Banker’s Guide to Third Party Risk Management: Strategic, Complex, and Liable
Abstract
Celent has released a new report titled Banker’s Guide to Third-Party Risk Management: Strategic, Complex, and Liable written by Joan McGowan, a Senior Analyst with Celent’s Banking practice.
Key Research Questions
1. Where does your bank fall on the TPRM maturity curve?
2. Why is rigorous vendor risk management so important?
3. What is the crux of rigorous third-party risk management?
Regulators continue to question the quality of third-party risk management (TPRM) practices and are calling for more in-depth risk assessment, monitoring, and oversight of third parties. This is a big and expensive task. Banks should take advantage of their established risk management practices, such as the Three Lines of Defense governance model, and adapt their operational risk management processes, controls, alerts, and escalation models to police critical and high-risk third-party engagements.
Typically, banks manage third-party risk on an ad hoc basis through individual business owners, responding to risks as they arise. This approach leaves banks vulnerable to cyberattacks, data breaches, and the ensuing liability. The foundation of a robust TPRM program is a centralized third-party management system that enables the bank to identify and manage its critical and high-risk active engagements. Such risks need to be identified, assessed, prioritized, monitored, and treated in the same way a bank treats its internal risks.
There are hundreds of relationships on a bank's books that are inactive or low-risk and do not merit risk-based due diligence. An analysis carried out by Oliver Wyman estimates the annual cost to US-based banks and their third parties of risk-based due diligence and assessments on new engagements at approximately $750 million.
“TPRM will remain a priority investment for the banking industry. Better risk management of the growing external ecosystem will raise the soundness and resiliency of a bank and lead to overall improved performance and competitiveness within the industry. Operating without a strategic TPRM practice will leave your bank in the hands of fate and the regulators,” McGowan said.
“Overall, banks are still early on in their TPRM maturity levels, and there is a long way to go before they achieve best-in-class practices. By stage four, full maturity, a bank’s TPRM program should resemble the practices of operational risk management and support the enterprisewide risk management strategy,” she added.