Financial services organizations continue to make significant strides in managing third-party supplier risk, according to an Ernst and Young LLP survey.
However, challenges persist in the areas of overall organizational knowledge, right-sizing staffing models, optimizing cycle times, and integrating technologies across the end-to-end third-party lifecycle.
“Given the increased regulatory scrutiny, it is not surprising that organizations are taking a closer look at their third-party populations, bringing more of them under the scope of their programs, and focusing more closely on risk segmentation,” says Chris Ritterbush, executive director, Ernst and Young LLP.
Taking hold, but tasks remain
The fifth annual EY study of third-party risk management across the financial services industry found that, while organizations have finally absorbed the initial impact of sweeping regulatory change in 2013 and 2014 and have solved for core process expectations, many are still adjusting the scope and scale of their risk management programs.
At the same time, survey respondents cited a lack of knowledge across business functions and a widespread lack of integration across third-party risk management tools as significant barriers to greater progress and a focus for the coming year.
“Financial services organizations are doing a better job of getting their arms around third-party risk,” says Ritterbush. “But there is still a lot to be done, especially in knowledge sharing across business areas and technology, where many organizations continue to rely heavily on spreadsheets to conduct vendor assessments.”
The survey of 49 global financial services organizations included professionals in the retail and commercial banking, investment banking, insurance, and asset management sectors.
Digging into the details
Key insights from this year’s survey include:
• Financial organizations are becoming more alert to supplier risk: 71% of organizations said they conduct regulatory compliance reviews pre-contract, up from 47% in 2014.
And 39% of organizations surveyed reported that all third parties require some form of risk assessment, a significant increase from 19% in 2014.
• Business unit support continues to be challenging: 71% of respondents said they were either neutral or faced challenges with business unit support in executing program requirements. This indicates continued challenges in the areas of business risk culture.
• Many organizations lack the right tools: 90% of respondents felt neutral or negative about how well third-party risk management tools integrate and capture the overall risk for reporting purposes.
Additionally, nearly half of all organizations polled (49%) said it would take a week or more to pull a report on third parties using specific criteria. This points to a data challenge underpinned by a disconnect between procurement and third-party risk management systems.
• Communication—especially with the board—is improving: 35% of respondents said they report third-party breaches to the board, while 71% report them to senior management. In a sign of progress, however, 43% said they report critical third-party issues to the board, up from 26%.
“It is encouraging to see that management has recognized the importance of managing third-party risk and has committed to increasing their investments and resources to help organizations meet the expectations of customers, clients, shareholders, and regulators,” Ritterbush says.