Service Provider Risk: Understanding Scope & Calculating Exposures
Risks are everywhere, particularly in today’s cyber-focused environment. But the risk a financial firm undertakes when outsourcing a function of its business to a service provider is enormous. Not only is the firm relinquishing control to an outside vendor, it also takes on the added burden of managing that company, in addition to its own.
I recently interviewed Eze Castle Cybersecurity and Data Privacy Analyst, Matt Donahue, and we spoke about how hedge funds, private equity firms and other alternatives can roll out and improve third party risk management programs.
Within an organization, where does the accountability for risk live and how do third parties fit into that structure?
Typically, when firms think about where responsibility and accountability live within their organization they mention compliance or information technology – when, in reality, there should be a sense of responsibility at almost every level. As we’ve noted before when talking about establishing a culture of security, tone should be set from the top down – and in this case, risk management responsibility starts at the top also.
If you’re making decisions with only a single lens on technology or cybersecurity or any one area – you’re missing the big picture. Senior execs bring a high-level viewpoint that will help the risk management program align throughout the entire organization.
The other thing to remember is that ultimately, your firm is the one accountable to investors, regulators, clients, etc. – not your service providers – so the risk inherently lives with you. And in that sense, everyone at the firm should be playing an important role when it comes to managing and mitigating risk.
How can firms effectively begin to understand the scope of third party risk as well as calculate risks and exposures for those parties?
It can be daunting to understand the breadth and depth of your vendor and service provider relationships and, thus, the various access points where risk may live across your business.
Start by knowing what data your firm possesses and classify it. Then, understand what information flows to what providers. Financial and investment firms today work with a host of third parties: prime brokers, fund administrators, accountants, managed service providers, compliance consultants, and more. Without understanding who has access to what, how it is accessed, what is retained or shared, etc., you won’t be able to successfully protect it.
Through a thorough vendor risk management process, firms can appropriately gather this information and also gain knowledge on how your vendors are mitigating risk on their side to protect your firm’s data and information.
More broadly, take time to understand what types of risk you may expose yourself to via your third parties: financial, operational, compliance, technology, etc.
What is the vendor management lifecycle?
Research & Planning
Vendor Due Diligence/Selection
Ongoing Monitoring/Periodic Review
How can firms leverage and involve third parties when they’re trying to test their risk management program capabilities?
One way to gauge the effectiveness of your risk management program – as well as that of your service providers – is to get them involved in testing and scenario-planning. Firms aren’t nearly as engaged on this level as they could be, and it’s an opportunity to work directly with vendors to walk through potential business interruptions or risk situations to understand how each side would respond in a given situation. Depending on the scope of your third party relationship, this can start out as a simple conversation or evolve to a functional exercise that provides more feedback for both sides on how scenarios may play out.
The end of the vendor management lifecycle (termination) is often overlooked. What are some of the considerations firms need to bear in mind that may come into play when the relationship ends?
There comes a point where you may opt to sever your service provider relationship, and in order to prepare for that occasion, firms need to understand what their options are and what controls are in place to ensure a smooth transition away from that provider. The key is to be proactive and ask questions in advance. This will expedite the transition or migration process and ensure both parties are on the same page. Some important questions to ask include:
Does your contract allow for withdrawal for cause/without cause?
What notice do you need to provide before termination?
What happens to your data/information when the relationship ends? How is access control terminated?
How do contract terms impact migration if moving to another provider?
What focus areas and questions should firms ask of their service providers during the due diligence process as it relates to IT, cybersecurity and general risk management?
Generally, some areas you’ll want to focus on include:
Financial Stability: Are your third party vendors in a position to withstand financial losses? Are they financially stable and can they demonstrate consistent revenue over a certain period of time? From a risk perspective, you want the confidence that your service providers have a long future and will be around to continue supporting your firm for many years to come.
Security: Obviously, there are a number of critical questions here, but ultimately you want to understand what controls are in place to protect your data from both internal and external threats.
Operations: On the operations front, you might want to get some insight into organizational structure and how compliance issues are handled or what industry regulations or best practices, if any, the company adheres to.