Third-party Resilience – ‘To have and to hold’, the important Partnership with your service providers

By Hasintha Gunawickrema, Chief Control Officer, HSBC

As organisations settle into some form of normality after the pandemic, they now face the harsh reality of economic downturn and geopolitical uncertainty, which is pushing firms to focus on return on investment, and specifically on serving customers while managing costs as a key priority.

This is where the third-party engagement model becomes a game changer for many firms.

However, as the third-party network expands and an organisation's impact surface grows with it, the depth and breadth of risk evaluation for the extended ecosystem must grow too. So how can firms manage the inherent complexity and risk that the third-party (including fourth- and fifth-party) network brings, while maintaining its resilience and the customer outcome?

There are many solutions and approaches a firm can take to address these complex relationships and the related risks; some complement each other, others supplement. Whichever it chooses, a firm needs clear visibility of the services it receives from every provider (third, fourth or nth party) and of the types of risk those relationships expose the organisation to.

The golden rule in building strong risk oversight and a strong risk culture is accepting that ‘one can outsource tasks to another party, but not the risks’.

The more clarity and knowledge a firm holds on its third-party providers, the better its visibility of their performance and of the challenges those providers may bring in future.

With all this in mind, firms must evolve from a ‘service provider or third party’ mindset into a partnership relationship with all service providers, and above all with those who support the delivery of critical or important business services.

This raises an important question for board members and the C-suite: do strategy execution discussions include the need to gain insight into the resilience and recovery capabilities of your critical third parties?

There is no doubt that the resilience of your third parties (or any service provider) and their ecosystem is a critical component of your business resilience plans.

This is why firms need a robust risk management framework with clear oversight of the inherent risks their third (or nth) parties carry, the internal controls those parties have in place to address them, and the residual position of those risks; most importantly, an assessment of how well the residual risks align with the firm’s risk appetite.

The golden rule in risk management is not to wait until a real crisis is at your doorstep, but to build a continuous improvement strategy into your risk management process. Many organisations learned during the pandemic that building an operational resilience model in the middle of a crisis is not easy. Organisations therefore need to understand three critical elements before entering into any form of third-party relationship:

  1. An end-to-end understanding of the operating model and processes the third party supports.
  2. The types of risk this relationship will expose your organisation to (inherent risk).
  3. The controls already in place and the new controls that are required.

Once you have visibility of these three elements, it is in your gift to make a clear call on whether the controls can bring the inherent risk down to a position within your risk tolerance, i.e. whether the residual risk is within tolerance.

It is important not to forget what we learned from the global pandemic. That unexpected crisis was a very real test of the resilience of systems and processes: firms had to build or enhance their operating model and evidence to themselves, to regulators and, most importantly, to their customers that they were operationally resilient.

This brings me to the final touch point: how has third-party engagement, and partnering with third parties in critical business processes, evolved, especially with those that provide essential services?

This is the point where designing operational resilience and contingency planning is vital. My personal experience makes me believe firms should ask four key questions:

  1. Have I got a catalogue of end-to-end operations, supply chain and third-party engagement?
    For example: a catalogue of third parties and their relationships across the organisation’s operations and supply chain; visibility of each third-party relationship and its contract; and who within the organisation is accountable and responsible for each individual supplier or third-party relationship.

While this is a fundamental need, it is not an activity that can be turned around in a short space of time. It is, however, a critical and useful model to operate, because it lets firms run stress tests during a crisis to understand their most significant or material relationships and the risks attached to the failure of any of them (e.g. customer onboarding and KYC, data privacy, cyber security infrastructure).

  2. Have I got a robust third-party governance and monitoring capability, including data and management information (MI)?

For example: which key risk and performance indicators do you monitor (e.g. resourcing and capacity, IT infrastructure testing timelines, system breakdowns, customer complaints attached to services provided by third parties)?

How frequently is this MI and data available (daily, weekly, monthly)?
What escalation model is in place, both to senior management and to the regulators, for any significant deviations?

  3. Have I got regular testing capability and skill sets across the three lines of defence (the business, compliance functions and internal audit teams)?

For example: identify critical operational activities, focusing on impact to customers and market integrity, and carry out structured control testing.
Work with the relevant third-party teams to get access to their operating systems so you can carry out audits. Through the partnership model, keep holding frequent update sessions with third parties to understand their challenges (e.g. financial resilience, resourcing).

  4. Have I got visibility of my third-party providers’ training, coaching and reward practices and their system investment plans, i.e. their culture? Can I influence it?

Always remember that you carry the risks, and the most important element at stake is your firm’s reputation. Unfortunately, many third-party onboarding frameworks do not give enough focus to the culture of the service providers you bring on board to serve your customers.

In summary, I want you to pause and reflect on two aspects of building a third-party resilience model:

  1. Build a partnership-based model: this is not just a ‘contract’ with your third parties, so start with culture and build your risk management framework to support your growth strategy.
  2. Own the risk: always follow the ‘mantra’ that your customers and clients expect you to deliver at pace, therefore you own the risks and you hold the responsibility to build a strong third-party risk management framework.
