Speaker 1: In the financial service industry today, as well as in many other industries, one of the key topics on the minds of executives and even board members is third parties and specifically third party risk management. We're going to be talking a little bit about that today in the latest installment of Powerful Insights. This is Kevin Donoghue, a senior director with Protiviti, and I'm pleased to be talking today with Chris Monk. Chris is a managing director with Protiviti's Business Performance Improvement Group, and among his many roles is serving as leader of our third party risk management practice. Chris, thanks for joining me today.
Speaker 2: As always, Kevin, it's a pleasure to be here.
Speaker 1: So Chris, let me ask you right off here, why does third party risk management continue to be such a hot topic, and particularly in the financial services industry?
Speaker 2: Kevin, without getting into too much detail, third party risk has been on the forefront of the minds of risk officers, compliance officers, information security officers, heads of procurement, and even CFOs of banks and other financial institutions for well over a decade. It really ramped up in the 2012-2013 timeframe when the CFPB, the OCC, and the Fed all came out with specific guidance around managing third parties, managing outsourced service providers, followed by the FFIEC releasing the well-known Appendix J that covered the resilience of outsourced technology service providers, and then again came to the forefront in 2017 when the OCC issued their supplemental examination procedures on their original 2013-29 guidance. While it sounds like alphabet soup to some, this string of regulatory guidance has caused a massive shift in the regulatory landscape within the industry and the way the banks are approaching how they deal with third parties. On top of the good business sense that these regulations outline, the banks continue to get hammered by the regulators for noncompliance, and thus are spending considerable resources and dollars to improve not only their overall third party risk management programs, but also how they specifically manage the risk domains around things like compliance, business continuity, and information security.
Speaker 1: That covers a lot of what is on the minds of the leaders in the financial services industry today, especially when it comes to this third party risk management issue. Chris, Protiviti participated in a vendor and third party risk management conference last month, which actually took place in two cities, New York and London. Talk a little bit about those events and what you saw as some of the similarities and some of the differences between the U.S. and the U.K. markets right now.
Speaker 2: Yeah, absolutely. So the conference was sponsored by the Center for Financial Professionals, or CeFPro, and was the third annual conference. We've attended both the New York and London events over the last couple of years. And while the topic is the same and the agenda is the same, the talking points, the makeup of the audience, and the specific discussion topics do tend to be slightly different based on the region. Let me start off just talking about some of the commonalities and similarities between the two conferences and the discussion points. Number one, there's still just a lot of focus on what I would call blocking and tackling: due diligence, tiering process and methodology, and overall monitoring of third parties. There was a lot of discussion in both around the operating model, where does third party risk roll up within the organization, the use of centralized or shared services, kind of a 1.5 line of defense to support the business and the execution of the activities. And that operating model is really driven by concerns and challenges around the lack of engagement and the requisite knowledge and skill sets of the people that own and manage those vendor relationships in the lines of business, and making sure that they have what they need to effectively understand what that risk profile looks like, and to assess and monitor risks with third parties as opposed to just managing the relationships. There's lots of discussion around how to make the process more automated, how to make it more efficient. What role does procurement play within this process? Not just, you know, managing risk or managing the vendor management office, but the concept of procurement moving from just buying stuff to really being risk managers for the enterprise.
Other topics that we heard a lot about in both sessions: consortium and third party risk management as a service, which is really popping up now, and of course GDPR and understanding the data flow and how that is impacted by the use of third parties. Obviously, a very hot topic with GDPR going live here recently, and I would say on both sides of the pond there was still generally a lack of understanding on how far to drill down on things like concentration risk and fourth parties. Now, when you think about the differences between the two sessions, a couple of things stood out. So, number one, I would say that the U.S. regulations are more explicit. The U.S. has probably a three to five-year head start from a regulatory mindset and then the reaction to that. There was a poll that was conducted during the conference, and one thing was striking. One of the questions asked during the poll was, who has the complete inventory of all third parties? This was a live poll of people in the room at the conference, and it built on some of the results from a recent study that Aravo and CeFPro conducted, and I'll talk more about that in a minute. But from this poll, and this is the number one key building block of third party risk, first of all, knowing who your third parties are: within the U.S., 87% of the audience said yes, they have a complete inventory of all third parties, while 13% said no, which is kind of in line with what I would have expected. Shockingly, in the U.K., 59% of the group said yes, as opposed to 41% saying no. So, almost a 90-10 versus a 60-40 split, and just indicative of the U.S. being a little bit more advanced in some of the topics. Other things I would say: U.S. regulators do seem a bit more aggressive on notices from the reviews, and surprisingly, the U.K. seemed more open to a decentralized or a federated operating model in terms of where the risk management, the third party risk management function, resides.
