Tag: Risk management

Unlocking the Value of Third-party Risk Management | Blog

Organizations are increasingly relying on third parties for various functions to cut costs and leverage external expertise, which can introduce significant security risks. This blog explores how effective third-party risk management (TPRM) is crucial for identifying, analyzing, and controlling these risks, ensuring protection against potential breaches and vulnerabilities. Read on, or get in touch if you have specific queries on this topic.

The way businesses operate has changed significantly in recent years. The move away from traditional on-premises operations toward SaaS and cloud services, together with the growth of remote work, has led many organizations to rely more heavily on third parties for functions ranging from marketing to manufacturing. This approach not only saves costs but also provides a straightforward way to obtain expertise that the organization does not have in-house.

While outsourcing to third parties can make operations more efficient, it also introduces the risk of security breaches. Each third party or vendor expands the organization's attack surface, whether through network connectivity, privileged accounts, API integrations, or the data it holds on the organization's behalf, and any weakness in the vendor's environment becomes a potential entry point. Moreover, incidents that originate at a third party are harder to detect and more expensive to remediate than incidents contained within the organization's own environment, because the organization has limited visibility into, and limited control over, the vendor's systems.

To manage and mitigate these risks, organizations implement third-party risk management (TPRM) programs: the process of identifying, analyzing, reducing, and controlling the risks associated with outsourcing to third-party service providers or suppliers. These third parties can include contractors, sub-contractors, vendors, suppliers, joint ventures, business channels, and any non-customer entity with which the organization has established a relationship to outsource certain functions. The scope of a TPRM program depends on many factors, including regulatory guidance and industry.

Key factors influencing the evolution of TPRM (not exhaustive)

  1. Growth of remote work and expanding supply chains
  2. Rising prevalence of third-party vulnerabilities
  3. Increasing cyber threats and regulatory expectations
  4. Complex inter-organizational processes
  5. Lack of up-to-date inventory and security patches

Given the complexity of implementing and managing a TPRM program, it is important to understand the best practices and the key parameters that influence the sizing of TPRM services. We have observed that enterprises often struggle to right-size the TPRM ecosystem because so many factors are involved. Among these, the number of vendors, their size, and the control lists they must be assessed against most strongly influence the scope of managed services and, consequently, managed services pricing.

Challenges faced by enterprises while developing the TPRM program: (not exhaustive)

  1. Lack of standardization: Inconsistent risk assessment methodologies and varying levels of risk tolerance across different departments can lead to fragmented TPRM practices
  2. Data quality and integration: Poor data quality and challenges in integrating data from multiple sources can lead to inaccurate risk assessments and monitoring
  3. Regulatory complexity: Navigating the complexities of various regulatory requirements across different regions and industries can be challenging, especially for global enterprises
  4. Dynamic risk landscape: The ever-changing risk landscape, with new threats and vulnerabilities emerging regularly, requires continuous updates to the TPRM framework, which can be resource intensive
  5. Risk prioritization: Deciding which risks to address first, especially with limited resources, requires a clear understanding of which third parties pose the greatest risk and which areas of risk are most critical to the enterprise

Best practices for third-party risk management

  1. Vendor inventory: Maintaining a detailed record of all third-party vendors associated with the organization helps organizations gain insights into the scope of their external partnerships, making it easier to manage and assess risks effectively
  2. Vendor classification: Classifying vendors into criticality tiers can be done based on their level of access and integration (for example, network connectivity, privileged accounts, or access to sensitive data), the risk they introduce, and their impact on business operations. This helps organizations prioritize their risk management efforts
  3. Risk assessment: Risk assessment involves evaluating the potential risks associated with each vendor relationship, such as cyber risks, operational risks, financial risks, compliance risks, etc.
  4. Risk mitigation: Once risks are identified, mitigation strategies should be implemented, such as contractual provisions (security requirements, breach notification and audit rights), security audits, or monitoring activities, to reduce the identified risks
  5. Developing a risk management framework: Establish clear policies and procedures for vendor risk management, including assessment methodologies, reporting requirements, and escalation procedures
  6. Leverage technology, tools, and automation: TPRM tools can help an organization automate risk assessments, track vendor performance, and support ongoing monitoring, which improves the efficiency of the risk management program. They can also surface vulnerabilities and compliance gaps, making it easier to take appropriate action
  7. Continuous monitoring: Continuous monitoring of vendor relationships is vital to ensure that risks are managed effectively over time. Regular review of vendor performance, security posture, and compliance with contractual agreements should be performed. This proactive approach helps in detecting and addressing emerging risks before they escalate into critical issues

