As more organizations here in North America and overseas increasingly utilize third party vendors with a global presence to perform critical functions, process key transactions and provide exposure to sensitive proprietary information, those organizations with mature third party risk (TPR) programs are receiving a loud call to provide assistance to those new to the TPR field.
In my recent travels speaking to various industry groups regarding the importance of performing due diligence on your third party vendors within the US, the United Kingdom and Canada, I began to witness first-hand how this topic is increasingly on the minds of all at C-suite and board levels, regardless of industry. This issue is also not a US-centric challenge; organizations globally are struggling with standardization as well. I have conversed with dozens of senior executive professionals who have made one thing abundantly clear; which is that if you are in a regulated industry, the regulators are very serious when they say they are coming to check on your cyber and business resilience strategies, including your strategies that involve your vendors.
Speaking in June at a Centre for Financial Professionals (CEFPRO) conference in London, Robin Jones, of the UK's Financial Conduct Authority (FCA), discussed the fact that innovation in technology is receiving the strongest emphasis in the prudential specialists unit and that the unit is focused on those issues that surround events that involve an organization's third parties (1). He further added his unit is paying renewed focus on technology resiliency and outsourcing (termed "TRO") and that the FCA's Cyber Risk Team is monitoring these elements of soundness and risk with the industry.
Jones further indicated the risk spotlight for his group includes:
• Technology and association risks.
• Cyber risks.
• Monitoring the growth of Fintech (product innovation and new ways to deliver services), which is defined by the FCA as a "project innovate" that brings both benefits and risks along with innovation, including risks associated with use of the Cloud.
• Ensuring financial organizations are aware of UK guidance such as SYSC 4.1 (Business Continuity) and SYSC 8 (for Outsourcing which includes transition to new suppliers and concentration risk).
Jones additionally noted that the FCA will continue to review financial organizations to "ensure appropriate risks are identified and managed" and this is also at the third party processors as well.
So serious and important is this matter that one head of procurement from a large British bank pointedly said to me after my presentation "We are looking to you (i.e., the US) for guidance on this topic." A moment of clarity set in indicating the United States is leading the way in third party risk tools, techniques and strategies, and has been for quite some time. The call from our cousins across the pond - as well as other internationals - must be heard and we, for the good of all industry, must be willing to assist in sharing ideas and collaborating on strategies to address this important type of risk. I received a similar reception speaking at various engagements in Canada, which included the International Association of Privacy Professionals (IAPP) Privacy Conference in Toronto and the Payments Canada conference in Calgary. Organizations from a variety of industries at both conferences additionally evidenced that they were either unaware of third party risk completely or, for those who understood it, were challenged as to how their roles can assist in mitigating this risk. Various participants at the CEFPRO conference shared that they produced their own internally customized solutions of approaching third party risk, but no evidence of standardization could be detected. And, while guidance is sought from regulators by industry members, it was interesting to note that an onsite poll taken at the CEFPRO conference indicated that attendees prefer government to publish principles instead of rules by an enormous margin of 70% to 30%.
For the good of both industry and consumers worldwide, it is our duty to assist organizations new to third party risk by adopting and promoting standardized strategies, tactics, and tools that are of benefit to all of us to ensure such exposed processes and data are truly handled with care.
1) The Prudential Regulation Authority (PRA) is responsible for the prudential supervision and regulation of banks, building societies, credit unions, insurers and investment firms.