The Basel Committee for Banking Supervision (BCBS) has released its Principles for the sound management of third-party risk[1] for public consultation. While the guidance was developed with larger banks in mind, the Committee notes that smaller banks might actually have a higher reliance on third parties.
Even if you aren’t a bank but you are struggling with managing your third parties, you could probably replace the word ‘bank’ with ‘organisation’ and still apply many of the principles. As digitisation continues to evolve, effective third party risk management is an integral component of operational resilience.
In this blog we will cover:
- The background and key definitions
- The principles of the standard
- Some of the key callouts
To find out more about how to build an effective vendor risk management programme for your organisation, download Protecht’s free Vendor Risk Management eBook:
The background
The document is intended to supersede the Outsourcing in financial services paper, issued almost 20 years ago. One driver for the update is that while outsourcing is a subset, there has been an increase in dependency on all types of third parties. This aligns with some regional regulators who’ve already made a similar shift, such as the US Federal Reserve’s Interagency Guidance on Third Party Relationships[2] and the integration of material service providers in the Australian Prudential Regulation Authority’s CPS 230 operational risk management standard[3].
It's also aligned with some of BSBS’ other guidance, such as Principles for Operational Resilience and Operational Risk Management[4]. Increasingly these disciplines need to be integrated, both to ensure a comprehensive approach, but also to drive efficiencies by having integrated and repeatable processes.
The principles
There are 12 principles in the guidance, three of which are aimed at supervisors. Let’s focus on the nine that apply directly to banks:
Principle 1: The board of directors has ultimate responsibility for the oversight of all Third Party Service Provider (TPSP) arrangements and should approve a clear strategy for TPSP arrangements within the bank’s risk appetite and tolerance for disruption
Principle 2: The board of directors should ensure that senior management implements the policies and processes of the third-party risk management framework (TPRMF) in line with the bank’s third-party strategy, including reporting of TPSP performance and risks related to TPSP arrangements, and mitigating actions
Principle 3: Banks should perform a comprehensive risk assessment under the TPRMF to evaluate and manage identified and potential risks both before entering into and throughout a TPSP arrangement
Principle 4: Banks should conduct appropriate due diligence on a prospective TPSP prior to entering into an arrangement
Principle 5: TPSP arrangements should be governed by legally binding written contracts that clearly describe rights and obligations, responsibilities and expectations of all parties in the arrangement
Principle 6: Banks should dedicate sufficient resources to support a smooth transition of a new TPSP arrangement in order to prioritise the resolution of any issues identified during due diligence or interpretation of contractual provisions
Principle 7: Banks should, on an ongoing basis, assess and monitor the performance and changes in the risks and criticality of TPSP arrangements and report accordingly to board and senior management. Banks should respond to issues as appropriate
Principle 8: Banks should maintain robust business continuity management to ensure their ability to operate in case of a TPSP service disruption
Principle 9: Banks should maintain exit plans for planned termination and exit strategies for unplanned termination of TPSP arrangements
These are all good principles – though they can be challenging to consistently put into practice. The guidance states that it is technology-agnostic, but without appropriate tools it will hard to provide assurance that the principles are being met.
The details
The full guidance expands on the above principles, with the following notable callouts:
Concentration risk
In addition to assessing risk of each individual arrangement on an individual basis, you should consider concentration risks:
- At the organisation level, where one provider supports a range of critical services, such that failure of the provider would cause significant disruption or impact
- At a systemic level. The guide acknowledges banks may not know the full extent of reliance by the market on a service provider, but should take reasonable endeavours or understand who those parties are.
When assessing an arrangement, banks should consider whether it results in unacceptable concentration risk.
Supply chain and nth parties
Banks should consider not just their direct third parties, but also their nth parties: those which support the ultimate delivery of the critical services offered by the bank. In practice, this can be a challenge. A common first step is to monitor your own TPSP’s management of their third parties. The guidance suggests that contracts should include the right to obtain information about fourth parties.
The guidance also highlights that concentration risk and supply chain are related. It’s not just concentration of your direct third parties you need to be worried about, but also concentration further down in the supply chain.
Proportionality
Definitions include whether services, and therefore the third parties that support them, are critical. This is further supported by the concept of proportionality, which is inherent in a principles-based document that can be applied globally. Organisations will need to develop their third party risk management program to match the complexity and scale of their business model and the risks that their third parties might pose to them.
Intragroup arrangements
Intragroup arrangements should be treated the same as other arrangements – or to use the guidance’s own words, to not treat intragroup arrangements as if they are less risky than other arrangements. One shorthand is to consider if part of the group was sold off or acquired – would existing arrangements remain sufficient? While some efficiencies can be gained when services are provided within the group, these formalities should still be in place.
Centralisation
Banks are expected to maintain an up-to-date register of third party arrangements and nth parties as appropriate. They are also expected to map dependencies and interconnections related to arrangements, providing a strong link to operational resilience guidance. This is impractical if these records are not centralised across the organisation.
While not articulated in the guide, centralisation of these records improves the ability to assess the banks ability to remain within the risk appetite related to third parties as defined by the board.
Onboarding and resourcing
Having a good onboarding process isn’t news, but the guide does place emphasis on having sufficient resources to facilitate it. Not just people in terms of numbers, but their competency. In addition, this includes ensuring the TPSP has sufficient understanding of the bank’s needs.
Business continuity planning
It goes without saying that BCPs should be in place for critical TPSPs. This can include internal exit strategies, contingencies or compensating controls, and assurance over the TPSP’s own BCP arrangements. These should support the banks own tolerance for disruption. Ideally, joint BCP testing should be conducted where appropriate.
Conclusions and next steps for your organisation
The principles and guidance are currently in draft form, but provides a solid foundation for any organisation to build on.
While some organisations may already be applying these principles broadly, they should consider the scope of their third party risk management programmes: if they only consider traditional outsourcing and not other critical service providers, there may be some risk exposures that are not as well understood. If the existing scope is narrow, it may also ignore concentration risks which are becoming more prevalent in our interconnected world.
An effective vendor risk management programe offers numerous benefits to organisations, which can be grouped into three categories:
- Improved risk management and resilience (including avoiding supply chain disruption)
- Efficiency and cost savings
- Enhanced visibility (including regulatory compliance)
To find out more about how to build an effective vendor risk management programme for your organisation, download Protecht’s free Vendor Risk Management eBook:
References
[1] Basel Committee on Banking Supervision, July 2024: https://www.bis.org/bcbs/publ/d577.pdf
[2] Federal Reserve, June 2023: https://www.federalreserve.gov/supervisionreg/srletters/SR2304a1.pdf
[3] APRA, July 2023: https://www.apra.gov.au/sites/default/files/2023-07/Prudential%20Standard%20CPS%20230%20Operational%20Risk%20Management%20-%20clean.pdf
[4] Basel Committee on Banking Supervision, March 2021: https://www.bis.org/bcbs/publ/d516.htm