Delivery models for TPRM

We have observed that service providers typically offer the following delivery models:

  1. Build and transfer: Service providers develop the TPRM framework and capability for the client, then transfer it to the client's own team to operate
  2. Managed services: Service providers manage the end-to-end operations of the TPRM program as per the defined SLAs
  3. Staff augmentation: Service providers offer only the skilled resources to the client for their TPRM program
  4. Project-based: Service providers assess the client's third parties for a fixed cost or on a time-and-materials (T&M) basis

Key factors impacting the criticality of TPRM

  1. Number of vendors: A small number of third-party suppliers can be managed relatively easily, but as the number grows, the process needs to be handled more strategically and centralized under a well-defined framework
  2. Size of vendors: Organizations with a large number of small third-party vendors may be at greater risk than organizations with large third-party vendors, as smaller vendors often have fewer security resources and less mature controls
  3. Nature of vendors: The type of services provided by third parties also affects complexity, particularly if they involve sensitive data handling, regulatory compliance, or core business operations
  4. Regulatory environment: The regulatory requirements governing the industry and the geographic regions in which the organization operates also affect complexity, as non-compliance with these regulations can lead to legal and financial repercussions

Pricing models observed across TPRM-managed services

  1. Fixed fee: Most service providers follow a fixed-fee model for TPRM managed services, based on the number of vendors, the number of assessments, the complexity of the third parties, etc.
  2. Unit-based pricing: A few service providers bill customers on a per-unit basis, such as per assessment, per third-party vendor, or per control

For insights on the TPRM framework, pricing, and benchmarks, please reach out to Ricky Sundrani, Vinamra Shukla, and Vamsi Krishna. You can also access our supplier management toolkit that outlines key steps for risk management in outsourcing, or catch up on the latest risk management insights in our webinar on demand, Mitigating Supplier Risks: The Power Of Advanced Tools And Technologies.

Emerging Risk and Compliance (R&C) Outsourcing Needs | Blog

In the dynamic landscape of banking, financial services, and insurance (BFSI), risk and compliance (R&C) functions have become critical. Read on to explore the growing trend of outsourcing R&C processes, including the strategic advantages, regulatory considerations, and the role of specialized service providers in bolstering operational efficiency and compliance resilience amid evolving industry dynamics. Reach out to us to discuss further.

Risk and compliance (R&C) functions may not directly generate revenue, but they are crucial for the effective execution of business strategies and the ongoing operations of banking, financial services, and insurance (BFSI) enterprises. Conventionally, R&C receives attention only when something goes wrong, such as a regulatory enforcement action. It is time to adopt a proactive and strategic approach.

Recently, rising volumes of R&C-related processes have put significant pressure on the in-house compliance teams of BFSI enterprises, and the cost of failing to meet R&C mandates is extremely high. For example, Binance faced a US$4.3 billion penalty in 2023 due to lapses in its anti-money laundering program. Similarly, in 2024 HSBC was fined £57.4 million for customer deposit protection failings.

So, what’s the solution? While some BFSI enterprises, due to regulatory requirements or other sensitivities, must keep all compliance activities in-house, for others, outsourcing part or all of their compliance functions is a viable alternative. This shift not only addresses immediate pressures but also positions BFSI enterprises for future resilience and competitiveness.

The catch? Regulatory guidance emphasizes that even when compliance activities are outsourced, the company retains accountability for meeting its regulatory obligations. Hence the need for a thorough decision strategy when it comes to risk and compliance outsourcing.

Traditionally, R&C outsourcing in the BFSI sector has been limited to areas like KYC, AML, credit risk, operational, and third-party risk management, with some audit support services. However, the industry has recently become more open to outsourcing critical processes such as market and liquidity risk, fraud management and chargeback, enterprise risk management, internal audit support, risk consulting, and ESG services.

