Reimagining third-party due diligence for financial services
Financial health. Cybersecurity. Reputation. Compliance. Covid-19. Risk is everywhere for financial organizations dependent upon third-party suppliers, making third-party due diligence crucial in an increasingly unpredictable—and increasingly regulated—world.
A recent KPMG survey indicated that more than three in four respondents now make third-party risk management (TPRM) a strategic priority. But almost the same number said their organization's TPRM efforts need to be more consistent. And while half indicated they don't have enough in-house resources to do the job well, only a quarter reported using technology to ease these pressures.
Addressing these shortcomings has never been more important: nearly one in five respondents of a recent Deloitte survey reported that financial exposure stemming from inadequate TPRM can climb to more than $1 billion.
Clearly, financial services organizations need to bring greater rigor, depth, and innovation to TPRM—especially when faced with the growing expectations of clients, regulators, and internal stakeholders. But that's easier said than done when facing a potent combination of increasing data volumes, accelerating data velocities, a brutally disruptive pandemic, and an ever-growing list of hundreds—if not thousands—of third-party vendors, some of which are smaller companies that are easily overlooked.
IHS Markit recently held a roundtable discussion with a select group of vendor due diligence experts to learn what some of the world's leading risk professionals are doing to combat these issues. Hosted by IHS Markit's Alex Golbin, the panel comprised Eric Evans of financial health ratings service RapidRatings, Alex Rich of cybersecurity ratings provider Security Scorecard, Ally Financial's Charles Watts, and Google Cloud's Hauke Vagts.
The conversation surfaced five best practices and emerging trends for improving the vendor ecosystem in financial services.
Go beyond point-in-time monitoring
For most organizations, the default strategy is to pick a recurring day each year to send a third-party risk assessment questionnaire to a supplier. But a snapshot taken on one day in 365 is no longer enough to address heightened information security risks; anything that happens between assessments, including problems that appear and are quietly fixed, is invisible to it. Continuous monitoring of risk signals such as financial health ratings and cybersecurity ratings lets risk teams benchmark suppliers, identify longer-term trends or changes in a supplier's risk factors, and track the velocity and severity of those changes over time. Risk teams can then set thresholds, both on the rating itself and on how fast it is moving, that trigger alerts and follow-up actions when a supplier breaches them.
While ongoing monitoring is vital in all risk areas, it may be even more important in the cybersecurity realm, where new vulnerabilities and exploits are disclosed daily, if not hourly. A TLS certificate can expire or an endpoint can become infected with malware literally overnight, turning a supplier that looked low-risk at assessment time into a live exposure.
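As an added illustration of the monitoring logic this section describes (example code written for this page, not code from the roundtable participants, IHS Markit, or any ratings provider), the Python below walks a constructed daily time series of a vendor's rating, raises an alert when the score crosses a floor or drops sharply within a trailing window, reports each condition once until it clears so that a prolonged dip does not flood the queue, and contrasts the result with the single reading an annual assessment would see. The 0-100 scale, thresholds, vendor name, and scores are all assumptions chosen for the example.

```python
"""Continuous monitoring of a vendor's risk rating versus a once-a-year snapshot.

Added illustration for this article; not code from any ratings provider or
from the roundtable participants. The vendor name, scores, thresholds and the
0-100 scale are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Alert:
    vendor: str
    day: date
    kind: str      # "floor": score below the acceptable level; "velocity": rapid decline
    detail: str


def monitor(vendor, series, floor=70, velocity_drop=15, window_days=30):
    """Walk a date-sorted list of (date, score) readings and emit alerts.

    - "floor" fires when the score falls below `floor`.
    - "velocity" fires when the score has fallen by more than `velocity_drop`
      points from its high within the trailing `window_days` (severity and
      speed of change, not just the level).
    Each condition is reported once when it starts and re-arms only after it
    clears, so a vendor that stays degraded for weeks produces one alert,
    not one per reading.
    """
    alerts = []
    floor_active = False
    velocity_active = False
    for i, (day, score) in enumerate(series):
        below_floor = score < floor
        if below_floor and not floor_active:
            alerts.append(Alert(vendor, day, "floor",
                                f"score {score} below floor {floor}"))
        floor_active = below_floor

        # Readings inside the look-back window, excluding today's.
        recent = [s for d, s in series[:i] if (day - d).days <= window_days]
        fast_drop = bool(recent) and max(recent) - score > velocity_drop
        if fast_drop and not velocity_active:
            alerts.append(Alert(vendor, day, "velocity",
                                f"dropped {max(recent) - score} points within {window_days} days"))
        velocity_active = fast_drop
    return alerts


def point_in_time(vendor, series, assessment_day, floor=70):
    """The annual-questionnaire model: look only at the single reading taken
    on `assessment_day`."""
    on_day = [s for d, s in series if d == assessment_day]
    if on_day and on_day[0] < floor:
        return [Alert(vendor, assessment_day, "floor",
                      f"score {on_day[0]} below floor {floor}")]
    return []


START = date(2024, 1, 1)


def constructed_series():
    """Constructed daily scores: a vendor steady at 85 drops to 58 on day 40
    (say, malware seen on an exposed endpoint), climbs to 75 on day 55 and is
    back at 84 from day 70 onward."""
    scores = []
    for n in range(120):
        if n < 40:
            s = 85
        elif n < 55:
            s = 58
        elif n < 70:
            s = 75
        else:
            s = 84
        scores.append((START + timedelta(days=n), s))
    return scores


if __name__ == "__main__":
    series = constructed_series()
    for a in monitor("ExampleVendor", series):
        print(a)
    # An annual assessment on day 100 sees a score of 84 and raises nothing.
    print(point_in_time("ExampleVendor", series, series[100][0]))
```

Run as written, the continuous monitor raises two alerts on day 40 (the floor breach and the 27-point drop), while the point-in-time check on day 100 returns an empty list: the incident occurred and was remediated entirely between assessments. Swapping in a real ratings feed means replacing `constructed_series()` with the provider's history and tuning `floor`, `velocity_drop` and `window_days` to the tier of the vendor.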
Leverage technology to filter noise and uncover risk
With a growing number of risk vectors to monitor, most risk teams make the most of limited time and resources by prioritizing critical and high-risk vendors. But a small supplier can cause big problems if its data center is breached and it ends up as front-page news. Organizations need to keep a finger on the pulse of every vendor in their supply chain, and technology has become essential in enabling risk analysts to monitor and interpret a growing deluge of data.
Arming risk teams with artificial intelligence (AI), automation, and other technology tools can be a force multiplier that helps scale their capacity and effectiveness. Automated alerts tied to cybersecurity and financial ratings, sanctions data, news data, questionnaire responses, geopolitical risk, and other factors can free up risk teams to focus on more strategic tasks and improve their overall effectiveness. Automation can also help organizations receive cleaner data with less irrelevant noise or false positives, while generating data-driven analytics and reports in an integrated risk monitoring platform can drive even greater efficiency.
Focus on upgrading the talent on your risk team
Hiring risk analysts is no longer a pro forma exercise. As the number and complexity of risk factors has grown, the specialized talent required to manage them has advanced. Many organizations have traditionally hired entry-level analysts to cover multiple risk areas, but with the consequences of failure being so high, this approach is no longer adequate.
Hiring professionals with years of risk experience and subject matter expertise in one or more risk domains can go a long way when examining a supplier's policies and procedures. Not only do seasoned analysts know the right questions to ask, but they can more easily understand the implications of supplier risk policies and weigh them against hard evidence such as financial statements or other documents. More experienced risk specialists are also more likely to be able to interpret technical risk information and coherently explain their findings to senior stakeholders in your organization—a critical skill that helps to communicate the importance of the risk management function at the highest organizational levels.
Shift to tailored, evidence-based questionnaires
Most suppliers and risk analysts have learned to dread wading through hundreds or even thousands of questions covering every conceivable (and often irrelevant) possibility. Not only are these all-encompassing questionnaires largely a waste of the vendor's time, but they can also result in inaccurate or misleading responses as questionnaire fatigue sets in or junior staff are delegated to provide answers.
To combat these tendencies, analysts should look at creating smart, dynamic lists of focused questions that reflect a company's specific risk objectives and perceived areas of weakness. Shifting from attestation-based questions, where vendors are asked to confirm that they have specific policies and procedures in place, to evidence-based questions, where vendors must actually provide hard evidence to confirm it, is also an important refinement. For example, rather than asking a vendor to tick a box confirming that customer data is encrypted at rest, ask for the written key-management policy and a recent audit report or configuration export that shows the control is actually in effect.
Consider a shared assessment model
Organizations are starting to see significant cost savings and efficiency gains by adopting a shared risk assessment model, which essentially involves pooling ongoing risk assessment data and sharing responsibility for its collection between multiple organizations.
In one example, a consortium of 12 U.S. regional banks is working together with the goal of creating a more consistent and efficient risk assessment for both banks and suppliers. Consolidating the data into a single, shared source can significantly reduce the workload for vendors and enable financial institutions to become more efficient, and more cost effective, in their ongoing due diligence.
As the world evolves, TPRM processes must keep pace along with it—or risk getting left behind. Amid growing volumes of data and greater exposure to myriad risks, the risk management function is finding ways to manage the complexity, address redundancies and gain new efficiencies. As we look to the future, talent and technology will play a central role, as will innovative models that bring industry stakeholders together to solve the problem collectively.
S&P Global provides industry-leading data, software and technology platforms and managed services to tackle some of the most difficult challenges in financial markets. We help our customers better understand complicated markets, reduce risk, operate more efficiently and comply with financial regulation.
This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.