It is increasingly common for financial institutions to rely heavily on external third parties for the provision of key infrastructure, services, and support for critical processes. This means that the resiliency of their organizations is often intertwined with the resiliency of those third parties. Because a third-party disruption ripples through to their critical business services, businesses must have robust contingency plans to manage the risks associated with such disruptions.
Therefore, the fourth critical area that should be reassessed when analyzing your operational resilience program is the third-party risk management (TPRM) function.
A post-crisis review should focus on changes in the risk profiles of existing third parties used in critical business processes, as well as the emergence of new third parties that provide essential services in a remote work environment.
At a minimum, this review should include the following:
- After gaining an understanding of how key vendors have been affected by the crisis, evaluate and update their third-party risk assessments, including any essential dependencies they have and the steps they have taken to mitigate and manage these risks.
- Review incidents or failures attributable to the under- or non-performance of third parties, and whether backup providers were needed to replace or support them. For example, cloud servers may have been overloaded by the world-wide shift to working remotely, forcing the organization to source additional capacity from alternative vendors, such as Amazon or Microsoft.
- Determine whether any actions taken by third parties were not part of the original TPRM resiliency plan, and whether additional risk assessments must be performed on the backup third parties. For example, an organization’s compliance risk would increase if its outsourced know your customer (KYC) services provider had to itself outsource work due to increased loan demand from the CARES Act.
TPRM is a critical part of an operational resilience program and therefore a crucial part of enterprise risk management. Any changes in the risk profiles of third parties will ultimately change the risk profile of the organization. This risk must be fully understood across the organization when a crisis occurs that tests the resiliency of all parties.
Now that your organization has reassessed your TPRM function, we will next look at performing a post-crisis analysis of the cybersecurity and privacy function.
Learn more about operational resilience in our series here, including topics such as:
- Reassessing regulatory compliance
- Reassessing the governance framework
- Identifying critical business processes
- Business continuity and disaster recovery