Third-Party Risk Management Today

What Is Third-Party Risk Management?

Third-party risk management (TPRM) is a structured process designed to identify, assess, mitigate, and monitor risks stemming from relationships with external vendors, service providers, agents, or intermediaries. These risks can span operational failures, compliance breaches, reputational damage, and cybersecurity exposures.

  • Scope: TPRM applies to any external entities handling sensitive operations, accessing private data, or engaging with key organisational functions.
  • Objective: The primary goal of third-party risk management is to safeguard operational resiliency, ensure regulatory compliance, and protect an organisation’s reputation by addressing vulnerabilities associated with third parties.
  • Example: Consider a financial institution outsourcing IT support to a vendor. If the vendor fails to meet security protocols, the organisation might experience a data breach, impacting customer trust and compliance with data regulations.

Why Third-Party Risk Management Matters

  1. Regulatory Compliance:

    Industries like banking and finance must comply with frameworks such as the Foreign Corrupt Practices Act (FCPA), General Data Protection Regulation (GDPR), and Anti-Money Laundering (AML). Non-compliance can result in steep penalties and reputational harm.

  2. Operational Continuity:

    Third-party failures - such as vendor shutdowns or delivery delays - disrupt operations. TPRM aims to pre-emptively address such risks through contracts and contingency measures.

  3. Reputational Protection:

    Collaborating with unethical or non-compliant vendors risks tarnishing an organisation’s brand. Screening tools, like those offered by LSEG Risk Intelligence, enable proactive identification of risky partnerships.

  4. Cybersecurity Defence:

    With the rise of digitisation, third-party relationships expose an organisation to cybercrime. Continuous monitoring of vendor cyber hygiene ensures robust defence mechanisms are in place.

Key Components of a Third-Party Risk Management Framework

  1. Governance Structure: Clearly outlined roles and responsibilities ensure accountability and effective decision-making.
  2. Policy and Standards: Establish guidelines on onboarding, monitoring, and offboarding third-party vendors to maintain alignment with organisational requirements.
  3. Risk Assessment: Evaluating vendors for operational, legal, financial, and compliance risks allows organisations to tier vendors based on risk exposure.
  4. Contractual Controls: Embedding risk clauses, such as breach remediation and warranty obligations, in vendor contracts mitigates legal concerns.
  5. Monitoring and Reporting: Continuous tracking of vendor performance and risk status ensures prompt escalation and intervention when necessary.

Third-Party Risk Management Lifecycle

  1. Identification: Determine which vendors, suppliers, or intermediaries fall within the scope of TPRM based on their role in sensitive operations.
  2. Assessment: Employ due diligence methodologies, such as LSEG’s screening solutions, for risk scoring based on geographic and operational factors.
  3. Mitigation: Resolve identified gaps by installing controls, purchasing insurance, or implementing remediation strategies.
  4. Monitoring: Engage in periodic reviews using real-time data feeds to gauge vendor compliance and risks.
  5. Termination: Conduct safe vendor offboarding by verifying compliance records and ensuring that sensitive data is deleted.

Frameworks and Standards

Organisations benefit from leveraging universally recognised TPRM standards:

  • ISO 27001: Provides guidelines for supplier controls and information security standards.
  • NIST SP 800-161: Addresses supply chain risk management for information security.
  • COSO ERM Framework: Integrates enterprise risk management practices.
  • Basel BCBS 239: Advises financial risk management.

Role of AI and Automation in TPRM

AI and automation represent transformative tools that optimise efficiency and visibility in risk processes:

  1. AI-Driven Monitoring: Spot anomalies in third-party behaviours and compliance infractions instantly using AI models trained on data patterns.
  2. Machine Learning: Analyse historic risk exposure trends to refine predictive risk scoring.
  3. Natural Language Processing (NLP): Extract clauses and flag deviations within vendor contracts faster than manual methods.
  4. Automation Processes: From onboarding to rescreening, automated workflows streamline decision-making and free up compliance teams.

LSEG World-Check integrates AI to simplify vendor screening and rescreening tasks while reducing false positives.

TPRM in Banking and Financial Institutions

Banking entities are under exceptional scrutiny regarding vendor risk due to regulatory expectations, such as Know Your Customer (KYC) and Anti-Money Laundering (AML). Key practices include:

  • Fourth-Party Management: Banks evaluate not only direct vendors but also their suppliers to ensure supply-chain transparency.
  • Continuous Screening: Ongoing monitoring of vendors aligns with the Basel Committee’s standards for risk governance.

