Third Party Risk Management and Coronavirus (COVID-19)

The Coronavirus (COVID-19) outbreak continues to develop, with impacts felt globally, affecting daily life and the financial markets.

Firms of all sizes and sectors have been taking urgent steps to prepare and respond, with business continuity and incident management teams heavily engaged. Their work includes a large amount of information sharing, refreshing business continuity plans and refamiliarizing staff. Plans are being tested or invoked, including "work from home" arrangements.

Business Continuity: Assessing Resilience of Third Parties

Banks, other types of financial services firms and, indeed, most major non-financial companies have significant networks of third parties, which include vendors, outsourcing partners, and others. In the financial industry, some of these relationships represent critical dependencies for regulated functions.

In "business as usual" times, procurement and third party risk management teams carry out due diligence and ongoing monitoring on these third parties across a range of risk domains, including information security, and business continuity.

With events such as COVID-19, firms move swiftly to review the vendor population and determine which are critical, operate in affected regions or are likely to be impacted. Those vendors representing the most material operational risk are targets for outreach. This outreach is usually supported by a questionnaire enabling the vendor firm to share details of whether and how they are affected, and the steps they have taken to prepare, mitigate and manage their response.

COVID-19: A Coordinated, Cross-Industry Response

In previous events which challenged business continuity, such as Superstorm Sandy, SARS, and Hurricane Katrina, financial services firms conducted their vendor outreach independent of one another. Vendors were deluged with due diligence requests. In part because each company was asking for different information, the quality of vendor response was uneven and the outreach process inefficient and subject to delays.

Fortunately, things are different in the case of COVID-19, thanks to the Significant Event Notification and Tracking (SENT) system. The SENT Committee comprised of global and regional financial services organizations, decided on March 10 to issue a new event with an agreed set of standard questions to help coordinate a cross-industry response.

This SENT event went live on March 11th and is being used to carry out COVID-19 due diligence across hundreds of vendors.

In contrast to the decentralized approach to assessing vendor resilience in the past, all communications are secure and audited on the platform and vendors can share their questionnaire answers efficiently with any number of customers requesting the information, including attaching any corporate statement they have on the subject.

SENT is part of the KY3P® (Know Your Third Party) third party risk management solution from IHS Markit.

KY3P customers can also efficiently monitor and receive alerts for a range of third party operational health and news sources about their vendors, including negative news, financial stability, sanctions and screening, and cyber health.

Specific Areas of Focus for COVID-19

Multiple factors were considered by the SENT Committee in developing the standardized questionnaire. These included:

Economic Shock: The pressure of cancelled contracts or high levels of unfinished goods and exposure to high risk countries may present a financial stability risk which requires careful monitoring.

Access to Critical Services: Vendors may face impacts due to restricted movement or higher than normal absence levels. Key person risk may be a factor, should employees with specialist expertise become unavailable. Previously shared SLAs may no longer be achievable based on the circumstances of locations where the service is supplied. Fourth parties (suppliers to your suppliers) may be a factor and should be identified and considered.

Access to Critical Goods: Limited availability of parts for critical infrastructure could be a factor. For Financial Services firms, examples of relevant critical goods could include replacement parts for IT infrastructure. Firms will typically be confirming their internal and vendor stock levels and will continue to monitor the situation through the rest of the year.

Risks & Controls: Moving operations to alternative locations carries risks. One example is working from home, which could carry information security risks which need careful management. Compensating controls may need to be re-examined. Any location-specific dependencies such as clean rooms must be understood and continuity plans for these functions examined.

Centralizing the assessment of vendor resilience during periods of disruption and heightened risk represents a major operational advance for the financial industry. It also enables vendors to provide higher quality responses to questionnaires and more fruitfully engage with financial institutions on BCP issues.

Beyond vendor assessments, monitoring and analyzing news and economic developments also plays a vital part in business continuity. This includes sourcing reliable data relating to the outbreak and its economic, political and logistical impacts across the world. It is also important to monitor vendors' current financial stability and company-related news.

IHS Markit's Economics and Country Risk (ECR) team, comprised of 80 full time country risk analysts and 110 economists, provides quantifiable forecasts and analysis on emerging political, economic, operational, and security risks in 211 countries around the world. With global risk monitoring and coverage, ECR is helping clients to quantify and assess the current impacts of COVID-19 to their operations, to forecast how their risk profiles may change in the coming months, and to develop more resilient and profitable strategies for the future.

Links

Know Your Third Party

IHS Markit Economics & Country Risk

Posted 12 March 2020 by Will Kendal, Director, Product Management, KY3P, IHS Markit

IHS Markit provides industry-leading data, software and technology platforms and managed services to tackle some of the most difficult challenges in financial markets. We help our customers better understand complicated markets, reduce risk, operate more efficiently and comply with financial regulation.

Follow Financial Services