A recent directive from the Bank of Ghana to financial institutions underscored the importance of risk management to the health of banks, including Rural Banks and other deposit-taking institutions in Ghana.
Banks are enjoined to set up a risk management department to identify, isolate and mitigate the risks inherent in their day-to-day transactions and in the contracts they enter into with third parties. In this article I will highlight a few areas regarding the exposure of financial institutions to third-party risk.
The article identifies some of those risks and discusses how to detect and mitigate their effect on the institutions' activities.
What is a Third-Party?
A third party is any outside entity that an organization works with: suppliers, business partners, distributors, agents and so on. For example, many financial institutions have engaged third-party companies to provide IT backbone infrastructure, bulk cash movement, physical security, janitorial services and even tellers.
Third-party risk management (TPRM) is the branch of risk management that focuses on identifying, analysing and minimising the risks that arise from outsourcing to third-party service providers.
Third-party risk management is sometimes used interchangeably with terms such as vendor risk management (VRM), supplier risk management or supply chain risk management. TPRM, however, usually covers every type of risk associated with every type of third party, and with the further parties (subcontractors, or "fourth parties") on which those third parties depend to transact the principal's business.
The influence of third parties on the operations of banks and other financial institutions keeps growing as banks outsource services they hitherto provided themselves. Organizations, banks included, are under constant pressure to deliver value for money to their investors and are therefore shedding non-core services to third parties that specialise in them.
Outsourcing non-core operations to specialised service providers inevitably increases exposure to third-party risk. Financial institutions must be aware of the dangers of that exposure and must have management processes and policies in place that cover not only their external vendors but also their counterparties.
Third-party risk management processes and policies must be designed to give bank management and employees a clear understanding of the risks third parties pose and of the safeguards in place to protect the bank, its assets and its people.
Identifying Third-Party Risk in the Financial institutions
Third-party risks are the potential risks a financial institution faces when its staff, its customers' data, its own financial data and its operations are exposed to outside vendors that provide services to the bank. A third-party vendor with access to confidential or privileged information may not be subject to the same security controls and restrictions as the bank's own employees.
The importance of Third-Party Risk Management
While third-party risk is not a new concept, recent events have brought the practice to the forefront like never before. Disruptive events such as the pandemic, the global financial meltdown and the housing bubble bust have affected almost every business and its third-party vendors.
In addition, data breaches and cyber security incidents involving third-party vendors are common. Security breaches in many organizations frequently have a third-party vendor, or its employees, at the centre of them. Many financial institutions rely on third parties to keep their operations running smoothly.
A security breach at a vendor, or a vendor's inability to deliver, can therefore have devastating effects on the bank. For instance, if a bank's IT vendor has its own systems compromised, responses to the bank's system problems may be delayed. The result could be stranded customers in the banking halls, loss of customer confidence and distrust. A situation like this will undoubtedly hurt both the bottom line and the reputation of the bank.
Outsourcing has become a necessary component of running a modern business. It not only saves money but is a simple way to draw on expertise that a third party can provide at a cost that makes more economic sense. The downside is that, without a proper third-party risk management programme, relying on third parties to run certain aspects of the bank can leave it vulnerable and compromised.
Undertaking Third-Party Risk Management
There are many third-party risk management best practices that can help an institution build a better programme, whether it is only beginning to make TPRM a priority or wants to understand where its existing tools could be strengthened. Senior management and the board will generally decide which practices are most relevant to them, given the number of vendors engaged and the institution's information security policies. Common methods include security ratings, security questionnaires, penetration testing, and virtual and on-site evaluations.
Levels of risks posed by third-party vendors
Every financial institution has vendors that provide services such as systems repair and maintenance, customised stationery, cleaning and even health care. These must be recorded in a vendor inventory and periodically assessed for their readiness to deliver when needed and for the level of security exposure their services create for the bank.
It must be noted, however, that not all vendors are equal in importance. It is therefore essential to categorise them according to how critical their services are to the smooth operation of the institution.
The vendors could be categorised thus:
- Tier 3: Low risk, low criticality
- Tier 2: Medium risk, medium criticality
- Tier 1: High risk, high criticality
It is important for financial institutions to focus resources on Tier 1 (high risk) vendors first, as they require more stringent due diligence and a more thorough security assessment than average. Examples of such vendors include cheque book printers, printers of deposit and withdrawal slips, ATM card manufacturers and printers of customised stationery such as letterheads. These vendors must be assessed critically for the level of risk to which they can expose the bank.
The assessment must include, but not be limited to, how safe it is to expose the vendor to:
- proprietary or confidential business information
- customer personal data
- sensitive business data
- any other party (a fourth party) linked to the vendor that is not party to the agreement between the bank and the vendor but on which the vendor depends to execute its contract with the bank.
Types of Third-Party Vendor Risks
Many organizations rely heavily on third parties for improved profitability, easier market penetration, competitive advantage and lower costs. Third-party relationships are nevertheless fraught with multiple risks, including:
- Strategic risk: risk arising from adverse business decisions, or from failure to implement business decisions consistent with strategic goals.
- Reputation risk: risk arising from negative public opinion. Third-party relationships can generate it through dissatisfied customers, inconsistent policies, security breaches that disclose customer information, and violations of laws and regulations.
- Operational risk: the risk of a third party disrupting business operations. This is typically managed through contractually bound service level agreements (SLAs) and business continuity and incident response plans. Depending on the criticality of the vendor, a backup vendor may be kept in place, which is common practice in the financial services industry.
- Legal and compliance risk: risk arising from violations of laws, rules or regulations, or from intentional or inadvertent non-compliance with internal policies and procedures or with Bank of Ghana regulatory standards. This risk exists when a third-party vendor's products or activities are not consistent with governing laws, rules, regulations, policies or ethical standards.
- Information security risk: risk arising from unauthorised access, use, disclosure, disruption, modification, inspection, recording or destruction of information, whatever form the information takes.
- Cybersecurity risk: the risk of exposure or loss resulting from a cyberattack, security breach or other security incident. It is typically mitigated through due diligence before a vendor is onboarded and continuous monitoring throughout the vendor lifecycle.
- Financial risk: the risk that a third party will have a detrimental effect on the financial success of the organization; for example, the organization may be unable to launch a new product because of poor supply chain management.
It is important for financial institutions to craft a risk management policy that responds adequately to all of these third-party risks.
Third-party risk management life cycle
The third-party risk management lifecycle is a series of steps that describes a typical relationship with a third party. It follows roughly these steps:
- Vendor Identification
- Evaluation & Selection
- Risk assessment & Mitigation
- Contracting and Procurement
- Performance Assessment
To identify a vendor for a particular contract, the inventory of existing vendors must be consulted first. When no existing vendor has the capacity or capability to undertake the work, the institution should use industry portals or groupings such as the AGI to select or invite a potential vendor for the new contract.
At the evaluation and selection stage, consideration must be given to vendors that demonstrate the capacity to provide the service. Then comes risk assessment and mitigation. This stage benchmarks the vendor's performance over a period and requires the principal to decide what level of risk it is willing to accept. Risk mitigation includes:
- Risk flagging
- Evaluation of risk against the financial institutions’ risk acceptance levels
- Treatment and control validation
- Monitoring for changes in risk levels and taking mitigating actions
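The tiering described under "Levels of risks posed by third-party vendors" and the flagging and monitoring steps just listed can be kept in a simple inventory tool. The Python below is an added illustration, not part of the article or of any bank's system; the scoring weights, the tier thresholds, the reassessment intervals and the vendor names are all assumptions that a risk department would replace with its own risk-acceptance levels.

```python
"""
Vendor inventory tiering and reassessment tracking.
Added illustration, not from the article. Scoring weights, tier thresholds,
reassessment intervals and vendor names are assumptions, not bank policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Vendor:
    name: str
    service: str
    handles_customer_pii: bool = False       # customer personal data
    handles_confidential_data: bool = False  # proprietary or sensitive business data
    privileged_system_access: bool = False   # admin or network access to bank systems
    backup_vendor_exists: bool = True        # a substitute could take over the service
    fourth_parties: Tuple[str, ...] = ()     # subcontractors the vendor relies on
    assessed_fourth_parties: Tuple[str, ...] = ()
    last_assessment: Optional[date] = None


# Reassessment interval per tier in days (assumed values).
REASSESS_DAYS = {1: 90, 2: 180, 3: 365}


def risk_score(v: Vendor) -> int:
    """Weighted exposure score: what the vendor can see or touch."""
    score = 0
    score += 3 if v.handles_customer_pii else 0
    score += 3 if v.privileged_system_access else 0
    score += 2 if v.handles_confidential_data else 0
    score += 1 if v.fourth_parties else 0  # exposure inherited through subcontractors
    return score


def tier(v: Vendor) -> int:
    """Map exposure and criticality to Tier 1 (high) .. Tier 3 (low)."""
    s = risk_score(v)
    if s >= 5 or (s >= 3 and not v.backup_vendor_exists):
        return 1
    if s >= 2:
        return 2
    return 3


def findings(v: Vendor, today: date) -> List[str]:
    """Flag the conditions a risk officer should act on (the 'risk flagging' step)."""
    out = []
    t = tier(v)
    if v.last_assessment is None:
        out.append("never assessed")
    elif today - v.last_assessment > timedelta(days=REASSESS_DAYS[t]):
        out.append(f"reassessment overdue for Tier {t}")
    missing = set(v.fourth_parties) - set(v.assessed_fourth_parties)
    if missing:
        out.append("unassessed fourth parties: " + ", ".join(sorted(missing)))
    if t == 1 and not v.backup_vendor_exists:
        out.append("Tier 1 with no backup vendor; plan for continuity")
    return out


def review(vendors: List[Vendor], today: date) -> List[Tuple[str, int, List[str]]]:
    """Inventory review ordered so that Tier 1 vendors are worked first."""
    rows = [(v.name, tier(v), findings(v, today)) for v in vendors]
    return sorted(rows, key=lambda r: (r[1], r[0]))


# Constructed sample inventory: fictional vendors and dates.
REVIEW_DATE = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    Vendor("Core Banking Support Co", "IT backbone support",
           handles_customer_pii=True, handles_confidential_data=True,
           privileged_system_access=True, backup_vendor_exists=False),
    Vendor("Cheque Print Ltd", "cheque book printing",
           handles_customer_pii=True, handles_confidential_data=True,
           backup_vendor_exists=False, fourth_parties=("Paper Mill Ltd",),
           last_assessment=date(2023, 1, 10)),
    Vendor("Letterhead Press", "customised stationery",
           handles_confidential_data=True, last_assessment=date(2024, 3, 1)),
    Vendor("CleanCo", "janitorial services", last_assessment=date(2023, 8, 1)),
]

if __name__ == "__main__":
    for name, t, notes in review(SAMPLE_INVENTORY, REVIEW_DATE):
        print(f"Tier {t}  {name}: {'; '.join(notes) or 'no findings'}")
```

Run as a script, the review lists the two Tier 1 vendors first: the cheque printer is overdue for reassessment and has an unassessed fourth party, and the IT support vendor has never been assessed. Lowering a vendor's tier, or changing its data exposure, changes its reassessment interval automatically, which is the "monitoring for changes in risk levels" step in practice.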
A critical phase in the TPRM lifecycle is vendor offboarding. After a thorough assessment some vendors may have to be let go; others may have outgrown the institution or changed their company's direction. In all such cases a vendor must not simply be let go but must be properly offboarded, which is critical for security.
The departing vendor must demonstrate compliance with all regulatory and exit requirements and must be audited to confirm that all bank materials in its possession have been returned and that its access to systems and premises has been properly and securely revoked. Passwords and access keys must be changed, and no keys to proprietary code or software, even obsolete ones, may remain with the departing vendor.
The performance of a third party has a great influence on the bottom line of a financial institution, and critical attention must be paid to managing it. Fortunately, many financial institutions have established risk departments in response to the Bank of Ghana directive to take care of this.
These departments must be staffed with experienced and knowledgeable personnel to protect the banks from avoidable risks. Risk officers must also keep up to date with ever-changing risk exposures and arm themselves with current tools so that they can identify, isolate and mitigate both known and emerging risks in the industry. This is the only way financial institutions in Ghana will be protected from, or able to withstand, upheavals in the financial world.
Francis is a researcher in current trends in Human Resources Management and Development, Leadership and Rural Banking.
Email: [email protected], Cell: +233 050 636 3388