Many regulated firms rely on third parties for services such as accounting, external audit or human resources, through to developing products and services, networking arrangements, payment processing, use of services provided by affiliates, joint ventures, and subsidiaries.
The current operating environment has forced us all to find rapid solutions to remote working and business continuity. This has increased their reliance on third parties and exacerbated regulatory concerns about the risks associated with using third parties.
Benefits of using third parties
Third party relationships can bring multiple benefits especially if you work in a small or medium sized firm. Benefits can include cost savings, innovation, improved or quicker processes, and sometimes an enhanced product or service proposition for your clients. You can often increase those benefits when you invest in technology.
Changing risk profile
Globally regulators have long held concerns about how regulated firms engage third parties. The UK has cited extreme examples where there has not even been any written agreement in place between the parties. More commonly the regulators are concerned about the extent to which regulated firms manage, govern, and oversee the third parties that they engage.
Commercially, the current operating environment is enhancing the benefits of using third parties. However, it is also exacerbating the risks of third-party relationships and the associated issues of business continuity planning, cybersecurity, data protection, operational resilience, and risk management.
This changing risk profile is both commercially sensitive primarily due to the reputational damage as well as the risks of financial resilience being tested in a severe, prolonged economic downturn. This is drawing increased regulatory attention.
The year-end provides a good opportunity to take stock when reviewing your own arrangements and incorporate any changes needed in your plans for 2021. You could start with using our checklist.
The current operating environment may have accelerated your reliance on certain services provided by third parties such as providers of information and communication technology.
You may have one video conferencing provider or are moving your data storage to the Cloud. Your risk mitigation and business continuity plans do not need to go so far as to always engage two parties. But if the unexpected happens you should know what you will do and when.
Demand and supply has changed in a way that many of us may not have expected. Market volatility is one such example where system capability and bandwidth can suddenly become overwhelmed and cause disruption to services potentially to the detriment of your clients.
The Financial Stability Board has highlighted the importance of ensuring that external services providers and / or critical suppliers are taking adequate measures and are sufficiently prepared for a scenario in which there will be heavy reliance on their services. One recommendation being that you treat providers of core services as key workers, so they can operate critical functions, on-site if necessary, to ensure continuity of services during the pandemic.
The Japanese Financial Services Agency and the Bank of Japan has asked their regulated firms to update their contact lists at third parties and to reconfirm their incident response procedures.
Risks in Supply Chains
Third parties may use sub-contractors or have a supply chain. Your third-party agreements may only apply to your company and that of the third party. It may not apply to any of their suppliers or sub-contractors. This could limit your ability to understand risks further down that chain and so manage your business to respond to emerging risks that could cause disruption to your business.
The US Federal Financial Institutions Examination Council has urged financial institutions to monitor and identify weakness in supply chains and develop potential alternatives for obtaining critical services.
The current operating environment is changing the likelihood and impact of systemic risks. The number of firms relying on certain providers could increase the concentration risk in those providers. If those services are critical or difficult to substitute at short notice it could major disruption.
Key for ensuring that the impact of systemic risks on your business is ensuring that you have a clear plan for any disruption. Ensure that individuals are clear about their responsibilities from monitoring and tracking emerging risks through to executing your contingency plans to creating backups and knowing how to restore those backups quickly.