Reimagining third-party due diligence for financial services
03 December 2020
Financial health. Cybersecurity. Reputation. Compliance.
Covid-19. Risk is everywhere for financial organizations dependent
upon third-party suppliers, making third-party due diligence
crucial in an increasingly unpredictable—and increasingly
regulated—world.
A recent KPMG survey indicated that more than three in four
respondents now make third-party risk management (TPRM) a strategic
priority. But almost the same number said their organization's TPRM
efforts need to be more consistent. And while half indicated they
lack the in-house resources to do the job well, only a quarter said
they use technology to ease these pressures.
Addressing these shortcomings has never been more important:
nearly one in five respondents to a recent Deloitte survey reported
that the financial exposure stemming from inadequate TPRM can climb
to more than $1 billion.
Clearly, financial services organizations need to bring greater
rigor, depth, and innovation to TPRM—especially when faced with
the growing expectations of clients, regulators, and internal
stakeholders. But that's easier said than done when facing a potent
combination of increasing data volumes, accelerating data
velocities, a brutally disruptive pandemic, and an ever-growing
list of hundreds—if not thousands—of third-party vendors,
some of which are smaller companies that are easily overlooked.
IHS Markit recently held a roundtable discussion with a select
group of vendor due diligence experts to learn what some of the
world's leading risk professionals are doing to combat these
issues. Hosted by IHS Markit's Alex Golbin, the panel comprised
Eric Evans of financial health ratings service RapidRatings, Alex
Rich of cybersecurity ratings provider Security Scorecard, Ally
Financial's Charles Watts, and Google Cloud's Hauke Vagts.
The conversation surfaced five best practices and emerging
trends for improving the vendor ecosystem in financial
services.
Move from point-in-time assessments to continuous monitoring
For most organizations, the default strategy is to pick a
recurring day each year to send a third-party risk assessment
questionnaire to a supplier. But a single annual snapshot is no
longer enough to address heightened information security risks.
Continuous monitoring of multiple risk signals, including financial
health ratings and cybersecurity ratings, lets risk teams benchmark
suppliers, identify longer-term trends or changes in a supplier's
risk factors, and track the velocity and severity of those changes
over time. Risk teams can then set thresholds that trigger alerts
and follow-up actions when a supplier's rating falls below them, or
falls too quickly.
While ongoing monitoring is vital in all risk areas, it is even
more important in the cybersecurity realm, where new vulnerabilities
and exploits are disclosed daily, if not hourly. Externally
observable signals such as an expired certificate or an endpoint
that has started beaconing to malware infrastructure can appear
literally overnight, turning a seemingly low-risk supplier into an
urgent follow-up. Such signals are indicators that warrant
investigation with the supplier, not proof of a breach, and the
alert thresholds should be tuned accordingly.
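As an added example (not code from the article or from any of the panelists), the following Python sketch applies the two kinds of rule the passage describes to a vendor's rating history: an absolute floor, which is the only rule an annual questionnaire can ever apply, and a velocity rule that fires when a rating falls too quickly even while it is still above the floor. The vendor names, the 0-100 score scale, the threshold values and the rating histories are all constructed for illustration and do not correspond to any real provider's scoring.

```python
# Added example (not from the IHS Markit article): threshold and velocity
# alerting over a vendor's rating history. Vendor names, scores and
# thresholds are constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Observation:
    """One rating sample for a vendor (0-100 scale, higher is better; assumed)."""
    day: date
    score: int


@dataclass(frozen=True)
class Alert:
    vendor: str
    rule: str      # "floor" or "velocity"
    severity: str  # "high" or "medium"
    detail: str


def evaluate_vendor(vendor, history, floor=70, window_days=7, max_drop=10):
    """Return alerts for one vendor given its rating history.

    Rule 1 (floor): the latest score is below the absolute threshold.
    Rule 2 (velocity): the score fell by at least ``max_drop`` points from
    its peak inside the trailing ``window_days`` window, even if it is
    still above the floor. A once-a-year snapshot can only apply rule 1.
    """
    alerts = []
    if not history:
        return alerts
    history = sorted(history, key=lambda o: o.day)
    latest = history[-1]

    if latest.score < floor:
        alerts.append(Alert(vendor, "floor", "high",
                            f"score {latest.score} below floor {floor} on {latest.day}"))

    cutoff = latest.day - timedelta(days=window_days)
    in_window = [o for o in history if o.day >= cutoff]
    # Worst-case drop inside the window: compare the latest score with the
    # highest score observed in the window.
    baseline = max(in_window, key=lambda o: o.score)
    drop = baseline.score - latest.score
    if drop >= max_drop:
        alerts.append(Alert(vendor, "velocity", "medium",
                            f"dropped {drop} points since {baseline.day} "
                            f"({baseline.score} -> {latest.score})"))
    return alerts


def evaluate_portfolio(ratings, **thresholds):
    """Run the rules over every vendor; high-severity alerts come first."""
    order = {"high": 0, "medium": 1}
    alerts = []
    for vendor, history in ratings.items():
        alerts.extend(evaluate_vendor(vendor, history, **thresholds))
    return sorted(alerts, key=lambda a: (order[a.severity], a.vendor))


def _day(offset):
    return date(2020, 11, 1) + timedelta(days=offset)


# Constructed sample histories (not real vendors or real scores).
SAMPLE_RATINGS = {
    # Stable supplier: no alert.
    "steady-co": [Observation(_day(d), 85) for d in range(10)],
    # Still above the floor, but lost 12 points in a week: velocity alert.
    "falling-co": [Observation(_day(d), s) for d, s in
                   zip(range(10), [92, 92, 91, 91, 90, 89, 86, 83, 81, 79])],
    # Slow decline that has crossed the floor: floor alert only.
    "weak-co": [Observation(_day(d), s) for d, s in
                zip(range(10), [69, 69, 68, 68, 68, 67, 67, 66, 66, 65])],
}


if __name__ == "__main__":
    for alert in evaluate_portfolio(SAMPLE_RATINGS):
        print(f"[{alert.severity}] {alert.vendor}: {alert.rule} - {alert.detail}")
```

Running it on the sample data produces a high-severity floor alert for `weak-co` and a medium-severity velocity alert for `falling-co`; a point-in-time review that only checked the current score against the floor would have passed `falling-co` without comment. In practice the same structure can take several signal series per vendor (financial health, cyber rating, sanctions hits) with thresholds set per signal and per vendor tier.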
Leverage technology to filter noise and uncover risk
With a growing number of risk vectors to monitor, most risk
teams make the most of limited time and resources by prioritizing
critical and high-risk vendors. But a small supplier can cause big
problems if it is breached and ends up as front-page news.
Organizations need to be able to keep their finger on the pulse of
every vendor in their supply chain, and technology has become
essential in enabling risk analysts to monitor and interpret a
growing deluge of data.
Arming risk teams with artificial intelligence (AI), automation,
and other technology tools can be a force multiplier that helps
scale their capacity and effectiveness. Automated alerts tied to
cybersecurity and financial ratings, sanctions data, news data,
questionnaire responses, geopolitical risk, and other factors can
free up risk teams to focus on more strategic tasks and improve
their overall effectiveness. Automation can also help organizations
receive cleaner data with less irrelevant noise or false positives,
while generating data-driven analytics and reports in an integrated
risk monitoring platform can drive even greater efficiency.
Focus on upgrading the talent on your risk team
Hiring risk analysts is no longer a pro forma exercise. As the
number and complexity of risk factors has grown, the specialized
talent required to manage them has advanced. Many organizations
have traditionally hired entry-level analysts to cover multiple
risk areas, but with the consequences of failure being so high,
this approach is no longer adequate.
Hiring professionals with years of risk experience and subject
matter expertise in one or more risk domains can go a long way when
examining a supplier's policies and procedures. Not only do
seasoned analysts know the right questions to ask, but they can
more easily understand the implications of supplier risk policies
and weigh them against hard evidence such as financial statements
or other documents. More experienced risk specialists are also more
likely to be able to interpret technical risk information and
coherently explain their findings to senior stakeholders in your
organization—a critical skill that helps to communicate the
importance of the risk management function at the highest
organizational levels.
Shift to tailored, evidence-based questionnaires
Most suppliers and risk analysts have learned to dread wading
through hundreds or even thousands of questions covering every
conceivable (and often irrelevant) possibility. Not only are these
all-encompassing questionnaires largely a waste of the vendor's
time, but they can also result in inaccurate or misleading
responses as questionnaire fatigue sets in or junior staff are
delegated to provide answers.
To combat these tendencies, analysts should look at creating
smart, dynamic lists of focused questions that reflect a company's
specific risk objectives and perceived areas of weakness. Shifting
from attestation-based questions, where vendors are asked to
confirm that they have specific policies and procedures in place,
to evidence-based questions, where vendors must actually provide
hard evidence to confirm it, is also an important refinement.
Adopt a shared risk assessment model
Organizations are starting to see significant cost savings and
efficiency gains by adopting a shared risk assessment model, in
which multiple organizations pool their ongoing risk assessment data
and share responsibility for collecting it.
In one example, a consortium of 12 U.S. regional banks is
working together with the goal of creating a more consistent and
efficient risk assessment for both banks and suppliers.
Consolidating the data into a single, shared source can
significantly reduce the workload for vendors and enable financial
institutions to become more efficient, and more cost effective, in
their ongoing due diligence.
As the world evolves, TPRM processes must keep pace along with
it—or risk getting left behind. Amid growing volumes of data
and greater exposure to myriad risks, the risk management function
is finding ways to manage the complexity, address redundancies and
gain new efficiencies. As we look to the future, talent and
technology will play a central role, as will innovative models that
bring industry stakeholders together to solve the problem
collectively.