Governing Third Party Risk Management & Operational Resilience with OpRes
Published by Ben Saunders - OpRes Founder
Roughly a 4-minute read
Introduction:
In addition to their policies outlining the requirements on firms to establish sound practices for operational resilience, the Financial Conduct Authority and European Banking Authority have been increasing their focus on the material outsourcing of critical services to third-party suppliers. Third-Party Risk Management has grown in importance for firms and organisations across the world in the last 18 months, with the global pandemic showing just how fragile supply chains are across multiple industries; financial services is no different.
Amidst this heightened focus is a perception that there is a growing concentration risk across financial services on a subset of trusted public cloud service providers, as well as on the increasing adoption of FinTech solutions, which are themselves often underpinned by public cloud compute. Furthermore, the SolarWinds attack, which occurred between 2020 and 2021, has further demonstrated the need for firms to apply the necessary oversight of their third-party suppliers and of the software development processes those suppliers apply to their products.
As such, firms are required to establish outsourcing frameworks that enable them to demonstrate they have conducted the requisite due diligence on their suppliers, as well as ongoing assurance that those suppliers are fit and proper to underpin the delivery of a firm's important business services, particularly when they are deemed to be providing “critical” services to a firm's products and offerings. Whilst the cloud and outsourcing to a trusted third-party provider can accelerate the delivery of a business outcome, it can, on occasion, reduce the level of visibility a firm has into the software delivery lifecycle or technical infrastructure that powers the services it procures.
Therefore, it is imperative that firms gather as much evidence as possible to ensure that the services they are procuring are built on solid foundations. This can be achieved through a number of means. Initially, ensuring that the correct levels of service coverage, availability and performance requirements are captured in contractual agreements is essential. It may also be achieved by requesting industry-standard certifications from suppliers, evidence of annual business continuity testing, or software development metrics, or through the ongoing management of critical suppliers via periodic governance and service review meetings.
However, this ultimately comes down to having a sound procurement capability that works in conjunction with a firm's 1st and 2nd line control frameworks. Over the course of this blog, we will explain how firms can apply OpRes to establish the foundations of their third-party risk management framework.
How can OpRes help with third-party risk management reporting?
The criticality of a supplier is largely dictated by the important business services and financial functions it underpins. This can be exacerbated further by the number of firms that consume the same service or collection of services for their respective products (e.g., a public cloud service provider), or alternatively by an individual firm's overall market share for a specific business service or product set (e.g., the volume of current accounts, or trading volume for a specific asset class).
Furthermore, the management, governance, and oversight of critical suppliers can be a challenging and burdensome exercise for firms. This is particularly the case when firms procure services from hundreds if not thousands of suppliers and are required to demonstrate and evidence that they are compliant with standards and policies such as PCI, ISO, or SOX, as well as keeping on top of monthly service governance metrics, software release notes, business continuity testing, and penetration testing results, or potentially ESG-related data points, which are becoming increasingly important across financial services when vetting suppliers.
To support this objective, we are developing a new module within OpRes to capture the requisite evidence that a firm's suppliers are fit and proper to underpin their important business services. We are aiming to take the pain out of this activity for 1st/2nd line risk and the vendor management teams they work with by introducing some lightweight workflow automation, notification and dashboard capabilities. We are currently calling this module “Supplier Compliance Documentation”.
To illustrate how this will look within OpRes, we have posted one of our early screen designs below for the module.
By using this module firms will be able to:
Upload documents that support the capturing of compliance evidence with their third-party suppliers.
Set criticality levels for the documents. This in turn applies a workflow automation rule that notifies internal stakeholders and suppliers when a document has been uploaded to demonstrate a supplier's compliance in a particular area (e.g., ISO, PCI, etc.), when a document is approaching the end of its compliance lifespan, or ultimately when a document has breached its compliance lifespan. With OpRes we have established a framework that allows users to set a criticality for a document ranging from “Very High” importance to “Low” importance, and this then drives notifications and alerts to internal and external stakeholders based on predefined rulesets.
The out of the box rule-sets we apply are as follows:
Very High - When the user sets a document’s criticality as Very High, they will be notified that the document needs to be updated 80 days ahead of the compliance window ending.
High - When the user sets a document’s criticality as High, they will be notified that the document needs to be updated 60 days ahead of the compliance window ending.
Medium - When the user sets a document’s criticality as Medium, they will be notified that the document needs to be updated 40 days ahead of the compliance window ending.
Low - When the user sets a document’s criticality as Low, they will be notified that the document needs to be updated 20 days ahead of the compliance window ending.
As standard, we have assumed that compliance documents will need to be updated every 365 days. However, users can override this rule and set their own conditions and notification timeframes.
Get instant compliance insights by utilising a RAG reporting dashboard, enabling firms to understand where they need to act to address a supplier's reporting posture.
Users can see how many days remain on a specific document's compliance.
Users can set additional notifications and send tailored updates to internal and external stakeholders at predefined junctures via email, as illustrated below.
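The notification rule-sets and RAG dashboard described above, worked through as an added example (this is illustrative code written for this post, not OpRes's own implementation). It uses the post's lead times and 365-day default lifespan; the RAG mapping (Red = breached, Amber = inside the notification window, Green = otherwise), the per-document override fields and the sample evidence register are assumptions.

```python
from datetime import date, timedelta

# Out-of-the-box lead times from the post: days before the compliance window
# ends at which stakeholders are notified to refresh the document.
LEAD_DAYS = {"Very High": 80, "High": 60, "Medium": 40, "Low": 20}
DEFAULT_LIFESPAN_DAYS = 365  # the post's default; users may override per document

def days_remaining(uploaded, today, lifespan_days=DEFAULT_LIFESPAN_DAYS):
    """Days left on a document's compliance window; negative once breached."""
    return (uploaded + timedelta(days=lifespan_days) - today).days

def notification_due(criticality, remaining, lead_override=None):
    """True inside the notification window. lead_override models the post's
    user-set timeframe; an unknown criticality raises KeyError on purpose."""
    lead = LEAD_DAYS[criticality] if lead_override is None else lead_override
    return remaining <= lead

def rag_status(criticality, remaining, lead_override=None):
    """Assumed RAG mapping (not defined in the post): Red = window breached,
    Amber = inside the notification window, Green = otherwise."""
    if remaining < 0:
        return "Red"
    return "Amber" if notification_due(criticality, remaining, lead_override) else "Green"

def supplier_dashboard(documents, today):
    """One dashboard row per document: days remaining plus RAG status."""
    rows = []
    for doc in documents:
        remaining = days_remaining(doc["uploaded"], today,
                                   doc.get("lifespan_days", DEFAULT_LIFESPAN_DAYS))
        rows.append({"supplier": doc["supplier"], "document": doc["document"],
                     "days_remaining": remaining,
                     "rag": rag_status(doc["criticality"], remaining,
                                       doc.get("lead_override"))})
    return rows

# Constructed sample evidence register and review date; supplier names are fictitious.
TODAY = date(2021, 9, 1)
SAMPLE_DOCUMENTS = [
    {"supplier": "ExamplePay", "document": "PCI DSS attestation",
     "criticality": "Very High", "uploaded": date(2021, 1, 1)},
    {"supplier": "ExampleCloud", "document": "ISO 27001 certificate",
     "criticality": "High", "uploaded": date(2020, 10, 15)},
    {"supplier": "ExampleData", "document": "BCP test report",
     "criticality": "Low", "uploaded": date(2020, 8, 1)},
    {"supplier": "ExamplePay", "document": "Pen test summary", "criticality": "Low",
     "uploaded": date(2021, 4, 1), "lifespan_days": 180, "lead_override": 30},
]
```

Running `supplier_dashboard(SAMPLE_DOCUMENTS, TODAY)` yields Green, Amber, Red and Amber for the four sample documents; the last one is Amber only because its 30-day override replaces the 20-day "Low" default.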
Over time, our intention is to introduce the concept of “Compliance Templates”, where users can set predefined rulesets for specific compliance needs, so that rules, reporting, notification and update requirements are applied instantly to certain types of compliance documents for specific reporting needs. As an example, if a firm requires PCI compliance evidence from all of its payments-aligned suppliers, the user will be able to set a workflow rule in place, save it as a template and apply the workflow to all of the relevant suppliers, in turn saving administrative overhead and consolidating tracking and audit requirements into a single reporting funnel.
By applying these concepts and capabilities, we expect firms will be able to:
Increase the visibility and transparency of the information they are requesting from their third-party suppliers.
Enhance the service delivery insights they capture from their suppliers and surface potential risks and operational resilience gaps faster.
Simplify and standardise reporting for their third-party risk management procedures.
Unify and consolidate their evidence into a single source of truth for regulatory reporting.
Reduce administrative overheads by introducing simple workflow automation practices to their third-party risk management frameworks.
If you have any questions about the topics we have covered during the course of this blog, then please feel free to get in touch via hq@opres.uk.
Thanks for reading,
Ben