Third-Party and Even Fourth-Party Risks
In the technology era banks are living in today, a solid third-party risk management program does not only evaluate the direct vendors driving the technology stack; diligence on the vendors that are driving your vendors is also mission critical. Sometimes this exercise has many layers, but it is critical to work through them given the business continuity risks that you don't even know exist until something goes wrong.
The Problem: Layers, Layers and More Layers
The direct problem is that there are more layers than many banks are even aware of when they are evaluating vendors. As the layers of the technology a bank is using are evaluated, it becomes clear there is a web of third-party and fourth-party risks, because the vendor a bank is trusting for x, y and z often does not control its own destiny and is reliant on its own set of vendors to power its product. This is problematic on many levels: to the extent something happens to one of the vendors of the bank's vendors, it is not always clear where the responsibility to maintain and service the product lies. From a contract perspective alone it is messy, because the contract with the bank covers a certain set of SLAs, but the underlying contracts your vendor has with its vendors may not be consistent with those same SLAs, and so the layers get very complex. Understanding where your risks are as a bank is complex and time consuming, but worth doing before the inevitable happens.
The Impact: When Things Go Wrong
The impact of layered business continuity risk from third-party and fourth-party relationships is that when things go wrong, they go really wrong. These business continuity risks are generally only uncovered and really understood when a bank is already having issues, which creates "uptime" problems or, even worse, a scenario where the bank's clients cannot use time-sensitive functions like money movement when the issue is with a treasury vendor. The long list of things that can go wrong creates business continuity risk for the bank's consumer and commercial clients, along with PR risk for the bank to the extent its clients are having issues.
Lessons Learned: Keep Asking Questions
When evaluating the layered risk associated with third-party and fourth-party relationships, it's best to keep asking questions:
Start with the Clients of the Bank
It's always a best practice to start with the clients of the bank, understand what their critical and secondary functions consist of, and work back from there. Taking the money movement example, which is obviously a mission critical function, working backwards to understand the risks associated with all the vendors involved is a good starting point.
Contract Negotiation is Critical
Once it's understood that business continuity risks are present, it's time to mitigate those risks through good contract negotiation. Specifically, negotiate SLAs that address those business continuity risks, along with worst-case scenario planning around vendor alternatives should the bank need to switch vendors in a hurry.
Actionable Advice: Where to Start
Based on personal experience, here are a few practical steps to begin understanding and addressing the business continuity risks associated with third-party and fourth-party risks:
Start Reviewing Your Contracts
Don't get caught in a scenario with your major or mission critical vendors where you don't have a full, documented understanding of where the business continuity risks are.
Document well
Documenting where the business continuity risks are present is the first step toward mitigating those risks and holding everyone accountable. Start by documenting the list of vendors the bank is using, but also the critical vendors each vendor is using to deliver and maintain its product.
Set Up Regular Check-Ins With Vendors
One and done is not the move when it comes to evaluating vendor business continuity. Obviously, a solid third-party risk management program is important on the front end, but regular check-ins are important to understand the current state.
Final Thoughts: Eyes Wide Open
Many third-party risks can be mitigated, but some cannot. Knowing that is the case, establishing a crisis plan before the crisis is important. For those risks that cannot be mitigated, documenting a crisis plan, which would include evaluating vendor alternatives in the event the bank has to make a switch, is critical.
Expect the crisis to come at some point. Plan for it through good diligence and evaluation of where the risks are that could impact critical functions for the bank and the bank's clients.
About Finov8r
Finov8r is a leading embedded advisory consultancy that supports banks, fintechs, and corporations. Bridging finance and technology, Finov8r provides tailored solutions that foster profitable growth, simplify technology complexities, and deliver 5x ROI through fintech innovations. With hands-on advisory, Finov8r works within teams to achieve long-term results, unlock new revenue streams, and modernize operations. For more information, visit finov8r.com and follow on LinkedIn.
Get In Touch
- Bank executive, fintech founder or business owner and want to get in touch regarding Finov8r advisory? Email me at allan@finov8r.com.
- Media or speaking engagements: please contact William Mills Agency in Atlanta.