Ensuring great customer outcomes through third-party risk management


By Sundeep Gupta, Thomas Caldwell, Craig Oliver


Third-party risk management (TPRM) has become a focal point for financial services regulators across the globe. The publication of the EBA and EIOPA guidelines on outsourcing in 2019 and 2011, respectively, has led European regulators to update their rulebooks on third-party and intragroup outsourcing.

We expect to see a similar approach from US regulators in 2023. Essentially, organisations are now required to have greater oversight of their supply chains. And rightly so. The importance of robust TPRM is frequently brought to light by high-profile outages, many of which can be attributed to third-party service providers. These catastrophic outages often leave customers without vital services for days and can cost hundreds of millions of pounds in damages and lost business. These outages illustrate the importance of a resilient approach to TPRM, which includes embedding a robust TPRM framework.

It’s unsurprising that financial services organisations are feeling the pressure. A small survey of TPRM leaders at a recent conference revealed that almost half of their organisations still run manual or Microsoft Excel-based TPRM and supplier management processes, and 41 percent said they intend to rethink their operating model and clarify roles and responsibilities within the next 12 months. The imperative to comply and to deliver for customers and regulators is also straining the capability and capacity of TPRM teams, creating challenges in delivering Important Business Services. So how can organisations better protect customers and optimise their TPRM approach?

Financial services organisations can make three changes to increase the resilience of their TPRM approach and so help ensure customer satisfaction in Important Business Services: adopt new technology and tooling to optimise data, clearly define roles and responsibilities within an appropriate operating model, and increase the capacity of in-house risk functions.

1. Automate TPRM to reduce siloed data and disparate systems

Disparate systems and multiple data sources often mean a reliance on outdated or manual processes; only a minority of TPRM leaders at a recent event reported that they have fully automated their processes. This creates a fragmented and siloed approach to identifying, managing, and monitoring risks across the supply chain.

Meanwhile, regulators are applying pressure by encouraging organisations to have more oversight of the risks within their supply chains. Manual approaches are quickly becoming ineffective and new technology solutions are required to monitor concentration of risk more effectively across multiple parties.

Organisations are moving in the right direction. The same survey revealed that almost half of executive leaders are interested in or assessing automation options in the next 12 months. Assessing current TPRM approaches against regulatory minimum requirements will help identify where improvements are needed. Tools such as Power BI or Tableau can aggregate data, act as a bridge between disparate systems, and provide a single point of truth. In addition, organisations should adopt centralised data sources such as Oracle or SAP so that each data type has a single source, improving data integrity. These changes allow a more streamlined approach to TPRM, driving actions from well-informed and reliable data insights that support both internal and regulatory reporting of supply chain risks.

2. Rethink your operating model and better define roles

Organisations often use inappropriate operating models. Many adopt a federated model to save costs. This can mean that key material suppliers are not managed effectively, so supply chain risk builds up and resilience falls. Organisations can address this by ensuring that their chosen target operating model is proportionate to the third-party risk being managed. For example, material outsourced services should be managed centrally by a dedicated team, while all other non-material third-party services can be managed under a well-defined TPRM framework with effective oversight, training, and support capabilities. Organisations should consider the impacts of both models and ensure that support is in place for effective risk management whichever option is chosen.

Many firms have poorly defined roles and responsibilities within their operating model. This can result in fragmented supplier management processes across the Three Lines of Defence. Success comes with clearly defined roles and responsibilities, as well as detailed RACI matrices that ensure accountability for important TPRM activities. This breaks down organisational boundaries and allows multi-functional management of third-party risks.

3. Build capability and capacity into your TPRM approach

Increasing regulatory requirements for due diligence and monitoring of services are a significant drain on the capability and capacity of front-line resources. Organisations should consider using pooled audit services such as OneTrust’s Vendorpedia™ to ease the pressure on internal risk management teams by cutting the workload for non-critical services. Pooled audit firms provide internal risk functions with reports on pre-contract due diligence and risk management of non-material suppliers, preserving the capacity of internal resources. This enables more effective management of high-risk suppliers and a more resilient TPRM approach overall.

What’s next?

With the increased regulatory pressure for financial services organisations to have a robust and resilient TPRM approach, organisations need to scrutinise the appropriateness of their current TPRM framework and conduct thorough assessments of its suitability to reliably monitor, manage, and report on risk within the supply chain.

A resilient TPRM approach allows organisations to deliver Important Business Services effectively, offering the best customer experience in a turbulent industry.

About the authors

Sundeep Gupta, PA third-party risk management expert
Thomas Caldwell, PA risk and regulation expert
Craig Oliver, PA financial services expert
