In my role with Global SRN, I am leading a major market research program to identify the impact Intelligent Automation and Business Analytics is having on current TPRM operations. We are very pleased to share that in all we have 30 TPRM Executives from large global financial organizations, 13 TPRM community partners and 3 academic partners helping develop, distribute and interpret the research results.
As I speak with leaders in each of these areas of the TPRM community, a consistent theme has emerged: TPRM organizations are struggling to secure the skills necessary to support todays operations and are highly concerned about the ability to identify and attract the skills necessary to transform their operations to meet business and regulatory demands. The core issue being how to evolve a community of operational risk professionals from a ‘rule-based’ orientation to a ‘judgment-based’ capability.
With the adoption of Business Analytics and Intelligent Automation, TPRM leaders will require First Line of Defense teams that understand the dynamics of their assigned Line of Business combined with analytical skills to quickly identify patterns and irregularities to take proactive measures. With the population of FLOD associates today primarily having operational risk backgrounds, there is likely a significant re-alignment on the horizon.
TPRM Forum’s recent survey of TPRM leaders identified effective collaboration of FLOD operations with Vendor Management, Strategic Sourcing and Procurement as the leading area of focus for improvement. Alignment across the cross-functional teams has the potential to achieve comprehensive vendor life cycle management and evidence support. The issue though is how to centralize and coordinate activity.
Looking specifically at the ‘monitoring’ phase of Third Party Risk & Vendor Management, we quickly see there are a number of activities, if coordinated and managed centrally, will provide regulators and audit the evidence required to substantiate effective TPRM operations. It also drives a productive level of collaboration and in essence, bonds the teams.
Third Part Risk Management ‘Monitoring’ Life Cycle Phase includes, but is not limited to, the following activities:
Vendor Management Organization:
Contract Management – collection and maintenance of the Deliverable & Obligation tracker with a structured, formal calendar of events. Artifacts stored in central, accessible location. This could include annual Insurance certificate, SOC II Type II Audit, DR Annual Test Results, Policy revisions etc.
4th Party Management – definition and approval of 4th party sub-contractors and execution of proper onboarding and offboarding by the Third Party
Performance Management – SLA & KPI’s associated with the contracted services
Operational Service Management – onsite assessments of the technology services aligned to CMMi, ITIL, NIST or similar independent methodology
Third Party Risk Management – FLOD:
Third Party Classification
Ongoing, dynamic monitoring (Business dimensions)
RCSA management &/or coordination
Regulatory environment changes and Legal Impacts
Regulator response support
Centralized reporting/vendor profile
Contract Currency – Revision and Amendment Maintenance
TPRM Forum recommends consistent, ongoing collaborative sessions between parties to ensure activities and schedules are maintained and a central, accessible repository is continually updated. This is a great opportunity to work with your GRC platform team to ensure activities and artifact collection is incorporated into workflow with artifacts accessible through a central dashboard.
Responses continue to stream in for the IT-TPRM.com survey on the impact of Digital Transformation on TPRM operations. We remain on track to share the full survey Mid-June!
The survey ask respondents to identify the digital technology dynamics impacting their organization currently or in the coming 12 months. To no surprise, Cloud, Cybersecurity & Automation are consistently identified as the technologies of greatest impact. The surprise so far is how low Blockchain is trending as a key area of focus for TPRM leaders.
At the recent RMW GCOR conference, during the regulator panel they stated the areas of great focus and interest is Cloud, Automation & Distributed Ledger (Blockchain). Are TPRM leaders not seeing what is emerging on the horizon or not clear as yet how it will impact their operations? Share your thoughts! Please take 3 1/2 minutes to take the survey.
Global Banks and Financial Institutions are under severe pressure to reduce operating cost while at the same time deliver on a Digital Transformation agenda that enhances customer experience and produces new revenue streams through expanded product offerings. To meet this challenge, these organizations are increasingly turning to Automation (RPA/AI) to gain operational efficiency and FinTech platforms to satisfy their digital agenda; both introduce incremental risk to their enterprise risk profile.
This dynamic is forcing Enterprise and Operational Risk leaders to re-think the treatment of technology third parties. As technology solutions have expanded beyond IT and are engaged across operations, Technology Third Party Risk Management first line and second line teams are being challenged to move beyond vulnerability and resilience to address the full spectrum of an expanded technology portfolio. To do so, FLOD and SLOD will need to be dedicated, multi-discipline teams. FLOD focused on collaboration across key internal parties with SLOD providing oversight and coordination with Audit, Compliance and enterprise leaders.
Working closely with procurement, Technology TPRM leaders need to establish clear positions on Right of Survivorship, Change in Ownership, Termination and other likely events when dealing with micro-venture backed companies. This will enable rapid contracting establish consistent risk categorization and support regulator expectations.
In preparation to design a targeted survey for Technology Third Party Risk Management (TPRM) emerging trends and best practices, I have had the opportunity to interview a dozen Enterprise Risk and Operational Risk leaders at major global banks and financial institutions. Based on the insights gained in these conversations, the following areas were continually voiced as areas of top priority for effective Technology TPRM execution. We will dig into each of these areas with the upcoming research effort.
·Effective TPRM of technology partners is at the forefront of enterprise and operational risk leader’s agendas
·Technology TPRM is more than Vulnerability Assessments and Threat Management
·Algorithm-centric risk practices are inadequate to assess Technology TPRM
·Comprehensive First Line of Defense (FLOD) execution is necessary for Second Line of Defense (SLOD) to effectively achieve goals and objectives
·SLOD leaders must be able to effectively communicate and collaborate across IT leaders, procurement, audit and compliance. Knowledge of the services, intended processes and contract terms are key.