It’s been nearly three years since the release of OCC Bulletin 2013-29 with risk management guidelines for evaluating third-party relationships. At that time, some financial institutions were already well on their way towards adopting best practices around third-party risk, while other organizations had not yet begun the process. Regardless of the impetus, banks are making significant progress in the area of third-party risk management, according to Ernst & Young’s recent study, Shifting Toward Maturity.
EY’s fifth annual survey, conducted between October and December 2015 across 49 global financial services organizations, showed that banking organizations have continued to make significant strides in third-party risk management (TPRM), surpassing their insurance and asset management counterparts. While there’s always room to grow, EY’s survey highlighted four areas of maturity worth mentioning.
4 Areas of Considerable Progress for Third-Party Risk Management
Greater Focus on Risk Assessment
Third-party risk awareness is on the rise: 39% of organizations surveyed reported that all third parties require some form of risk assessment, a significant increase from the 19% reported in 2014. This increase in third-party risk assessment goes beyond the pre-contract due diligence process, with 57% of organizations continuing to conduct assessments post-contract. Not only does this continuous risk assessment meet regulatory compliance requirements, but it also increases operational efficiency and profitability, maintains business continuity, and protects brand reputation.
More Granular Approach to Segmenting Third Parties
Organizations are moving away from the basic “high,” “medium” and “low” risk classification and taking a more comprehensive approach to identifying and categorizing potential risks. The proportion of organizations with four or five risk tiers has increased from 22% to 39%. Organizations are also diving deeper into the ranks, with 90% of them maintaining a list of critical third parties that could have the greatest impact on their bottom line. This is a sign of TPRM maturity that will allow them to make better risk decisions.
Increase in Identification and Monitoring of Fourth-Party Relationships
Organizations are realizing that their risk management doesn’t need to end with third parties. Instead, they’re expanding their horizons. This year’s survey showed that nearly 90% of organizations identify or maintain an inventory of fourth parties, and they’re identifying them earlier: 78% of organizations identify fourth parties within the contracting phase, up from 60% the year before. Moreover, 75% are turning to their third parties to manage and evaluate fourth parties through controls or contractual terms, a huge increase from 36% last year.
Continued Investment in Technology
Investment in third-party risk management is on the rise, as more than 95% of organizations said they will spend the same or more on their risk management efforts moving forward. While organizations reported dissatisfaction with the level of tool integration, they also recognize that efficient third-party risk management requires consistency, repeatability, and scalability that can only be achieved through technology. Consistent with this sentiment, 54% are planning to spend more on technology, up from 40% last year.
While the regulatory changes of 2013 and 2014 have clearly pushed the industry to improve, many organizations are still experiencing growing pains as they get used to their risk management programs. Oversight and governance are among the top indicators of third-party risk maturity from a regulatory standpoint; however, two-thirds of the survey respondents do not report emerging risks or incidents involving third parties to their Board of Directors. Nearly three quarters (71%) of the surveyed organizations report third-party risk data to senior management, but only 43% report that same information to the Board. Still, that’s up from 26%, which is a move in the right direction.