The Basel Committee for Banking Supervision (BCBS) has released its Principles for the sound management of third-party risk[1] for public consultation. While the guidance was developed with larger banks in mind, the Committee notes that smaller banks may actually have a higher reliance on third parties. The mandate of the BCBS and its international committee of regulators is to strengthen the regulation, supervision, and practices of banks worldwide to enhance financial stability.
Even if you aren’t a bank but are struggling with managing your third-party vendors, you could probably replace the word ‘bank’ with ‘organization’ and still apply many of the principles. As digitalization in enterprise risk management continues to evolve, effective third-party risk management (TPRM) is an integral component of operational resilience.
In this blog, we will cover:
- The background and key definitions
- The principles of the standard
- Some of the key callouts
To find out more about how to build an effective vendor risk management program for your organization, download Protecht's free Vendor Risk Management eBook.
The background
The Basel Committee's document is intended to supersede its Outsourcing in financial services paper, issued almost 20 years ago. One driver for the update is that outsourcing is only a subset of third-party arrangements, and banks' dependency on all types of third parties has increased. This aligns with regulators that have already revised similar TPRM guidance, such as the U.S. Federal Reserve's Interagency Guidance on Third Party Relationships[2] and the integration of material service providers in the Australian Prudential Regulation Authority's CPS 230 operational risk management standard[3].
The consultative document is also aligned with some of BCBS’s other guidance, such as Principles for Operational Resilience and Operational Risk Management[4]. Increasingly, these risk management disciplines need to be integrated both to ensure a comprehensive approach and to drive efficiencies by having integrated and repeatable processes.
The principles
There are 12 principles in the Basel Committee guidance, three of which are aimed at supervisors. Let’s focus on the nine that apply directly to banks:
Principle 1: The board of directors has ultimate responsibility for oversight of all Third Party Service Provider (TPSP) arrangements and should approve a clear strategy for TPSP arrangements within the bank’s risk appetite and tolerance for disruption.
Principle 2: The board of directors should ensure that senior management implements the policies and processes of the third-party risk management framework (TPRMF) in line with the bank’s third-party strategy, including reporting of TPSP performance and risks related to TPSP arrangements, and mitigating actions.
Principle 3: Banks should perform a comprehensive risk assessment under the TPRMF to evaluate and manage identified and potential risks both before entering into and throughout a TPSP arrangement.
Principle 4: Banks should conduct appropriate due diligence on a prospective TPSP prior to entering into an arrangement.
Principle 5: TPSP arrangements should be governed by legally binding written contracts that clearly describe rights and obligations, responsibilities and expectations of all parties in the arrangement.
Principle 6: Banks should dedicate sufficient resources to support a smooth transition of a new TPSP arrangement in order to prioritize the resolution of any issues identified during due diligence or interpretation of contractual provisions.
Principle 7: Banks should, on an ongoing basis, assess and monitor the performance and changes in the risks and criticality of TPSP arrangements and report accordingly to board and senior management. Banks should respond to issues as appropriate.
Principle 8: Banks should maintain robust business continuity management to ensure their ability to operate in case of a TPSP service disruption.
Principle 9: Banks should maintain exit plans for planned termination and exit strategies for unplanned termination of TPSP arrangements.
These are all good principles – though they can be challenging to put into practice consistently. The guidance states that it is technology-agnostic, but without appropriate tools it will be hard to provide assurance that the principles are being met.
The details
The full Basel Committee guidance expands on the above principles, with the following notable callouts:
Concentration risk
In addition to assessing the risk of each arrangement on an individual basis, you should consider concentration risks:
- At the organization level, where one provider supports a range of critical services, such that failure of the provider would cause significant disruption or impact
- At a systemic level. The guidance acknowledges that banks may not know the full extent of the market's reliance on a service provider, but they should make reasonable endeavors to understand who those other relying parties are.
When assessing an arrangement, banks should consider whether it results in unacceptable concentration risk.
Supply chain and nth parties
Banks should consider not just their direct third parties, but also their nth parties: those that support the ultimate delivery of the critical services offered by the bank. In practice, this can be a challenge. A common first step is to monitor your own TPSPs' management of their third parties. The guidance suggests that contracts should include the right to obtain information about fourth parties.
The guidance also highlights that concentration risk and supply chain are related. It’s not just the concentration of your direct third parties you need to be worried about, but also the concentration further down in the supply chain.
Proportionality
The guidance's definitions turn on whether services, and therefore the third parties that support them, are critical. This is further supported by the concept of proportionality, which is inherent in a principles-based document that can be applied globally. Organizations will need to develop their third-party risk management program to match the complexity and scale of their business model and the risks that their third parties might pose to them.
Intragroup arrangements
Intragroup arrangements should be treated the same as other arrangements – or to use the guidance’s own words, to not treat intragroup arrangements as if they are less risky than other arrangements. One shorthand is to consider if part of the group was sold off or acquired – would existing arrangements remain sufficient? While some efficiencies can be gained when services are provided within the group, these formalities should still be in place.
Centralization
Banks are expected to maintain an up-to-date register of third-party arrangements and nth parties as appropriate. They are also expected to map dependencies and interconnections related to arrangements, providing a strong link to operational resilience guidance. This is impractical if these records are not centralized across the organization.
While not articulated in the guidance, centralization of these records improves the ability to assess a bank's ability to remain within the risk appetite related to third parties as defined by the board.
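The concentration-risk, nth-party and centralization sections above all come back to the same operation: take a centralized register of critical services, their direct TPSPs and each TPSP's own providers, and work out which single provider many critical services ultimately rest on. The following script is an added illustration of that operation, not tooling from Protecht or the BCBS; the register contents, provider names and function names are constructed for the example. It walks the supply chain transitively (cycle-safe) and flags any provider, direct or nth party, on which a chosen number of critical services depend, so that concentration hidden below the first tier shows up alongside concentration among direct providers.

```python
"""Concentration check over a centralized third-party register.

Added example with constructed data; provider and service names are made up.
"""
from collections import defaultdict

# Constructed register: each service, whether it is critical, and its direct TPSPs.
SERVICES = {
    "payments":       {"critical": True,  "providers": ["AcmeCloud"]},
    "online-banking": {"critical": True,  "providers": ["WebCo"]},
    "card-issuing":   {"critical": True,  "providers": ["CardProc"]},
    "hr-payroll":     {"critical": False, "providers": ["PayrollInc"]},
}

# Constructed nth-party map: each provider and the providers it in turn relies on
# (the information a contract right to fourth-party data would yield).
SUBCONTRACTORS = {
    "WebCo":      ["AcmeCloud", "TelcoNet"],
    "CardProc":   ["TelcoNet"],
    "TelcoNet":   ["AcmeCloud"],
    "PayrollInc": ["SmallHost"],
}


def upstream_providers(provider, subcontractors, seen=None):
    """Return every nth party behind `provider`, following the chain to its end.

    `seen` doubles as the result set and as cycle protection, so mutual
    dependencies between providers cannot cause infinite recursion.
    """
    if seen is None:
        seen = set()
    for sub in subcontractors.get(provider, []):
        if sub not in seen:
            seen.add(sub)
            upstream_providers(sub, subcontractors, seen)
    return seen


def dependency_map(services, subcontractors):
    """Map each provider (direct or nth party) to the critical services that depend on it.

    Non-critical services are left out, applying proportionality: only
    arrangements that can disrupt a critical service count toward concentration.
    """
    deps = defaultdict(set)
    for name, svc in services.items():
        if not svc["critical"]:
            continue
        for direct in svc["providers"]:
            deps[direct].add(name)
            for nth in upstream_providers(direct, subcontractors):
                deps[nth].add(name)
    return {provider: sorted(names) for provider, names in deps.items()}


def concentration_findings(services, subcontractors, threshold=2):
    """Flag providers supporting `threshold` or more critical services.

    Each finding records whether the provider is a direct TPSP in the register;
    a provider that is flagged but not direct is supply-chain concentration that
    a first-tier-only review would miss.
    """
    direct = {
        p for svc in services.values() if svc["critical"] for p in svc["providers"]
    }
    findings = []
    for provider, names in dependency_map(services, subcontractors).items():
        if len(names) >= threshold:
            findings.append({
                "provider": provider,
                "critical_services": names,
                "visible_as_direct_tpsp": provider in direct,
            })
    # Most concentrated first, then alphabetical for stable output.
    return sorted(findings, key=lambda f: (-len(f["critical_services"]), f["provider"]))


if __name__ == "__main__":
    for finding in concentration_findings(SERVICES, SUBCONTRACTORS):
        tier = "direct TPSP" if finding["visible_as_direct_tpsp"] else "nth party only"
        print(f"{finding['provider']} ({tier}): {', '.join(finding['critical_services'])}")
```

With the constructed register, AcmeCloud is flagged because three critical services reach it (one directly, two through WebCo and CardProc), and TelcoNet is flagged even though it appears nowhere as a direct TPSP: it sits behind both the online-banking and card-issuing providers. The threshold is a policy input; a bank would set it from its board-approved tolerance for disruption rather than hard-code it.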
Onboarding and resourcing
Having a good onboarding process isn't news, but the BCBS guidance does emphasize having sufficient resources to facilitate it. This means not just headcount, but competency. In addition, it includes ensuring the TPSP has a sufficient understanding of the bank's needs.
Business continuity planning
It goes without saying that business continuity plans (BCP) should be in place for critical TPSPs. This can include internal exit strategies, contingencies or compensating controls, and assurance over the TPSP’s own BCP arrangements. These should support the bank's own tolerance for disruption. Ideally, joint BCP testing should be conducted where appropriate.
Conclusions and next steps for your organization
The principles and guidance are currently in draft form, but provide a solid foundation for any organization to build on.
While some organizations may already be applying these principles broadly, they should consider the scope of their third-party risk management programs: if they only consider traditional outsourcing and not other critical service providers, there may be some risk exposures that are not as well understood. If the existing scope is narrow, it may also ignore concentration risks, which are becoming more prevalent in our interconnected world.
An effective vendor risk management program offers numerous benefits to organizations, which can be grouped into three categories:
- Improved risk management and resilience (including avoiding supply chain disruption)
- Efficiency and cost savings
- Enhanced visibility (including regulatory compliance)
References
[1] Basel Committee on Banking Supervision, Principles for the sound management of third-party risk, July 2024. https://www.bis.org/bcbs/publ/d577.pdf
[2] Federal Reserve, Interagency Guidance on Third Party Relationships, June 2023. https://www.federalreserve.gov/supervisionreg/srletters/SR2304a1.pdf
[3] APRA, Prudential Standard CPS 230 Operational Risk Management, July 2023. https://www.apra.gov.au/sites/default/files/2023-07/Prudential%20Standard%20CPS%20230%20Operational%20Risk%20Management%20-%20clean.pdf
[4] Basel Committee on Banking Supervision, Principles for Operational Resilience and Operational Risk Management, March 2021. https://www.bis.org/bcbs/publ/d516.htm