With the increasing need to grow business, provide new offerings, reduce overall costs, and maximize profitability and revenues, outsourcing to third-party service providers has become the norm for financial institutions worldwide, concludes research by MetricStream and the Risk Management Association.
"Managing the risks inherent in vendor and other third-party relationships has become critically important in recent years, as the actions of vendors can cause significant financial and reputational impact to organizations, no matter their size or industry," says Edward DeMarco, RMA's general counsel and director of operational risk.
What firms are doing—and not doing
Some key findings of the survey:
• Definition changes. Third-party relationships have evolved beyond traditional models of goods and service providers to include agents, agency agreements, channel and distribution agreements, debt buyers, co-branded products and services, and correspondent bank agreements, among others.
• Not an intimate group of vendors. Some larger organizations surveyed have thousands of supplier relationships to manage, which is extremely difficult without a mature vendor governance framework in place.
• Priorities still not defined by most. The survey found that 97% of the surveyed organizations have either defined—or are in the process of defining—the “critical activities” in their institution.
• Due diligence still not SOP. 67% of the surveyed organizations do not perform due diligence on their fourth parties. 20% of the respondents perform due diligence at the time of sourcing/contracting the third party, and 13% do it when the primary supplier notifies them of a new material fourth party.
• 1 in 4 don’t evaluate regulatory, risk management functions. Validation of regulatory compliance and effectiveness of the vendor risk management framework is conducted annually by 72% of the responding institutions.
"Companies must keep pace with new sanctions and frequent regulatory changes, increasing operational complexity, and an increasingly risky and diverse multi-tier vendor ecosystem," says Susan Palm, vice-president, industry solutions, at MetricStream. "Organizations must remain especially focused on managing their third parties amidst the backdrop of new and emerging risk areas such as data theft and cyber-crime, along with rising mobility, prolific social media usage, and the introduction of disruptive e-commerce and payments methods."
The survey of more than 100 financial institutions addressed vendor management frameworks, vendor selection and monitoring processes, critical vendors and critical activities, tools and techniques, contracts, regulatory compliance, and fourth-party suppliers.