The Third Party Risk Management organizational structure of three distinct lines of defense (FLOD, SLOD and Audit) is widely recognized as risk management best practice. However, as I meet with risk executives and leading advisors focused on this community, there is an all too common opinion that the First Line of Defense (FLOD) is less effective in digital and technology settings than it was designed to be.
It appears FLOD teams are challenged by the complexity and pace at which third party risk issues must be addressed to support their organization's digital agenda. This dynamic is producing a gap between TPRM and IT operational teams, making the FLOD a disconnected oversight function rather than an operational contributor.
The ISACA manual for the Certified in Risk and Information Systems Control (CRISC) designation identifies a possible root cause of this FLOD/TPRM dilemma. Section 1.6 of the CRISC Manual states: “The risk practitioner is not expected or required to be a technical expert in the design, implementation or support of IT systems and applications. However, strong knowledge of general IT concepts is invaluable for anyone whose roles and responsibilities require close and ongoing interaction with IT staff. The identification, assessment and monitoring of IT risk, as well as the recommendation of appropriate responses to the risk that is identified, require that type of close and ongoing interaction.”
To meet business demands, the FLOD must establish credibility and be fully engaged with IT operations to become an integral part of the team. TPRM leaders must closely evaluate the skills and capabilities of their FLOD to form this critical linkage. FLOD teams need to feature a blend of IT operations, InfoSec and risk backgrounds. By taking this proactive measure, TPRM leaders enable their FLOD to ‘get in the game’ and contribute at the speed necessary to achieve success and empower digital transformation.
The FFIEC’s Appendix J has placed increased focus among TPRM professionals on Business Continuity. While ‘resilience’ and cyber security are quickly becoming key areas of focus, effective management of Business Continuity must adopt a broader definition of risk, with attention to the links and interfaces between individual service contributors.
Historically, BC has been a subject negotiated as a contract term: the third party is required to deliver a detailed plan for review and approval, and to test it annually. This produces a series of individually tested components of your service or value stream, but no comprehensive, all-inclusive, proven demonstration of end to end service resilience.
Operational Risk Management leaders are creating dedicated TPRM BC positions to meet this increased regulatory focus. To be effective, these new TPRM professionals need to drive a level of transparency and collaboration not typically associated with the subject. Areas of opportunity include:
· Enhanced Contract Terms – rethink the manner in which each individual third party must support both its own BC testing and end to end collaborative testing.
· Complete inventory, including 4th parties and beyond – create a complete end to end map that includes every party that could potentially impact or influence service performance.
· Test multiple scenarios, by segment and end to end – create collaborative participation across contributors.
· With the end to end service decomposed, third party ‘Concentration’ and ‘Capacity’ become evident and point to mitigation actions.
It is time to rethink effective Business Continuity management with a comprehensive focus on ensuring end to end coverage with understanding of the interactions and dependencies of each service component.
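As an added illustration (this is example code, not part of the original post or any vendor's tooling), the end to end map described above can be kept as a plain dependency graph and queried for the two things the list calls out: which parties sit at each tier of a service, and where a fourth-or-deeper party is quietly shared by third parties that look independent from the contract. The services, vendors and providers below are constructed names, not a real inventory.

```python
from collections import defaultdict, deque

# Constructed sample inventory (hypothetical names, not a real vendor list).
# Each pair is (dependent, provider): a service depends on third parties,
# third parties depend on fourth parties, and so on down the chain.
DEPENDENCIES = [
    ("payments-service", "vendor-a"),
    ("payments-service", "vendor-b"),
    ("onboarding-service", "vendor-b"),
    ("onboarding-service", "vendor-c"),
    ("vendor-a", "cloud-x"),        # vendor-a and vendor-b both run on cloud-x
    ("vendor-b", "cloud-x"),
    ("vendor-c", "cloud-y"),
    ("vendor-c", "kyc-data-z"),
    ("cloud-y", "dns-w"),           # a fifth party, three hops below the bank
]
SERVICES = ["payments-service", "onboarding-service"]


def build_graph(edges):
    """Adjacency map: node -> set of providers it depends on directly."""
    graph = defaultdict(set)
    for dependent, provider in edges:
        graph[dependent].add(provider)
        graph.setdefault(provider, set())   # leaf providers exist as nodes too
    return graph


def transitive_providers(graph, node):
    """Every provider reachable from node, mapped to its tier depth
    (1 = direct third party, 2 = fourth party, ...). BFS records the
    shortest depth, and the visited map keeps cyclic inventories from looping."""
    depth_of = {}
    queue = deque([(node, 0)])
    while queue:
        current, depth = queue.popleft()
        for provider in graph[current]:
            if provider not in depth_of:
                depth_of[provider] = depth + 1
                queue.append((provider, depth + 1))
    return depth_of


def tier_report(graph, service):
    """Group a service's end to end contributors by tier."""
    tiers = defaultdict(list)
    for provider, depth in transitive_providers(graph, service).items():
        tiers[depth].append(provider)
    return {depth: sorted(names) for depth, names in sorted(tiers.items())}


def hidden_concentrations(graph, service):
    """Parties below the third-party tier that are reached through more than
    one of the service's direct third parties. Redundancy between those third
    parties is illusory when they share the same upstream provider."""
    reached_via = defaultdict(set)
    for third_party in graph[service]:
        for upstream in transitive_providers(graph, third_party):
            reached_via[upstream].add(third_party)
    return {p: sorted(v) for p, v in reached_via.items() if len(v) > 1}


def impacted_services(graph, services, failed_party):
    """Blast radius of an outage at any tier: which services lose a contributor."""
    return sorted(s for s in services
                  if failed_party in transitive_providers(graph, s))


if __name__ == "__main__":
    g = build_graph(DEPENDENCIES)
    for svc in SERVICES:
        print(svc, "tiers:", tier_report(g, svc))
        print(svc, "hidden concentration:", hidden_concentrations(g, svc))
    print("cloud-x outage impacts:", impacted_services(g, SERVICES, "cloud-x"))
```

In the constructed data, payments-service has two contracted third parties, but both sit on cloud-x, so a single fourth-party outage takes out the whole service; that is the concentration the decomposition is meant to surface, and it is invisible while each vendor's BC plan is tested in isolation. Capacity (how much of a shared provider's throughput each service consumes) is not modelled here; it would be an attribute on each edge rather than a separate structure.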
During a panel discussion of regulators at the RMA’s GCOR conference, a Director from the OCC shared his experience with RPA and Artificial Intelligence platform firms. For TPRM leaders, his remarks should serve as a significant warning.
The Director shared that automation is a key focus for the OCC. In an effort to become better educated and informed on this important development, the OCC has held multiple meetings with executives of leading RPA technology providers. While the sessions have been productive, the Director shared that, in his opinion, RPA leaders lack an understanding of the controls and governance activities necessary to satisfy financial institutions’ regulatory requirements.
What compounds risk exposure for TPRM leaders is the RPA and IA community’s adoption of self-contained Automation Centers of Excellence (CoEs) that are accountable for all aspects of automation, including governance. These CoEs are highly influenced by RPA platform providers and their implementation partners, who are focused on technology implementation and maintenance. It is likely that a CoE’s approach to governance falls short of regulatory requirements and leads to incremental risk exposure.
TPRM leaders must proactively engage their internal automation sponsors, get engaged with the CoEs and make certain that controls and accountability are clearly defined and understood, with clear roles and responsibilities. This will enable risk and automation teams to present a unified and coordinated response when the regulators come calling.
At last week’s RMA GCOR Conference in Cambridge, the final featured session was a panel of representatives from the OCC, FDIC and FRB. During the Q&A session, panelists were asked their opinions of the top areas of focus for their agencies. The leading items identified were:
- Distributed Ledger
- 3rd Party Management
With this insight, TPRM leaders have the opportunity to proactively look at their organization and prepare for the next generation of regulatory bulletins and requirements. FinTech, cloud and advances in automation will place a premium on skills and capabilities that understand the operational impact, contracting requirements and effective monitoring of these emerging services.
Now is the time to prepare!
Over the past several months, I have had the fortunate opportunity to speak with a growing community of TPRM leaders. Based on these discussions, two consistent challenges to TPRM operations have emerged.
1. Investment in TPRM is not keeping pace with demand and expectation. TPRM and Operational Risk Management are viewed as an expense with little return. This perspective makes it difficult to secure incremental funding to support the expanding TPRM agenda.
2. Attracting and retaining TPRM skills is difficult. Identifying and retaining the skills necessary for a comprehensive TPRM operation is a challenge. Attrition impacts stability, consistency and the ability to mature operational capability.
In many ways, these same two drivers fueled the growth of outsourcing and the development of managed service offerings. Technology leaders identified tasks where efficiencies could be gained, allowing them to focus their limited resources and skills on the areas of greatest visibility and value.
Some ideas for improved TPRM operational efficiency include:
· We are fortunate in the TPRM community to be supported by expert advisory and consulting operations that are investing in platforms and skills to augment operations. A TPRM managed service could bring efficiencies and consistent operations, and free your own resources to focus on strategic activities.
· If your organization has other global facilities, explore adding staff at these locations to support TPRM activities as well as RCSA execution.
· Explore ways to enhance third party ‘Rules of Engagement’ across business units and product teams so that risk priority is set consistently.
· Coordinate with Audit, Vendor Management and Procurement to ensure activities are properly aligned, with no gaps or redundancies, and explore whether there is an opportunity for a shared GRC platform.
Please share other budget relieving approaches and ideas that have helped your TPRM efforts!
Global Banks and Financial Institutions are under severe pressure to reduce operating cost while at the same time delivering on a Digital Transformation agenda that enhances customer experience and produces new revenue streams through expanded product offerings. To meet this challenge, these organizations are increasingly turning to automation (RPA/AI) to gain operational efficiency and to FinTech platforms to satisfy their digital agenda; both introduce incremental risk to the enterprise risk profile.
This dynamic is forcing Enterprise and Operational Risk leaders to rethink the treatment of technology third parties. As technology solutions have expanded beyond IT and are engaged across operations, Technology Third Party Risk Management first line and second line teams are being challenged to move beyond vulnerability and resilience to address the full spectrum of an expanded technology portfolio. To do so, FLOD and SLOD will need to be dedicated, multi-discipline teams: the FLOD focused on collaboration across key internal parties, with the SLOD providing oversight and coordination with Audit, Compliance and enterprise leaders.
Working closely with procurement, Technology TPRM leaders need to establish clear positions on right of survivorship, change in ownership, termination and other likely events when dealing with micro-venture-backed companies. This will enable rapid contracting and consistent risk categorization.
An interesting and predictable market dynamic occurs when an industry segment and profession become a top corporate priority: training and certification businesses, as well as industry associations, establish certification programs with ongoing CE requirements to establish professional consistency. The TPRM community is an excellent example of this phenomenon.
CRISC, CGEIT, CISA, CTPRP, CRVPM, CISSP, COP, CCSA and CRCM represent a sampling of the designations with a presence in the TPRM profession. Each has a unique focus or area of emphasis, with varying degrees of required experience, annual CE levels and out-of-pocket investment. The challenge for TPRM leaders is identifying which of these certifications is most relevant as we build our organizations.
I believe the short answer is – all of them!
When you consider the breadth of areas focused on by the OCC, CFPB, FRB and other regulators, TPRM expertise is required across the full third party life cycle, encompassing core vendor management and procurement disciplines, sourcing strategy, IT operations, cyber security, audit and assessments, business continuity accountability, contract audit and other risk requirements, governance, controls and more. Diversity of TPRM team member certifications will produce diversity of perspective, covering more of the TPRM lifecycle to better support regulatory requests and overall program effectiveness.
TPRM leaders need to orchestrate a team with multiple skills and backgrounds to meet the challenge of operational risk management in this age of digital transformation.
Digital transformation is driving widespread change and disruption across the global financial and banking community. To keep pace while effectively monitoring and measuring risk, Second Line of Defense (SLOD) organizations must be able to bring solutions and recommendations to their LOB leaders, in addition to credible challenges based on insight and knowledge of the underlying operations.
Risk leaders must assess the background, perspective and experience of their organization. Team composition will be key to anticipating tendencies and how the team will perform when the pressure is on.
· Teams dominated by risk- and audit-experienced professionals may struggle to understand operations, and therefore to mount credible challenges to LOB leaders.
· Cybersecurity-dominated teams may struggle with the broader third party issues crucial to meeting OCC and CFPB requirements.
· Vendor Management and Procurement experienced team members will understand the tactics to contract, monitor and assess ongoing performance, but may lack risk insight.
· IT operations experienced members will understand the required process workflows and can identify the breakdowns that lead to potential threats, but may have difficulty expressing these in terms of measured risk.
To provide effective credible challenges and insightful recommendations, risk leaders should assemble balanced teams with a comprehensive understanding of the multiple dynamics impacting TPRM. Leverage this multi-disciplined perspective to produce business value and reinforce ERM and ORM as partners who bring value and provide solutions.
We will work to balance the Perspective (blog) and Interview portion of IT-TPRM with targeted, brief research surveys designed to provide broader insight to TPRM opportunities.
As Operational Risk Management (ORM) leaders rapidly establish dedicated Technology Third Party Risk Management organizations, they are being challenged by their executives to address the accelerated pace of Digital Transformation. The need is to establish the processes, procedures, terms and assessments necessary to effectively assess the risk of digital technology adoption, such as FinTech, while satisfying regulator expectations.
To be truly effective, Enterprise and Operational Risk leaders must seize the opportunity to establish themselves as strategic facilitators of the digital agenda. By doing so, ORM leaders reduce the strain on their organizations and enable improved focus and execution. Consider these steps to enable a comprehensive and effective Digital TPRM program.
1. Facilitate a focused Digital Transformation dialogue across leadership
- Include Corporate Executives, Business, Product, Procurement, Audit, Technology leaders to establish a common vision.
- Get clarity – move beyond technology in general to the specific third parties in each category
2. Bring this detailed message to the operational leaders in each functional area.
- Drive alignment between executive vision and operational execution
- Challenge third party non-conformance
3. Clarify ‘risk must-haves’ for third parties to establish Minimum Viable Risk (MVR) tolerance
4. Establish a process by which third parties are engaged, with defined roles and responsibilities
5. Create frequent reporting to enhance transparency on status, gaps and corrective measures
Creating a dedicated Digital TPRM program, separate from or a sub-set of the Technology TPRM program, will create the focus necessary for ORM leaders to meet accelerating business time expectations with identified risk.