Managing third-party risk in financial services

Key considerations for the extended enterprise

Strong risk management across the extended enterprise can be best achieved by embedding third-party risk management (TPRM) capabilities firmly into the fabric of the business and its operations. Institutions that perform TPRM well should benefit by reducing risk and increasing agility and resiliency—enabling them to pursue growth while also reducing areas of vulnerability.

Third-party benefits and risks

Third parties—whether traditional vendors, business partners, or inter-affiliates—often reduce time to market, lower service delivery costs, and improve customer experiences. An extended enterprise can allow a company to access specialized talent not available in-house, driving product or service innovation. The use of third parties can also help an institution better focus on its core capabilities.

But along with the benefits come added risks. Reliance on an extended enterprise exposes financial institutions to the risk of other companies’ management and infrastructure. It increases the complexity of risk management, as it’s inherently difficult to understand the third party’s “black-box” inner workings. And it introduces different types of risks to which the institution may not have been previously exposed, such as concentration risk, location risk, or legal/jurisdiction risk.  

A structured approach

Properly considered, TPRM is an extension of operational risk. Operational risk is the possibility of loss resulting from inadequate or failed internal processes, people, and systems, or potential loss stemming from external events. TPRM provides management with the discipline and capability to mitigate operational risk.

To help boards and senior management in this area, Deloitte has developed a comprehensive TPRM framework. The framework is intended to guide management’s thinking for designing a structured approach for third-party risk management and takes into account enterprise-wide accountability.

Deloitte’s TPRM framework

Keys to successful TPRM

To help boards and senior management teams prepare for the eventuality of enhanced regulatory scrutiny of their TPRM programs, we have identified the following essential capabilities that institutions should cultivate:

  • Understand the institution’s third-party landscape and level of risk 
  • Drive risk management attention to the highest risk relationships
  • Engage the board and senior management for the most critical and highest risk relationships
  • Drive accountability into the business line and beyond
  • Enable end-to-end risk and control management through standards, procedures, and technology enablement
  • Incorporate sustainability and continual improvement into your capabilities

Managing third-party risk in financial services

TPRM has emerged as a critical topic in financial services. The risks are real, and TPRM is now considered a new risk domain within operational risk.

To learn more about this new risk domain and how it can lead to improved performance, download the full report. 
