Using Third Parties: A competitive advantage or a cause for concern?
The risks incurred by Financial Services (FS) institutions that employ third parties to support delivery of their products and services are a topic that the non-financial risk community has opined on for many years.
Outsourcing any activity to another firm potentially exposes organisations to all manner of delivery, conduct and reputational risks and impacts, but it is an operational necessity and a commercial reality that they cannot avoid.
Whereas events such as the rapid demise of the multinational facilities management company, Carillion, bring into sharp focus the downsides associated with third parties, are they really an accurate reflection of the risks involved and do they ignore the benefits? And, most importantly, how can firms manage third parties so that they can be a source of significant competitive advantage, rather than just a cause for concern?
Reducing cost and exploiting expertise, third parties can be a market force for good
Each and every FS institution requires the support of third party providers to run their business. From cleaning and catering services, to physical security and technology, third parties are often responsible for many of the key facilities and processes an organisation needs to provide their core value propositions. Rather than being a luxury they are now a necessity, but they do offer a large number of benefits to those who are able to exploit them.
First and foremost, with downward pressure on margins, third parties enable FS institutions to procure capabilities and amenities at a far better price than they would be able to secure if they were to develop them internally. For example, it’s typically far cheaper to buy in legal counsel as and when you need it rather than employing a full-time team of lawyers who would be permanently on the company’s payroll, whether or not there was appropriate legal work for them to undertake. As well as this financial benefit, costs are further reduced by the competitive marketplaces for these products and services. Firms providing these services often compete on price in order to secure market share and long-term contracts.
Secondly, whereas cost is important, so is expertise. Not just a route for executing low value tasks, a key driver for third party engagement is the need to acquire specialist skills and knowledge that can make a significant difference to the value of an organisation’s end products and services. Third parties with cutting edge capabilities and tailored offerings can give firms a disruptive advantage in their own industry as their packaged value proposition can amount to something far superior to that which they could develop on their own.
Additionally, third parties can provide geographic reach, scale and flexibility that even global institutions can’t match. This can be particularly beneficial to institutions that are looking to expand quickly, unwilling to invest in certain locations, or keen to offer services in markets that would be unprofitable if entered using their own sales channels, processing centres and infrastructure.
A final benefit of using third parties, if they are managed effectively, is that they can actually reduce your exposure to operational risk. For example, an asset management company’s core capability should be investing in and managing funds, not necessarily executing and administering trades. By outsourcing those elements to an appropriate provider, they are leveraging expertise they wouldn’t have in-house and, using suitable service level agreements (SLAs), potentially reducing the likelihood of risk events occurring and ensuring that if they do, the third party is responsible for resolving them.
Poor third party management can leave you vulnerable
Whereas outsourcing processes and services can be extremely beneficial to FS institutions, the use of third parties can carry a significant risk. You are, in effect, trusting external firms with key parts of your business and if they fail to deliver, you could fail to deliver as well.
The greater the dependency on third party providers, the larger the ‘third party risk’, and that risk means that the firm is increasingly vulnerable to both the actions (or inactions) of those third parties as well as any internal or external event that affects them. In essence, firms who outsource a large number of activities consequently become part of a complex, interconnected ecosystem. This complicated arrangement can be further obfuscated by employing niche or bespoke services where the choice is limited and the market less competitive (therefore making it much harder to switch) and made even more complex when you consider the implications of third party providers to the third parties that you’re directly contracting (the so-called fourth or fifth parties in the network).
Such a multifarious environment presents some fundamental challenges, at the centre of which is the need to successfully manage and monitor the third parties and the services they are providing. By outsourcing, you are handing control of parts of your value chain to other firms and even if financial losses are mitigated by contracts, mishandling these elements can cause substantial reputational damage to the firm.
At a time when data privacy and security are of paramount importance, FS institutions must be certain that data is being collected, stored, managed and used in line with all applicable laws and regulations (such as the General Data Protection Regulation – GDPR).
Requesting that adherence in an SLA is one thing, but evidence is required to satisfy risk managers and regulators. Similarly, it is vital that the third parties employed by FS organisations are compliant with their principles of conduct. Customers are right to expect the same conduct standards at all points in their customer journey, so cultural alignment with third party providers is essential, especially where they interact directly with customers.
If these factors create an intricate challenge, then it is exacerbated by an inconsistent, global regulatory environment where different standards are expected by different regulators, communicated via a raft of varying regulations (e.g. the FCA and SYSC 8, the OCC Guidance on Third Party Relationships etc.), and underpinned by different guidance and consultation papers.
Five actions to reduce third party risk
So how can FS organisations manage third party risks? Unfortunately, there is no single, simple solution, but there are five actions that FS organisations can take to mitigate the risks and demonstrate that they are in control:
- Establish a third party risk management framework – The first step to effective third party risk management is the creation of a consistent framework with pragmatic policies and standards. This framework must define ownership principles aligned to the three lines of defence, ensure risk appetite is defined and understood, and place emphasis on preventative rather than detective controls. How the framework is implemented could also determine its effectiveness. De-centralised management will provide greater autonomy for the business but will likely mean less consistency and less common oversight. Hybrid approaches featuring utilities and centres of excellence for priority providers could be an intelligent compromise.
- Implement a comprehensive onboarding process – The onboarding of new vendors is typically the most mature aspect of FS organisations’ third party risk management. Procedures to risk assess each provider, perform financial and operational due diligence, and agree detailed contracts (for pricing, data storage, service standards, legal protections etc.) are already in place, but greater business engagement is needed from the start. Currently too much emphasis is placed on the role of Procurement and other upfront assessors like the IT department who undertake vital initial checks, but aren’t accountable for the ongoing relationship.
- Institute a proactive governance model – Effective, ongoing management of each third party relationship is probably the most important element of a sound risk management strategy. This should consist of an up-to-date, prioritised inventory of engaged third parties and an appropriate approach to governing each relationship. These approaches must successfully manage each firm via a combination of scorecards, frequent reporting, and forward-looking indicators. They should also run ‘fire drills’ on key suppliers and report findings and updates to a board level audience.
- Form appropriate contingency plans – No approach to managing third parties would be complete without the development of effective contingency plans. FS firms must ensure that they have access to their assets and the outsourced data, should something go wrong. They should also line up alternative providers who can be engaged within an acceptable timeframe to meet agreed service levels or at least plug holes until more permanent solutions can be found.
- Utilise suitable technology – Although there are numerous options available, there is yet to be a market-leading application for third party management. Most organisations use a number of platforms shared between the business, Procurement and risk, but whereas some firms have been tempted to build new systems, most have opted to make some use of their existing Governance, Risk and Compliance (GRC) software, which can also provide a useful link to the rest of their non-financial risk methods and assessments.
Driving minimum standards
With the use of third parties no longer regarded as risk transfer, FS institutions are painfully aware of the risks involved. In the last few years there has been a significant increase in the focus on mitigating those risks and investing in their management. As well as the individual responses, some firms have attempted to outsource the issue, employing specific companies to manage their entire supplier network. Others are pursuing community models, collaborating with other industry participants to drive minimum standards and common assessment criteria.
Whatever the approach to third party risk management taken by FS institutions, now is the time to ensure greater benefit is derived through the provision of more information, more tailored solutions and closer working relationships.