By Greg Matthews – Partner at KPMG
KPMG has observed three major evolutions of organisations’ third party risk management (TPRM) risk segmentation programmes over the past five years in the financial services sector.
1. Initial focus on obtaining buy-in and design of the programme
2. Implementation of the programme (addition of headcount and increased effort dedicated to TPRM activities both pre and post contracting)
3. The recalibration and optimisation of the programme
This third phase of recalibration and optimisation of the programme is largely a response to the need to be more efficient and more effective, in the face of both increased public reputational impacts caused by third party failures and continued business pressure for cost reduction and reduced cycle time for onboarding third parties.
Key activities for right-sizing and rebalancing the risk segmentation and risk assessment processes include:
- Strengthening third party relationships and reducing third party costs through third party rationalisation efforts and establishing preferred-provider agreements
- Reducing the number of questions being asked of the business in inherent risk questionnaires (IRQs) and of third parties in due diligence questionnaires (DDQs)
- Re-thinking internal roles and responsibilities to focus risk subject matter experts on the highest value components of the risk assessment process
- Tailoring programme requirements for specific types of third parties that share distinct characteristics that are different from traditional third parties (e.g. affiliate service providers, law firms)
- Fine tuning the requirements for the TPRM programme to expedite onboarding of third parties (e.g. fintechs), so that they are quickly on-boarded to support business needs
- Determining which risk categories should be assessed at a service level v. legal entity level, as well as determining the periods in which an assessment is deemed valid in order to rationalise assessment activities (e.g. financial viability assessment to be performed at legal entity level and would be valid for one year)
- A rebalance away from point-in-time risk assessments to an initial deep dive scan with more emphasis on continuously monitoring the nature of the third party service (e.g. volumes, types of data shared, etc) and risk profile of the third party (e.g. negative media, breaches, etc)
- Exploring third party support or involving TPRM utilities (e.g. KY3P, TruSight) to facilitate on-site reviews
The combined result of these efforts is a reduction in both the effort required for an individual risk assessment and the volume of third party risk assessments that are conducted overall.
Recalibration and optimisation activities must be in accordance with the TPRM risk appetite and support the organisation’s continued ability to comprehensively identify, monitor and manage third-party risk.
Guiding definitions and strategy for the TPRM programme
Definition of third party
TPRM programmes must have a clear definition for a third party documented within the TPRM policy. This definition drives the requirements for the third party inventory at the service level (rather than the third party entity level). The reason for this is that different services have different risk profiles and one third party may provide many services to an organisation.
A good generally accepted definition is provided by the US financial services regulator, the Office of the Comptroller of the Currency (OCC), which in OCC Bulletin 2013-29 defines a third party relationship as: ‘any business arrangement between a bank and another entity, by contract or otherwise. Third party relationships include activities that involve outsourced products and services, use of independent consultants, networking arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures and other business arrangements where the bank has an ongoing relationship or may have responsibility for the associated records. Affiliate relationships are also included. Third party relationships generally do not include customer relationships.’
Critical third party services
The OCC also provides a good generally accepted definition of critical activities: significant bank functions (e.g. payments, clearing, settlements, custody) or significant shared services (e.g. information technology), or other activities that:
- Could cause a bank to face significant risk if the third party fails to meet expectations
- Could have significant customer impacts
- Require significant investment in resources to implement the third party relationship and manage the risk
- Could have a major impact on bank operations if the bank has to find an alternate third party or if the outsourced activity has to be brought in-house
Having a large volume of third party services classified as ‘critical’ reduces management’s ability to dedicate the requisite attention to overseeing the truly critical third party services. The expectation is that both the risk and the performance of a critical service are assessed and continuously monitored with significant attention, focus and expenditure of organisational resources. It is important to note that criticality is a function of the service’s importance to the organisation, not of the control environment: a service that is designated critical remains critical, and continues to receive the greatest amount of oversight, irrespective of how effective its controls prove to be.
For global organisations in particular, it is crucial to apply discipline in rating third party services as critical. We have observed a tendency for individual businesses or regions to rate business- or region-specific third party services as critical when these services are not critical for the enterprise as a whole. In some cases a particular business or region may choose to shoulder the additional cost and effort of overseeing a region-specific service as critical; TPRM programmes can tag these exceptions as ‘region critical’ (rather than ‘enterprise critical’). In many cases the service would remain ‘high’ risk (rather than ‘critical’) in the enterprise rating.
Outsourcing strategy and TPRM risk appetite
In addition to defining third parties and criticality within the TPRM policy, leading TPRM programmes are further codifying an outsourcing strategy and TPRM risk appetite. The outsourcing strategy moves beyond a traditional sourcing strategy (that is largely focussed on achieving specific commercial outcomes) by articulating risk-based parameters for the use of third party outsourcing. The outsourcing strategy might include a preference to limit direct third party contact with customers and limited off-shoring of data to maintain consistent branding and preserve the organisation’s reputation.
The TPRM Risk Appetite articulates the organisation’s level of comfort with third party risk in alignment with applicable components of the enterprise-wide risk appetite. This might include low tolerance for downtime of certain applications and services.
Based on these two documents, the TPRM programme establishes limits and thresholds for individual third party services and for the broader third party portfolio. Examples of risk limits might be that a critical third party service cannot have more than two consecutive quarters of ‘red’ performance scorecards, or that a business line can be no more than 20 per cent concentrated in one third party provider.
It is crucial to document limits and thresholds so that the third party inventory, risk segments and risk assessment activities can be verified as appropriate to give senior management the information it needs to determine whether the TPRM programme is designed and operating effectively, in alignment with both the outsourcing strategy and the TPRM risk appetite.
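As an added illustration (example code written for this edit, not KPMG’s or any client’s tooling), the two example limits above can be checked mechanically against a portfolio extract rather than by hand in a quarterly pack. The scorecard histories, business lines, providers and spend figures are constructed for the example, and the assumption that concentration is measured as a provider’s share of a business line’s annual third party spend is the author of the example’s, not the article’s:

```python
from collections import defaultdict

# Example limits taken from the article's illustration: a critical service may not
# have more than two consecutive 'red' quarters, and no business line may be more
# than 20 per cent concentrated in a single provider.
MAX_CONSECUTIVE_RED = 2
MAX_CONCENTRATION = 0.20   # measured here as share of business-line spend (assumption)


def red_streak_breach(scorecards, limit=MAX_CONSECUTIVE_RED):
    """scorecards: quarterly ratings, oldest first, e.g. ['green', 'red', 'red'].

    Breaches only when reds are consecutive: a non-red quarter resets the streak,
    so ['red', 'red', 'green', 'red'] stays within a limit of two.
    """
    streak = 0
    for rating in scorecards:
        streak = streak + 1 if rating == "red" else 0
        if streak > limit:
            return True
    return False


def concentration_breaches(engagements, limit=MAX_CONCENTRATION):
    """engagements: iterable of (business_line, provider, annual_spend).

    Returns {(business_line, provider): share} for every provider whose share of
    the line's total spend exceeds the limit. A share exactly at the limit passes.
    """
    line_total = defaultdict(float)
    pair_total = defaultdict(float)
    for line, provider, spend in engagements:
        line_total[line] += spend
        pair_total[(line, provider)] += spend
    return {
        (line, provider): round(spend / line_total[line], 3)
        for (line, provider), spend in pair_total.items()
        if spend / line_total[line] > limit
    }


def limit_report(services, engagements):
    """services: dicts with 'name', 'critical' and 'scorecards'.

    The red-streak limit in the article's example applies to critical services only,
    so non-critical services are not tested against it.
    """
    streak_breaches = [
        s["name"] for s in services
        if s["critical"] and red_streak_breach(s["scorecards"])
    ]
    return {
        "scorecard_breaches": streak_breaches,
        "concentration_breaches": concentration_breaches(engagements),
    }


# Constructed sample data (hypothetical services, providers and figures).
SAMPLE_SERVICES = [
    {"name": "card-processing", "critical": True,
     "scorecards": ["green", "red", "red", "red"]},   # three consecutive reds: breach
    {"name": "payments-gateway", "critical": True,
     "scorecards": ["red", "red", "green", "red"]},   # reds not consecutive: no breach
    {"name": "office-catering", "critical": False,
     "scorecards": ["red", "red", "red"]},            # not critical: limit does not apply
]
SAMPLE_ENGAGEMENTS = [
    ("Payments", "ProviderA", 250_000),   # 25% of the line: breach
    ("Payments", "ProviderB", 200_000),   # exactly 20%: passes
    ("Payments", "ProviderC", 150_000),
    ("Payments", "ProviderD", 200_000),
    ("Payments", "ProviderE", 200_000),
    ("Cards", "ProviderA", 100_000),      # 50% of a two-provider line: breach
    ("Cards", "ProviderF", 100_000),      # breach as well
]

if __name__ == "__main__":
    print(limit_report(SAMPLE_SERVICES, SAMPLE_ENGAGEMENTS))
```

The concentration check is worth reading twice: with a 20 per cent ceiling, a business line needs at least five providers before it can possibly comply, which is the kind of consequence a limit should be tested against before it is written into the risk appetite.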
Three segments within a complete third party inventory
Risk segmentation begins with determining the level of assessment required for the third party service. Many organisations have 40 to 80 service categories that are used as the baseline to determine whether a service falls into one of three categories: (1) standard TPRM process, (2) speciality programmes, or (3) nominal risk. The use of service categories also helps to manage what information is required to be captured within the TPRM inventory; all third parties (including nominal risk) are captured for inventory completeness.
1. Standard TPRM process
Third party services, such as critical services, key suppliers, data storage and management, technology platform providers, etc, will follow the standard TPRM lifecycle that is articulated within the TPRM policy and procedure, from initial planning through termination. A key hallmark of effective TPRM programmes is that they are risk-based, with the energy and expertise dedicated to onboarding and overseeing third party services being directly proportional to the risk of the third party service.
2. Speciality programmes
Increasingly, TPRM programmes are identifying homogenous third party services that are more efficiently managed in a separate segment of the TPRM programme, rather than adhering to the standard TPRM process. Common examples of speciality programmes include law firms that provide opinions and outside counsel, or affiliate service providers. In these examples, the speciality programme has a common risk profile and similar payment arrangements, and is used by a specific function (e.g. legal) within the organisation. The speciality programme generally allows a ‘lighter-touch’ risk assessment than the standard process, but speciality programmes may also have more stringent requirements for certain risk assessment and ongoing monitoring activities, such as when the third party interacts with the organisation’s customers.
3. Nominal risk
Third party services that do not present the requisite level of third party risk for the standard TPRM process may fall within a nominal risk segment. These third parties do not support key services/functions/products and are easily replaceable. Nominal risk services are captured within the third party inventory; nominal risk categories are re-evaluated and risk-accepted annually. Examples of nominal risk third party service categories may include: charitable donations, landscaping services, catering and employee travel. It is important to note that limited checks are still performed, such as sanctions screening and conflicts of interest.
Risk assessment process
1. Inherent risk assessment
After determining that a third party service is in-scope for the standard TPRM process, the next step is to conduct the inherent risk assessment via the inherent risk questionnaire (IRQ) to ascertain the inherent risk rating (IRR) and due diligence questionnaire (DDQ) applicability.
The IRQ covers areas such as cyber, compliance, business continuity and disaster recovery. We have also seen organisations include questions around the use of subcontractors, whether the provision of the service directly interacts with the organisation’s customers, and where geographically the service will be delivered. There are often no more than 10 to 20 questions within the IRQ that drive the IRR and determine criticality. These questions are completed by the first-line service sponsor who is engaging the third party and subsequently reviewed by the TPRM programme (or another QA function) to validate the completeness of the responses and to perform data validations that check for anomalies.
IRQ questions that determine the IRR generally include:
- Will the third party service be relied upon to deliver critical business objectives?
- What is the recovery time objective of the service?
- What type of data will you have access to?
- How many records?
- What systems will the service provider have access to?
- Will the service provider directly interact with our customers/clients?
- What location will the services be provided in?
- Will data be offshored?
- Will it be stored in the Cloud?
- Will service involve the use of subcontractors to perform critical aspects of service delivery?
- Does the service support regulatory requirements?
2. Due diligence
Organisations generally evaluate a standard set of risk categories (such as cyber, compliance, business continuity and financial viability), as applicable, for each third party service on a risk-based approach. Certain risk areas (like cyber risk) may require specialised skillsets for evaluation at the individual service/contract level, whereas other risk types (like financial viability) can often be evaluated once for the third party legal entity. Organisations are experimenting with which risk areas can be evaluated via data feed or reviewed by the TPRM support function (rather than requiring risk area expertise).
There are three main approaches for calculating risk scores. Organisations may: (1) use a ‘high water mark’ approach, in which the highest-scoring risk category determines the overall residual risk score; (2) average the scores across all risk categories equally; or (3) use a weighted calculation that places more emphasis on certain risk categories than others (generally when the TPRM risk appetite differs between categories). Overall service scores drive the reassessment of the service, while individual risk component scores (such as cyber) drive when that component of the risk is monitored on an ongoing basis.
It is the review of DDQs that can drive significant effort and duration into the TPRM programme, both at the front end, asking hundreds of questions and waiting for the third party to send adequate responses, and at the back end, reading and assessing the responses.
Leading practices for rationalising TPRM due diligence include:
- Use of market utilities (e.g. KY3P and TruSight) to gather responses to assessment questions
- Use of industry standard question sets (e.g. National Institute of Standards and Technology [NIST], Standardised Information Gathering (SIG))
- Rationalising proprietary DDQs for fewer questions on each questionnaire
- Use of automated reports for publicly available data when possible (vendors for financial viability, negative media screening, review of shareholders or board members, sanctions or financial crimes screening, etc)
3. Control effectiveness rating
Once the due diligence questionnaires have been completed by the third party, appropriate TPRM or risk category subject matter professionals review the responses to determine the control environment score for each risk category. Controls may be located at, and performed by, the third party, or may be compensating controls operated by the organisation itself.
An example of a common organisation-owned control would be a complementary user entity control (CUEC) that removes a third party’s access to a file-sharing system or data feed once the third party engagement has been terminated. It is crucial for the subject matter professionals across risk categories to harmonise their control effectiveness rating scales so that risk categories can be compared consistently. This ‘convergence’ in risk scoring is a top focus area for leading TPRM programmes.
4. Residual risk scoring
The control effectiveness scoring, in combination with the inherent risk of each risk category, determine the residual risk rating for each risk category and the overall residual risk of the third party service. Residual risk scores (both individual third party services and across the third party portfolio) are incorporated into TPRM management reporting to validate the programme is operating within prescribed risk tolerances.
Firms are still determining whether residual risk scoring is appropriate for setting TPRM programme requirements, such as reassessment frequency and ongoing monitoring requirements. Such a model could reduce the frequency of reassessments and the volume of ongoing monitoring activities, and therefore cost, for services whose controls have proven effective. At this point in TPRM evolution, however, the majority of organisations are still using the inherent risk rating to drive ongoing monitoring requirements.
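The following worked example, written for this edit rather than taken from the article or from any KPMG methodology, carries one third party service through steps 1 to 4 above: category-level inherent and control effectiveness scores are combined into residual scores, and the residuals are then aggregated with each of the three approaches described earlier (high water mark, simple average, weighted) so that the effect of the choice is visible. The 1-to-5 scales, the mitigation factors, the category weights, the rating bands and the reassessment cadence are all assumptions chosen for the illustration, and the service and its scores are constructed:

```python
from dataclasses import dataclass
from statistics import mean

# Assumed ordinal scales (not from the article): inherent risk 1 (low) to 5 (critical),
# control effectiveness 1 (ineffective) to 5 (fully effective).
MITIGATION = {1: 0.0, 2: 0.2, 3: 0.4, 4: 0.6, 5: 0.8}  # assumed residual reduction per level
RESIDUAL_FLOOR = 1.0                                    # controls never take residual below 1

# Assumed category weights for the weighted approach. Unequal weights are how a TPRM
# risk appetite that tolerates less cyber and resilience risk shows up in the arithmetic.
WEIGHTS = {"cyber": 0.40, "business_continuity": 0.25,
           "compliance": 0.20, "financial_viability": 0.15}

# Assumed rating bands (upper bound inclusive) with a reassessment cadence in months.
BANDS = [(1.5, "Low", 36), (2.5, "Medium", 24), (3.5, "High", 12), (5.0, "Critical", 12)]

AGGREGATORS = {
    "high_water_mark": lambda r: max(r.values()),
    "average": lambda r: mean(r.values()),
    "weighted": lambda r: (sum(WEIGHTS[c] * v for c, v in r.items())
                           / sum(WEIGHTS[c] for c in r)),
}


@dataclass(frozen=True)
class CategoryAssessment:
    category: str
    inherent: int               # from the IRQ
    control_effectiveness: int  # SME rating of the DDQ evidence (third party or CUEC)


def residual_score(a):
    """Residual = inherent reduced by the control environment, never below the floor."""
    if a.inherent not in MITIGATION or a.control_effectiveness not in MITIGATION:
        raise ValueError(f"{a.category}: scores must be integers 1..5")
    return round(max(RESIDUAL_FLOOR, a.inherent * (1 - MITIGATION[a.control_effectiveness])), 2)


def rating_band(score):
    for upper, name, months in BANDS:
        if score <= upper:
            return name, months
    raise ValueError(f"score {score} outside the 1..5 scale")


def assess_service(assessments, critical, method="high_water_mark"):
    """Return residual scores per category plus the overall score, band and cadence.

    The overall score drives the service reassessment cadence; the per-category
    residuals are what ongoing monitoring of each risk component keys off.
    """
    residuals = {a.category: residual_score(a) for a in assessments}
    overall = round(AGGREGATORS[method](residuals), 2)
    rating, months = rating_band(overall)
    return {
        "method": method,
        "residuals": residuals,
        "overall": overall,
        "rating": rating,
        "reassess_in_months": months,
        # Criticality comes from the IRQ and business impact; a strong control
        # environment lowers residual risk but does not remove the critical designation.
        "critical": critical,
    }


# Constructed example: a critical data-processing service with good cyber controls
# but weak business continuity evidence (hypothetical scores).
SAMPLE_SERVICE = [
    CategoryAssessment("cyber", inherent=5, control_effectiveness=4),
    CategoryAssessment("compliance", inherent=3, control_effectiveness=3),
    CategoryAssessment("business_continuity", inherent=4, control_effectiveness=2),
    CategoryAssessment("financial_viability", inherent=2, control_effectiveness=5),
]

if __name__ == "__main__":
    for method in AGGREGATORS:
        print(assess_service(SAMPLE_SERVICE, critical=True, method=method))
```

On the constructed scores the same service lands in the ‘High’ band under the high water mark (the weak business continuity evidence dominates) but in ‘Medium’ under both the average and the weighted approach, with a correspondingly longer reassessment cadence. That divergence is the practical reason the aggregation method needs to be fixed in the TPRM policy and tied to the risk appetite rather than left to each assessor.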
There are two primary components to ongoing monitoring:
1. Service reassessment schedule
TPRM programmes generally repeat the risk assessment and due diligence process on a risk-based cadence (with higher risk third party services being reassessed more frequently than lower risk third party services). KPMG recommends that TPRM programmes require the business owner of the third party service to re-attest the validity of the IRQ annually, as the risk profile of a third party service may change over time. Depending on the inherent risk of the third party service, due diligence may need to be re-performed annually or every few years.
That said, leading TPRM programmes are currently re-examining their reassessment cadence to rationalise these activities, especially for due diligence activities that require an on-site assessment, and are reconsidering which activities can be assessed for the legal entity rather than for each service, bearing in mind that many third parties deliver multiple services to a client. Various industries are also exploring the use of industry utilities that gather information once from a third party and reuse it many times as members perform their reassessments.
2. Continuous risk and performance monitoring of the service and associated risks
The primary focus of TPRM risk assessment and due diligence processes has been point-in-time, deep-dive assessments around the service and its associated risks. These assessments require business and risk domain subject matter professionals with deep risk category knowledge to review evidence provided by the third party and make a determination on the control effectiveness and residual risk of the third party service.
In addition to improving the process for point-in-time risk assessments, leading TPRM programmes are making a more fundamental shift in mindset to emphasise continuous monitoring of risk and performance, in a manner similar to transaction surveillance or other real-time monitoring. Currently this is possible for aspects of reputational risk, geopolitical risk, negative media and other publicly available data streams. Internally, organisations can establish service level agreement (SLA) adherence reporting to track whether or not third party services are being performed in accordance with established expectations and contract terms. For critical third party services that involve high daily transaction volumes, there is an expectation that organisations will test a sample of those transactions every day. It is not difficult to imagine a future in which the entire volume of transactions is continuously monitored for anomalies or issues, using AI for example.
Organisations are determining how to ingest continuous monitoring information into the third party service risk profile within their TPRM technology platform to accurately reflect the inherent risk, control effectiveness and residual risk of the third party service on a real-time basis.
Where to focus for maximum potential benefit in risk segmentation rationalisation
Risk segmentation drives an organisation’s risk assessment activities, which are often the most time-consuming and expensive components of the TPRM lifecycle. We recommend clients focus on the following aspects of risk segmentation and risk assessment to streamline their processes, reduce third party onboarding cycle time and cut programme costs:
- Map third party service categories to three risk segments: standard TPRM process, speciality programme and nominal risk
- Pursue third party rationalisation and establish preferred-provider agreements
- Reduce the number of questions being asked of the business (in IRQs) and third parties (in DDQs)
- Revise programme requirements to allow flexibility for applicable risk categories to be assessed at the legal entity level (v. the service level) and rationalise the cadence of reassessment activities for services performed by the same legal entity (as appropriate)
- Focus risk subject matter experts on the highest value components of the risk assessment process
- Explore how automated, continuous monitoring can augment point-in-time risk assessments
The KPMG name and logo are registered trademarks or trademarks of KPMG International.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.
About the Author:
Greg Matthews is a Partner at KPMG focused on Financial Services Risk and Regulatory Consulting. Greg assists his large, global financial services clients to drive strategic, transformative change from a risk and regulatory compliance management perspective. Greg has a wealth of experience assisting clients to establish programmes that manage risk and regulatory compliance and drive performance.