Speaker 1: Chris, a quick follow-up on that. By federated approach, do you mean that these organizations are kind of spreading the management of third parties among the different functions and their specific parties, or am I misinterpreting that?
Speaker 2: Well, federated from the standpoint that they are still pushing out the activities farther down into the organization, into the lines of business, rather than centralizing it into a single group. There's guidance being provided, but very much so still pushing that down to the vendor managers, the relationship owners within the business.
Speaker 1: I see. That makes perfect sense. Chris, to wrap up our discussion here, I wanted to ask you a little more about the CeFPro and Aravo study you mentioned. What were some of the other highlights and insights that came from that study?
Speaker 2: Yeah, certainly. And I would encourage people to go search for it and download the entire study. It was very well done. The study was called Taking the Pulse of Third Party Risk Management. As you mentioned, it was sponsored by CeFPro and Aravo, which is a third party risk management technology provider. And the study focused on the journey towards maturity that companies are taking. So a couple of things in terms of the key findings. Number one, most organizations are still relatively early in the stages of maturity, which, given the context and points I've raised earlier, is a bit surprising given how long this topic has been around. On a five-point maturity scale, 43% of the companies that participated in the study rated themselves at a level two or below in terms of overall program maturity. So 43% at a level two or below on a five-point scale. And then 67%, or two-thirds, put themselves at a level three or below. So still a lot of work to do, and I think those results, again, are a bit surprising given just how long the topic has been around. Another key finding: while regulatory compliance is the primary driver for half of the organizations, business and cost benefits were the primary drivers for about 40%, which is good news, and something that we talk a lot about with our clients in the market, and that, as I mentioned earlier, this just makes good business sense, right? There are some things that the regulators are requiring that may drive a level of rigor that can be interpreted as maybe overkill. But at the end of the day, applying that level of rigor and oversight to the vendors that you're selecting, how you're managing those vendors, how they're managing your customers and your data, again, it's just good business sense. And on top of that, we're also seeing that additional focus and rigor contributing to improving the performance of these vendors and third parties.
It's actually leading to spend reduction, because in many cases the banks are concentrating their spend with fewer third parties, which not only reduces the risk profile but also lets them leverage their spend for better pricing. So the business and cost benefits that we see are primary drivers for about 40% of the people in the study. Organizations are gravitating towards locating their third-party functions within risk management, again, specifically talking mostly about financial services here. The study did indicate that a centralized structure is the most common and aligns with the organization's overall approach to risk management, so no surprise there. Organizations are still struggling with basic components of third-party risk, and back to the point earlier about the level of maturity: capturing all third parties in a single inventory, conducting comprehensive due diligence, overall reporting, the basic blocking and tackling components of third-party risk, are areas where companies are still struggling. Many of these challenges, of course, can be attributed to a lack of technology, and that's where we're starting to see the market trend: get the structure in place and then become more scalable, more automated, more efficient through the use of technology. And on that point, two-thirds of the study participants indicate they're using spreadsheets for all or part of their third-party risk management program. Almost half are using SharePoint. So very rudimentary tools and certainly an opportunity to advance that. And finally, the last key finding I'll point out is that third-party risk management teams are still very concerned about being able to keep up with regulatory change and the growing demands of the extended enterprise.
And Kevin, I think it's that last point that really will cause third-party risk management to have sustained power, an increasing need for managing complex third-party ecosystems, the ever-changing regulations across different geographies, the need to correctly and effectively monitor and analyze not only vendor performance, but risk and compliance. And not only within banks, but, you know, this sustained power really has impacts on service providers, on consulting firms, third-party as a service, and obviously technology partners as well. So for those reasons, I think the topic is here to stay.
Speaker 1: Yeah, Chris, based on your explanation, it undoubtedly sounds like it is here to stay. I want to thank you very much, Chris, for sharing your insights with us today on third-party risk management and some of the differences between the U.S. and U.K. markets and how the financial services industry is viewing those today. I want to invite our audience to visit Protiviti.com/BPI, where you can find more information from Protiviti on this and other performance-related topics.