Exhibit 1: Risk and compliance value chain as defined by Everest Group

The rising propensity to outsource R&C processes is driven by a multitude of factors, including:

Current macroeconomic headwinds: The ongoing recessionary pressures are putting cost constraints on BFSI enterprises as they navigate a high-interest environment. Outsourcing R&C promises much-needed cost-effectiveness when compared to maintaining an in-house compliance team.

Rising volumes of R&C requirements: Current geopolitical scenarios, such as the Israel-Palestine and Russia-Ukraine conflicts, along with major global elections, have heightened the need for processes like sanctions screening and Politically Exposed Persons (PEP) monitoring. Additionally, the macroeconomic environment, in which many people are living paycheck-to-paycheck, has led to an increase in fraud and chargeback instances. Outsourcing to specialist firms can improve efficiency through economies of scale and a clear operational focus.

The increasing complexity of R&C processes: Fraudsters have become tech-savvy, and the global regulations keep on evolving. Outsourcing can provide quicker access to advanced systems, such as compliance analytics and AI-based risk models, that might be costly or time-consuming to develop in-house. By outsourcing compliance tasks, BFSI enterprises can focus on their core capabilities and strategic goals, thereby increasing productivity and competitiveness.

Access to specialized talent: As BFSI enterprises expand their compliance efforts and integrate them within core business operations, the demand for skilled compliance talent has risen. Effective compliance management now requires not only financial, legal, and analytical skills but also strong operational experience, a combination that is in short supply and can be complemented by an R&C specialist outsourcing partner.

Evolving enterprise priorities within risk and compliance

The COVID-19 pandemic forced BFSI enterprises to rapidly adapt their operations. As the pandemic evolved into an economic crisis, it triggered unemployment and social unrest, presenting challenges like business disruption, remote work, data security, cyber threats, and increased risk and compliance monitoring.

Failures of major banks such as Silicon Valley Bank, Credit Suisse, Silvergate Bank, and First Republic Bank highlighted the urgent need for continuous investment in legal, risk, audit, and compliance functions amid rising inflation and asset/liability mismatches.

Enhanced regulatory scrutiny is another key factor, as highlighted below:

  • AI and external data use control: The EU Artificial Intelligence Act, the first comprehensive legal framework for AI, was approved by the European Parliament on March 13, 2024. New Colorado Division of Insurance regulations require insurers to test AI and external data systems for unfair discrimination
  • Cybersecurity and data safety: The Consumer Financial Protection Bureau (CFPB) proposed rules on consumer-authorized financial data-sharing, and New York’s expanded cybersecurity rule mandates annual reviews of written policies by a governance committee
  • Capital and solvency oversight: The Financial Stability Oversight Council (FSOC) finalized a framework for assessing risks to US financial stability, including non-bank financial companies and payment systems. The CFPB proposed supervision of digital wallet and payment apps, while the National Association of Insurance Commissioners (NAIC) seeks to protect consumers by ensuring the solvency of life insurers through revised risk-based capital requirements

This more stringent supervisory environment pressures banking organizations to accelerate remediation efforts and operate with less room for error.

The road ahead

Outsourcing broader R&C is similar to the early days of IT outsourcing, where companies gradually outsourced processes one or two at a time. BFSI enterprises should strategically decide which compliance activities to outsource, ensuring these processes are already stable and effective in-house, as outsourcing alone won’t fix existing issues.

As the R&C landscape evolves, financial institutions must proactively adapt by assigning clear compliance responsibilities, integrating technology (AI, analytics, automation), and establishing robust risk management frameworks. Service providers will be essential in supporting these compliance efforts.

For more on R&C outsourcing trends and achieving regulatory compliance, contact Dheeraj Maken, Kriti Gupta and Ritwik Rudra, or download our report, “High Tide of Transformation – Financial Crime and Compliance (FCC) State of the Market 2024.”

Don’t miss our webinar, What’s Next in Financial Services? Driving Transformation Through Sourcing, Technology, and Operations, to learn how BFSI firms are driving business transformation in response to the macroeconomic environment, evolving customer needs, the tightening regulatory landscape, and the rapid adoption of AI and cloud technologies.