LSEG’s solutions, such as enhanced due diligence reports, help financial institutions meet these stringent regulatory demands.

Best Practices for Strong Third-Party Risk Management

  1. Centralised Data Repository: Create a single platform for storing vendor data and assessments for seamless audit preparation and management.
  2. Critical Vendor Prioritisation: Tier vendors based on risk levels, focusing resources on high-risk parties.
  3. Periodic Audits: Schedule independent assessments to validate vendors’ compliance with contractual terms and policies.
  4. Cross-Department Collaboration: Involve procurement, IT security, and compliance teams to develop a cohesive risk framework.
  5. Dynamic Documentation: Maintain up-to-date contracts and policies for swift adaptation to regulatory changes.

Emerging Trends in Third-Party Risk Management

  1. Real-Time Risk Awareness: AI-integrated risk scoring helps organisations dynamically adapt vendor statuses informed by live data feeds.
  2. Environmental, Social, and Governance (ESG) Metrics: Suppliers are increasingly evaluated using ESG compliance checklists to align partnerships with sustainable goals.
  3. RegTech Innovations: Emerging RegTech solutions enhance workflows by automating manual processes across TPRM lifecycles.

LSEG’s solutions already leverage AI-powered tools such as the Media Check feature to streamline negative media screening in vendor evaluations.

FAQs

  • Third-party risk management (TPRM) is the process of identifying, assessing, mitigating, and monitoring risks associated with external parties such as vendors, service providers, or intermediaries. Its objective is to safeguard operations, ensure regulatory compliance, and protect an organisation’s reputation.

  • TPRM is vital to minimise disruptions, adhere to regulatory frameworks like GDPR or the FCPA, and protect organisations from cybersecurity vulnerabilities or reputational harm caused by third-party failures. It strengthens overall operational resilience by proactively mitigating potential risks.

  • The fundamental elements include governance structures, clearly defined policies, risk assessments, contractual controls, continuous monitoring, and reporting mechanisms. These components collectively help in evaluating and managing external party risks effectively.

  • A TPRM framework is a structured approach for managing external risks through governance, policies, and standardised practices. It provides detailed guidelines for onboarding, monitoring, assessing risk exposure, and maintaining compliance throughout the vendor lifecycle.

  • Effective TPRM enhances operational continuity by reducing disruptions, improves risk visibility, ensures compliance with regulations, and safeguards cybersecurity across external relationships. It also protects an organisation’s reputation from third-party ethical or legal violations.

  • Banks rely heavily on TPRM to adhere to stringent regulations like Anti-Money Laundering (AML) and Basel III. They screen not only direct vendors but also their supply chains to mitigate fourth-party risks while ensuring operational resilience with continuous customer due diligence measures.

  • The lifecycle encompasses five stages: identification, assessment, mitigation, monitoring, and termination. Each stage focuses on systematically evaluating and addressing risks throughout the partnership with a third-party entity.

  • TPRM employs tools such as risk scoring models, screening solutions for compliance needs, and contractual management software. Automation and AI-powered systems increasingly play roles in streamlining due diligence and monitoring processes with higher efficiency.

  • AI enhances TPRM by identifying anomalies, improving risk scoring accuracy, and extracting key insights from vendor documents. Automation reduces manual tasks in screening and compliance checks, speeding up decision-making while maintaining risk visibility.

  • Standards like ISO 27001, NIST SP 800-161, and COSO ERM ensure best practices in information security, supply chain risk management, and enterprise risk governance. These frameworks structure risk management processes and guide businesses in mitigating vendor-related risks.

  • Best practices include centralising vendor data, tiering suppliers based on risk exposure, performing periodic audits, ensuring cross-department collaboration, and maintaining dynamic documentation to address both regulatory changes and operational needs efficiently.

  • Companies can utilise AI-enabled platforms to streamline vendor screening, automated process workflows for onboarding, and continuous monitoring tools aligned with regulatory changes. Automation ensures proactive responses to emerging risks.

  • Integrated TPRM involves centralising policies, tools, and workflows to create a holistic approach toward vendor risk management. It encompasses governance, compliance checks, operational assessments, and risk mitigation strategies within one unified framework.

  • TPRM assists organisations in meeting regulatory demands such as GDPR, AML, and the Foreign Corrupt Practices Act by continuously monitoring vendor adherence to compliance standards. It ensures operational alignment with global and industry-specific legal requirements.

  • Common challenges include difficulty in monitoring fourth-party risks, insufficient risk visibility due to outdated frameworks, and gaps in compliance processes. Additionally, scaling TPRM activities to global operations can be resource-intensive without automation support.
