Why Third-Party Risk Management Has Become a Critical Business Issue

Third-Party Risk Management (TPRM) remains a Top 5 priority for financial services firms increasingly interconnected through vast vendor networks. This growing reliance on third parties expands the attack surface and creates vulnerabilities that traditional manual risk management approaches struggle to address - challenges that are further compounded by increasingly sophisticated cyber threats and an evolving regulatory landscape.
Worldwide, the regulations that push market participants and the services they provide to be more resilient are changing, and third-party risk management is a significant component of this change. In the UK, the PRA (the Prudential Regulation Authority) has put in place specific requirements and policies for incident reporting to align with international stakeholders, and Europe has DORA (the Digital Operational Resilience Act) to improve operational resilience. These regulations are intended to ensure that firms are positioned to expect disruption and take all possible steps to remain resilient when it occurs.
Many firms are global entities and have to deal with local third-party risk requirements set by regulators whose expectations vary from one territory to the next. The cross-border dimension is therefore becoming more of a focal point for discussion. There is the added challenge of gaining visibility into how third parties operate across borders, particularly in jurisdictions with less transparency or less developed regulatory frameworks.
How do they handle sensitive data? What are their local data privacy and security regulations? Are they aligned to your standards and expectations? These remain questions of how you manage your third party, but as soon as a border is involved they become more complicated to answer.
Firms are moving away from manual processes toward automated and AI-driven solutions for monitoring and reporting on supply chain risks. There is an increasing emphasis on conducting deeper assessments to have greater assurance of fourth and fifth parties. Organisations are expected to understand the connected supply chain in its entirety, and that includes not only their third, but also their fourth and fifth-party suppliers.
Financial services companies have traditionally developed siloed risk management frameworks for different risk types, with separate processes and requirements in place for third-party risk, financial crime and cyber security. In practice these are converging as the risks themselves become increasingly interrelated and the artificial boundaries between the different risk types are broken down.
Developing robust exit strategies for critical suppliers and testing the substitution of vendors to ensure business continuity is part of this move to improve TPRM resilience. The substitution could be either to another vendor or to your internal team. By proactively planning for supplier transitions and failures, organisations will be able to demonstrate the operational resilience that regulators increasingly require of them.
To survive in this new landscape, firms will need to invest in technology, update their existing TPRM frameworks to address new risks, and enhance collaboration between their procurement, risk and compliance departments. TPRM requires direct board oversight. As the body accountable for organisational risk, the board must treat TPRM as a strategic priority, not an IT function.
The board must take the initiative and drive efforts to identify, assess and mitigate the third-party risks introduced by external vendors, suppliers and contractors.
These are just some of the talking points around third-party risk management. At Projective Group we have deep domain expertise across non-financial risk areas. With a focus on ESG, our latest Non-Financial Sustainability Risk Benchmarking report echoes many of the concerns outlined above. Compiled from an analysis of the annual reports of 170 of the world’s largest financial service and legal firms, it is of great relevance to non-financial risk managers.
Contact us today to discuss your TPRM and other non-financial risk concerns.
Projective Group was founded in 2006 and is a leading change specialist for the financial services industry.
We are recognised within the sector as a provider of complete solutions, working with financial services clients to deliver solutions that are both holistic and pragmatic. We have developed into a trusted partner for companies that want to thrive and flourish in an ever-changing financial services landscape.