Firms must change tack to meet financial regulators’ expectations on supplier risk

Currently, many firms treat outsourcing risk as a separate and distinct category from the broader one of third-party operational risk. This approach is inconsistent with the direction of travel pursued by international financial authorities as well as rules set earlier this year by UK regulators.

Third-party risk and the expectations of regulators

The G7, the Financial Stability Board (FSB) and the Basel Committee on Banking Supervision of the Bank of International Settlements have all recognised that while outsourcing relationships are important, they are not the only source of significant third-party operational risk. Similarly, the European Commission, in its draft regulation on operational resilience for financial services, focuses on ‘critical ICT third party service providers’ rather than outsourcing relationships.

In March, the Prudential Conduct Authority (PRA) issued its final supervisory statement on putsourcing and third party risk management (SS). The SS confirmed, and significantly strengthened, the good practice approach of treating outsourcing and other third party arrangements in substantially the same way, based upon materiality and risk.

If a non-outsourcing third party arrangement is classified as ‘material’ or ‘high risk’, the PRA has said that “proportionate, risk-based, suitable controls” should be put in place. It has also said that the controls “do not necessarily have to be the same as those that apply to outsourcing arrangements” but should be both appropriate to the materiality and risks of the third party arrangement and "as robust as the controls that would apply to outsourcing arrangements with an equivalent level of materiality or risk”.

The PRA has said that it expects stricter controls to be applied "to material, non-outsourcing third party arrangements" than those which are applied to "non-material outsourcing arrangements”.

As part of their broader operational resilience efforts, financial entities should, if they have not done so already, begin the task of identifying and reassessing non-outsourcing arrangements to meet the regulators’ operational resilience requirements. The approach of focussing significantly less attention on non-outsourcing arrangements must change with regulators expecting end-to-end operational resilience.

The increased focus on operational resilience also requires financial entities to assess, and in some cases reassess, their general approach towards supply chain risk management. Regulators expect financial entities to have oversight across the entire supply chain and not just of risks against which they can protect themselves through contractual provisions with their direct suppliers.

There are a number of steps firms can take to ensure that their entire supply chain is operationally resilient. The PRA has said that it expects financial entities to "pay particular attention to the potential impact of large, complex sub-outsourcing chains on their operational resilience, including their ability to remain within impact tolerances during operational disruption”.

Ensuring that impact tolerances set by financial entities are reflected in performance levels expected across an entire supply chain is challenging and may require a change of approach to dealing with some suppliers. To promote visibility, the PRA has said that it wants to see that "service providers are encouraged to facilitate this by maintaining up-to-date lists of their sub-outsourced service providers”.

There is a large gap for the financial services sector to close in developing and maintaining internal policies and risk assessment frameworks to meet the new standard required by regulators. Updating internal registers to apply a consistent materiality and risk-based supplier management approach is essential. Many firms are likely to be able to build on existing internal registers they have developed in this regard in the context of their compliance with the General Data Protection Regulation.

Refreshing contracts where required can be an effective way to drive prioritisation and identify the most significant areas which may concern regulators from an operational risk perspective. The deadlines are not all immediate and the regulators expect approaches to evolve. However, with the regulators’ frameworks now finalised, financial entities have significant reason to better protect their businesses and their clients by taking a broader approach to third party operational risk management.