Digital Transformation on TPRM operations. We remain on track to share the full survey results in mid-June!
The survey asks respondents to identify the digital technology dynamics impacting their organization now or in the coming 12 months. Not surprisingly, Cloud, Cybersecurity and Automation are consistently identified as the technologies of greatest impact. The surprise so far is how low Blockchain is trending as a key area of focus for TPRM leaders.
At the recent RMA GCOR conference, the panelists on the regulator panel stated that the areas of greatest focus and interest are Cloud, Automation and Distributed Ledger (Blockchain). Are TPRM leaders not seeing what is emerging on the horizon, or is it not yet clear how it will impact their operations? Share your thoughts! Please take 3 1/2 minutes to take the survey.
IT-TPRM.com has developed a targeted survey with the input and support of multiple TPRM leaders. The purpose of the survey is to identify emerging best practices being employed by TPRM teams to effectively meet the demands of digital transformation. Our plan is to share the complete research results with the full TPRM community by the end of June. Hopefully the results will help risk leaders fine-tune their current digital agenda and bring enhanced value to the business.
Thank you for taking 4 minutes to answer the 10 questions on the survey. All results are anonymous and will be reported in aggregate.
The Third Party Risk Management organizational structure of three distinct lines of defense (FLOD, SLOD, Audit) is widely recognized as risk best practice. However, as I meet with risk executives and leading advisors focused on this community, there is an all-too-common opinion that the First Line of Defense (FLOD) is less effective in digital and technology settings than designed.
It appears FLOD teams are challenged by the complexity and pace at which third party risk issues must be addressed to support their organization’s digital agenda. This dynamic is producing a gap between TPRM and IT operational teams, making the FLOD a disconnected oversight function rather than an operational contributor.
The ISACA manual for the Certified in Risk and Information Systems Control (CRISC) designation identifies a possible root cause of this FLOD/TPRM dilemma. Section 1.6 of the CRISC Manual states: “The risk practitioner is not expected or required to be a technical expert in the design, implementation or support of IT systems and applications. However, strong knowledge of general IT concepts is invaluable for anyone whose roles and responsibilities require close and ongoing interaction with IT staff. The identification, assessment and monitoring of IT risk, as well as the recommendation of appropriate responses to the risk that is identified, require that type of close and ongoing interaction.”
To meet business demands, the FLOD must establish credibility and be fully engaged with IT operations to become an integral part of the team. TPRM leaders must closely evaluate the skills and capabilities of their FLOD to form this critical linkage. FLOD teams need to feature a blend of IT operations, InfoSec and risk backgrounds. By taking this proactive measure, TPRM leaders enable their FLOD to ‘get in the game’ and contribute at the speed necessary to achieve success and empower digital transformation.
The FFIEC’s Appendix J has placed increased focus among TPRM professionals on Business Continuity. While ‘resilience’ and Cyber-Security have quickly become key areas of focus, effective management of Business Continuity must adopt a broader definition of risk, with a focus on the links and interfaces between individual service contributors.
Historically, BC has been negotiated as a contract term requiring the third party to deliver a detailed plan for review and approval, with a further requirement for annual testing. This produces a series of individually tested components of your service or value stream, lacking a comprehensive, all-inclusive, proven demonstration of service resilience.
Operational Risk Management leaders are creating dedicated TPRM BC positions to meet increased regulatory focus. To be effective, these new TPRM professionals need to drive a level of transparency and collaboration not typically associated with this subject. Areas of opportunity include:
· Enhanced Contract Terms – rethink the manner in which each individual third party must support both individual BC testing and end-to-end collaborative testing.
· Complete inventory including 4th Party & beyond – create a complete end-to-end map that includes all parties that could potentially impact or influence service performance.
· Test multiple scenarios – by segment and end-to-end – create collaborative participation across contributors.
· Concentration and Capacity – with the end-to-end service decomposed, third party ‘Concentration’ and ‘Capacity’ will become evident and point to mitigation actions.
It is time to rethink effective Business Continuity management with a comprehensive focus on ensuring end-to-end coverage and an understanding of the interactions and dependencies of each service component.
During a panel discussion of regulators at the RMA’s GCOR conference, a Director from the OCC shared his experience with RPA and Artificial Intelligence platform firms. For TPRM leaders, the remarks should serve as a significant warning.
The Director shared that automation is a key focus for the OCC. In an effort to become better educated and informed on this important development, the OCC has held multiple meetings with executives of leading RPA technology firms. While the sessions have been productive, the Director shared that, in his opinion, RPA leaders lack an understanding of the controls and governance activities necessary to satisfy financial institutions’ regulatory requirements.
What compounds risk exposure for TPRM leaders is the RPA and IA community’s adoption of self-contained Automation Centers of Excellence (CoEs) that are accountable for all aspects of automation, including governance. These CoEs are highly influenced by RPA platform providers and their implementation partners, who are focused on technology implementation and maintenance. It is likely that the CoEs’ approach to governance falls short of regulatory requirements and leads to incremental risk exposure.
TPRM leaders must proactively engage their internal automation sponsors, get engaged with the CoEs and make certain that controls and accountability are clearly defined and understood, with clear roles and responsibilities. This will allow risk and automation teams to have a unified and coordinated response when the regulators come calling.
At last week’s RMA GCOR Conference in Cambridge, the final featured session was a panel of representatives from the OCC, FDIC and FRB. During the Q&A session, panelists were asked their opinions of the top areas of focus for their agencies. The leading items identified were:
3rd Party Management
With this insight, TPRM leaders have the opportunity to proactively look at their organization and prepare for the next generation of regulatory bulletins and requirements. FinTech, cloud and advances in automation will place a premium on skills and capabilities that understand operational impact, contracting requirements and effective monitoring of these emerging services.