Increased Focus on Program Efficiency, Risk Segmentation; Technology Integration and Internal Knowledge Sharing Continue to Pose Challenges
According to a new survey conducted by Ernst & Young LLP, financial services organizations continue to make significant strides in managing third-party supplier risk, even as challenges persist in the areas of overall organizational knowledge, right-sizing staffing models, optimizing cycle times and integrating technologies across the end-to-end third-party lifecycle.
Shifting Toward Maturity, the fifth annual EY study of third-party risk management (TPRM) across the financial services industry, found that while organizations have finally absorbed the initial impact of sweeping regulatory change in 2013 and 2014 and have addressed core process expectations, many are still adjusting the scope and scale of their risk management programs. At the same time, survey respondents cited a lack of knowledge across business functions and a pervasive lack of integration across third-party (risk) management tools as significant barriers to greater progress and a focus for the coming year.
“Given the increased regulatory scrutiny, it is not surprising that organizations are taking a closer look at their third-party populations, bringing more of them under the scope of their programs, and focusing more closely on risk segmentation,” said Chris Ritterbush, Executive Director, Ernst & Young LLP. “In this respect, financial services organizations are doing a better job of getting their arms around third-party risk. But there is still a lot to be done, especially in knowledge sharing across business areas and technology, where many organizations continue to rely heavily on spreadsheets to conduct vendor assessments.”
Highlights from this year’s survey:
- Technology: 90 percent of respondents felt neutral or negative about how well TPRM tools integrate and capture the overall risk for reporting purposes.
- Operating model: 41 percent of organizations said that primary ownership of third-party risk management resides within the procurement organization, up from 26 percent in 2014, while 38 percent place it within enterprise or operational risk.
- Business unit support: 71 percent of respondents said they were either neutral or faced challenges with business unit support in executing program requirements, indicating continued challenges in the areas of business risk culture.
- Reporting of breaches: A third (35 percent) of respondents said they report third-party breaches to the board, while 71 percent report them to senior management. In a sign of progress, however, 43 percent said they report critical third parties to the board level, up from 26 percent last year.
- Assessments: 71 percent of organizations said they conduct regulatory compliance reviews pre-contract, up from 47 percent in 2014.
- Oversight and governance: Nearly half of all organizations polled (49 percent) said it would take a week or more to pull a report on suppliers using specific criteria, indicating a data challenge underpinned by a disconnect between procurement and third-party risk management systems.
- Third-party populations: 39 percent of organizations surveyed reported that all third parties require some form of risk assessment, a significant increase from 19 percent in the previous year’s survey.
In response to the technology and reporting challenges cited in the survey, organizations have committed to increasing their overall third-party risk management budgets, with more than 95 percent of organizations indicating that they intend to spend the same or more across a number of functional components, including internal staffing, technology/enablement and oversight/governance.
“It is encouraging to see that management has recognized the importance of managing third-party risk and has committed to increasing their investments and resources to help organizations meet the expectations of customers, clients, shareholders and regulators,” added Ritterbush.
The survey of 49 global financial services organizations was conducted between October and December of 2015. Respondents included third-party risk professionals in the retail and commercial banking, investment banking, insurance and asset management sectors.