
Third-Party Risk Management: A Critical Component for Financial-Services Firms

by internationalbanker

By Richard Cooper, Global Head of Financial Service Go-To-Market, Fusion Risk Management





In the past few years, financial-services firms have had to navigate a series of unprecedented challenges. From geopolitical turmoil to cyberattacks and bank failures, these crises have not only impacted the firms themselves but also profoundly affected their third parties and suppliers.

Financial-services firms’ increasing reliance on third parties to perform critical operations is a trend with significant implications, and it has been a double-edged sword. On one hand, it has spurred rapid innovation and digitization within the sector. On the other, it has exposed these firms to a spectrum of new risks, because a supplier’s outage, breach or insolvency now lands directly on the firm’s own customers. Regulatory bodies, recognizing the critical nature of these developments, have responded with proactive measures.

DORA: Paving the way for digital risk mitigation

Numerous recently enacted regulations require financial-services firms to be operationally resilient. A prime example of this regulatory response in the European Union (EU) is the Digital Operational Resilience Act (DORA). Applying from 17 January 2025, DORA represents a concerted effort to unify and enhance information and communications technology (ICT) risk requirements. Its objective is to establish a uniform standard for mitigating the risks associated with digital operations. DORA covers a broad range of financial institutions, underscoring the necessity for these firms to be able to withstand, respond to and recover from all types of ICT-related disruptions and threats.

Furthermore, DORA introduces an oversight framework for ICT third-party providers designated as critical, such as large cloud-service providers. This aspect of the regulation is particularly significant as it extends regulatory vigilance beyond financial institutions to the vital third parties on which they depend. It also requires firms to maintain a register of their ICT third-party arrangements and to map them to the functions those arrangements support, which makes the dependency on each provider explicit rather than implicit. It reflects an understanding that the security and stability of financial-services firms are inextricably linked to the reliability and resilience of their third parties.

Focusing solely on a firm’s internal risk management is no longer adequate. Expanding this focus to encompass the entire supply chain is urgent, ensuring operational resilience through comprehensive third-party risk management (TPRM).

Adapting to an evolving risk landscape

In today’s evolving and complex risk environment, a reactive approach to risk management is no longer sufficient. Continuous monitoring of risk landscapes and third parties’ performances is crucial. It’s insufficient to rely solely on due-diligence questionnaires completed during vendor onboarding.

Governance structures, technologies and third parties’ resilience are continually evolving. Information that was accurate six months ago may no longer be valid, so evidence should carry an expiry: an assessment older than the firm’s validity window should be treated as unknown, not as still satisfactory. Risk teams should establish key risk indicators for continuous surveillance, including vendor-performance metrics (missed SLAs, incident counts), security vulnerabilities (open critical findings, external attack-surface changes) and compliance posture (expired certifications, lapsed attestations). Collaboration between the firm’s risk-management, IT (information technology) and procurement teams and its third parties is also vital, so that engagement continues throughout the monitoring process and informs a proactive risk-management approach.
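The re-scoring logic this implies, as an added example that is not part of the article or of any Fusion Risk Management product: each vendor is re-evaluated from its current indicators on every run, evidence older than a six-month window is flagged rather than trusted, and an escalation tier is derived. The vendor records, the 180-day window, the thresholds and the tier rules are constructed assumptions for illustration.

```python
"""Continuous third-party monitoring: re-score vendors from current KRIs.

Added illustrative example. The vendor records, thresholds and tiering
rules below are constructed; adapt them to the firm's own risk appetite.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# Assumption: evidence older than six months is treated as unknown, not as
# "still fine" (the article's point about stale questionnaires).
EVIDENCE_MAX_AGE_DAYS = 180


@dataclass
class Vendor:
    name: str
    criticality: str                  # "critical" or "standard" (assumed tiers)
    last_assessment: date             # date the questionnaire / attestation was reviewed
    open_critical_vulns: int          # from external scanning or vendor disclosure
    sla_breaches_90d: int             # missed SLAs in the last quarter
    compliance_gaps: List[str] = field(default_factory=list)  # e.g. expired cert


@dataclass
class Finding:
    vendor: str
    indicator: str    # which KRI fired
    detail: str
    severity: str     # "high" or "medium"


def evaluate_vendor(v: Vendor, today: date) -> List[Finding]:
    """Apply each key risk indicator to the vendor's current data."""
    findings: List[Finding] = []

    age_days = (today - v.last_assessment).days
    if age_days > EVIDENCE_MAX_AGE_DAYS:
        # Stale evidence on a critical supplier is treated as a high finding.
        sev = "high" if v.criticality == "critical" else "medium"
        findings.append(Finding(v.name, "stale_evidence",
                                f"last assessed {age_days} days ago", sev))

    if v.open_critical_vulns > 0:
        findings.append(Finding(v.name, "security_vulnerabilities",
                                f"{v.open_critical_vulns} open critical", "high"))

    if v.sla_breaches_90d >= 2:  # assumed tolerance: one miss per quarter
        findings.append(Finding(v.name, "vendor_performance",
                                f"{v.sla_breaches_90d} SLA breaches in 90 days", "medium"))

    for gap in v.compliance_gaps:
        findings.append(Finding(v.name, "compliance_posture", gap, "medium"))

    return findings


def escalation_tier(v: Vendor, findings: List[Finding]) -> str:
    """Assumed rule: any high finding, or two mediums on a critical vendor,
    escalates; any other finding is monitored; otherwise the vendor is ok."""
    highs = sum(1 for f in findings if f.severity == "high")
    mediums = sum(1 for f in findings if f.severity == "medium")
    if highs or (v.criticality == "critical" and mediums >= 2):
        return "escalate"
    if mediums:
        return "monitor"
    return "ok"


def monitor(vendors: List[Vendor], today: date) -> Dict[str, str]:
    """Re-score every vendor and return name -> escalation tier."""
    return {v.name: escalation_tier(v, evaluate_vendor(v, today)) for v in vendors}


# Constructed sample register (not real vendors).
SAMPLE_VENDORS = [
    Vendor("CloudHost", "critical", date(2024, 3, 1), 0, 0),
    Vendor("PayrollCo", "standard", date(2024, 8, 15), 1, 0),
    Vendor("PrintShop", "standard", date(2024, 9, 1), 0, 2),
    Vendor("DataFeed", "critical", date(2024, 7, 20), 0, 1,
           ["ISO 27001 certificate expired"]),
]

if __name__ == "__main__":
    as_of = date(2024, 10, 1)
    for v in SAMPLE_VENDORS:
        for f in evaluate_vendor(v, as_of):
            print(f"{f.vendor:10} {f.severity:6} {f.indicator:25} {f.detail}")
    print(monitor(SAMPLE_VENDORS, as_of))
```

Note that CloudHost has no vulnerability or performance signal at all; it escalates purely because its only evidence is 214 days old, which is the behaviour a point-in-time questionnaire process would miss.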

Strengthening resilience with a comprehensive TPRM strategy

In a recent report by the Ponemon Institute and CyberGRX titled “The Cost of Third-Party Cybersecurity Risk Management,” the authors highlighted that, on average, an organization has 5,800 vendors. An effective TPRM program offers a panoramic view of the firm’s entire supply chain, delineating the role of each third party in delivering essential services. By thoroughly mapping this ecosystem, including the subcontractors a provider itself relies on, firms can link critical vendor offerings to the services they deliver to their customers. This allows them to identify concentration risk (one provider underpinning several critical services) and the weaknesses through which a single disruption could harm core operations. TPRM enables firms to move from a reactive approach, scrambling to manage crises as they arise, to a proactive approach with well-established plans and procedures, allowing for agility and responsiveness in times of crisis.
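The mapping described above, as an added example that is not part of the article or of any vendor product: business services are linked to their direct providers, providers to their own subcontractors, and the graph is walked to find which services a single provider outage would disrupt, which providers are concentration points for critical services, and which fourth parties appear in the chain without a register entry. The service names, provider names and dependency edges are constructed for illustration.

```python
"""Dependency mapping for third-party risk: blast radius and concentration.

Added illustrative example with a constructed register; the services,
providers and edges below are not real organisations.
"""
from typing import Dict, List, Set

# Business service -> providers it consumes directly (constructed).
SERVICE_DEPS: Dict[str, List[str]] = {
    "retail_payments": ["CoreBankingVendor", "CloudA"],
    "mobile_banking": ["MobileAppVendor", "CloudA"],
    "trade_settlement": ["SettlementVendor"],
    "customer_support": ["CallCenterVendor"],
}

# Registered provider -> subcontractors (fourth parties) it depends on.
# "PushNotifyVendor" is deliberately referenced but not registered, to show
# how an incomplete register is detected.
PROVIDER_DEPS: Dict[str, List[str]] = {
    "CoreBankingVendor": ["CloudA"],
    "MobileAppVendor": ["CloudB", "PushNotifyVendor"],
    "SettlementVendor": ["CloudB"],
    "CallCenterVendor": [],
    "CloudA": [],
    "CloudB": [],
}

# Services whose disruption would harm core operations (assumed).
CRITICAL_SERVICES: Set[str] = {"retail_payments", "mobile_banking", "trade_settlement"}


def transitive_providers(provider: str, graph: Dict[str, List[str]]) -> Set[str]:
    """All providers reachable from `provider` through subcontracting links.
    Iterative with a visited set, so a cyclic register cannot loop forever."""
    seen: Set[str] = set()
    stack = list(graph.get(provider, []))
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        stack.extend(graph.get(p, []))
    return seen


def service_dependency_closure(service: str) -> Set[str]:
    """Direct providers plus every subcontractor beneath them."""
    closure: Set[str] = set()
    for p in SERVICE_DEPS[service]:
        closure.add(p)
        closure |= transitive_providers(p, PROVIDER_DEPS)
    return closure


def blast_radius(provider: str) -> Set[str]:
    """Services disrupted, directly or via a subcontractor, if `provider` fails."""
    return {s for s in SERVICE_DEPS if provider in service_dependency_closure(s)}


def all_providers() -> Set[str]:
    found: Set[str] = set()
    for deps in SERVICE_DEPS.values():
        found.update(deps)
    for p, deps in PROVIDER_DEPS.items():
        found.add(p)
        found.update(deps)
    return found


def concentration_report() -> Dict[str, int]:
    """Providers ranked by the number of critical services that depend on them."""
    counts = {p: len(blast_radius(p) & CRITICAL_SERVICES) for p in all_providers()}
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def single_points_of_failure(min_services: int = 2) -> List[str]:
    """Providers whose outage would take down at least `min_services` critical services."""
    return [p for p, n in concentration_report().items() if n >= min_services]


def unregistered_providers() -> Set[str]:
    """Fourth parties named in someone's dependency list but absent from the register."""
    return all_providers() - set(PROVIDER_DEPS)


if __name__ == "__main__":
    for p, n in concentration_report().items():
        print(f"{p:20} critical services affected: {n}  -> {sorted(blast_radius(p))}")
    print("single points of failure:", single_points_of_failure())
    print("unregistered fourth parties:", unregistered_providers())
```

The interesting output is CloudB: it appears nowhere in the firm’s own service register, yet its failure would stop both mobile banking and trade settlement through two different direct providers. That is exactly the kind of hidden concentration a first-tier-only vendor list cannot reveal.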

Beyond mere risk mitigation, a strategic approach to TPRM can provide a significant competitive advantage. Firms adept at proactive risk management are better equipped to handle future uncertainties while maintaining their customers’ and crucial stakeholders’ trust. TPRM is a foundational pillar of a holistic business-continuity and operational-resilience strategy and is vital for ensuring long-term organizational success.

Outsourcing a service to a third party does not outsource the risk: the firm remains accountable to its customers and regulators for the outcome. No firm is immune to the impacts of third-party risks. Events ranging from the 2023 mass exploitation of the MOVEit file-transfer product, which reached many firms only through their suppliers, to escalating geopolitical tensions and the global pandemic have underscored firms’ vulnerability to external shocks. An integrated risk-management approach is essential, tying TPRM into broader operational-resilience and business-continuity frameworks. This alignment breaks down functional silos across different risk-management teams, providing a comprehensive and unified understanding of risks across the extended enterprise. It is also imperative to correlate the internal picture with external threat-intelligence feeds that indicate potential risks, such as a supplier’s financial viability, IT-security breaches and geopolitical issues in the locations from which the third party delivers services.

In this complex global financial-market ecosystem, achieving this type of integration requires establishing clear communication channels and fostering a culture of risk awareness at each of the firm’s levels. Solutions that aggregate critical risk information from diverse teams, such as cyber-risk and TPRM teams alongside external-threat intelligence data services, ensure a holistic view of the firm’s risk posture. An effective integrated strategy demands well-defined strategic objectives, risk-scoring criteria and continuous monitoring to provide a common risk language across all teams. Standard reporting and escalation practices are also crucial for timely risk remediation. Training and capacity building are equally essential to ensure that staff across various functions can consistently and proactively address and manage potential risks.

Leveraging AI in TPRM

Agility and adaptability have become paramount considerations in TPRM strategies in an era during which disruptions are a matter of when, not if. Real-time data and flexible protocols are essential for a firm’s TPRM approach to be effective. The rapid evolution of artificial intelligence (AI) and machine learning (ML) tools is transforming risk management, offering predictive-analytics capabilities and the ability to simulate potential future scenarios. This type of proactive preparation not only equips firms with the resources to respond effectively to third-party disruptions but also demonstrates to key stakeholders their preparedness and commitment to continued success.

AI is improving firms’ agility by automating time-intensive tasks and surfacing potential areas of concern. Algorithms can sift through vast amounts of data, including contracts, financial statements, regulatory filings and public information, to identify third-party risks quickly. Near-real-time analyses enable firms to detect risks within their supply chains rapidly, prioritize them and implement remediation strategies for critical vulnerabilities. By automating these processes, the risk-management team can concentrate on high-level decision-making and analysis, with time freed from manual tasks for deep-dive reviews of the issues flagged. AI can also detect patterns and anomalies, aiding teams in identifying emerging threats and reducing response times. Two practical caveats apply: AI-generated findings are prompts for human review rather than conclusions, and an AI tool adopted for this purpose is itself a third party (or depends on one) and belongs in the same inventory and monitoring regime as every other supplier.

Embracing TPRM for a stronger financial future

Effective risk management is about identifying risks and setting clear pathways for their remediation. This begins with securing the necessary executive buy-in and allocating resources for an integrated risk-management program that permeates the firm through process implementation and technology adoption. Firms must systematically assess risks, adopt relevant technologies and establish communication protocols with third parties for continuous monitoring. Developing a robust TPRM program is not a one-time initiative but an ongoing strategy that must evolve with the firm, its vendors and the ever-changing risk landscape.

Today, TPRM is not just about maintaining a competitive edge; it has become a critical component of regulatory compliance. TPRM should be a central element of strategic operations, consistently reinforced by organizational leadership and embraced by employees at every level.

One-time due diligence is inadequate in today’s rapidly changing environment. Customers and stakeholders increasingly seek assurances of strength and resilience from their financial-services providers. A single, unexpected disruption can have severe economic and reputational repercussions. Consequently, the imperative for integrated TPRM has never been greater. With continuous third-party risk monitoring driven by current data rather than by last year’s questionnaire, firms can ensure compliance, sustain growth and maintain resilience amidst the ever-evolving threat landscape.



Richard Cooper spearheads Fusion’s business strategy for the global financial market, fostering trusted top-level relationships within the financial-services sector. His expertise lies in delivering thought leadership, market intelligence and best-practice insights, guiding firms through innovation and transformation.

