Ensuring Organizational Resilience by Mitigating Critical Third-Party Risk

Critical third parties emerging as threats to organizational resilience

Post-COVID surveys point to the increasing prioritization of organizational resilience and business continuity management, amidst escalating threats, such as supply chain disruption, geopolitical conflict, data breaches, and severe weather events.

However, another risk vector has emerged, threatening to undercut narrow gains eked out from organizational resilience programs. And that risk stems from the staggering rise in dependence on third parties for critical business activities. 

Indeed, firms across all major sectors are becoming increasingly reliant on third parties for the delivery of critical functions and servicesⁱ.

Why’s that? Well, the benefits of these third-party arrangements are obvious to all. Many of the services in question, particularly cloud-based providers (CSPs) and information and communications technology (ICT) platforms, enable digital transformation, catalyze innovation, and provide greater resilience than a host-firm’s own technology infrastructure. 

Many of these services, though, create single points of failure. And the failure of critical third parties has cascading effects on the availability of host-party services. 

Regulators, for their part, have noticed the interdependence of the firms they regulate with third-party vendors, as well. 

The Financial Policy Committee of the Bank of England, for one, noted the following in its Q22021 Financial Policy Summary: “since the start of 2020, financial institutions have accelerated plans to scale up their reliance on CSPs and in future place vital services on the cloud.” The summary concludes that “the increasing reliance on a small number of CSPs and other CTPs for vital services could increase financial stability risks in the absence of greater direct regulatory oversight of the resilience of the services they provide”.

The financial sector is not alone in this respect, though regulators there are beginning to exert direct oversight over these third-party arrangements. Regulators of other critical infrastructure industries are likely to follow. 

The question then turns to how should firms address third-party risk to ensure (future) compliance as well as ongoing operational and organizational resilience? A number of commonsense approaches have emerged from the regulatory space, which this guide will lay out.

Addressing third-party risk when ensuring operational resilience

Unsurprisingly, financial regulators have led the way in attempts to address third-party risk, through best-practice guidance. In July 2016, the Australian Prudential Regulation Authority (APRA), which supervises financial and related institutions across the banking, insurance, and superannuation sectors, released Prudential Standard CPS 231, which focuses on such outsourcing arrangements.

CPS 231 subjects all outsourcing arrangements involving material business activities entered into by an APRA-regulated institutionⁱⁱ to appropriate due diligence, approval, and ongoing monitoring. Regulated-firms must therefore manage risks arising from the outsourcing of their material business activities to meet financial and service obligations to depositors and/or policy holders. 

What then are material business activities?

A material business activity comprises any activity that has the potential, if disrupted, to have significant impact on business operations or the ability to manage risks effectively in the following respects:

• Financial, operational, and/or reputational impact, as well as a failure of the third-party service provider to perform over a given period
• Cost of the outsourcing arrangement as a share of total costs
• Degree of difficulty, including the time taken, in finding an alternative service provider or bringing the business activity in-house
• Ability of the regulated firm to meet regulatory requirements if there are problems with the service provider
• Potential losses to the regulated firm’s customers and other affected parties in the event of a service provider failure
• Affiliation or other relationship between the regulated firm and the service provider

After laying out the stakes, APRA also lists a set of best-practice measures that can help regulated-firms ensure resilience, while maintaining compliance. The main measure is the maintenance of an explicit, Board-approved policy relating to outsourcing arrangements involving material business activities. 

That policy should include sufficient monitoring processes to manage the outsourcing of material business activities as well as legally-binding agreements with third parties. Firms must also consult with the regulator prior to entering into agreements to outsource material business activities to service providers that conduct their activities outside of Australia as well as notify APRA after entering into agreements to outsource material business activities.

Regulated firms, for their part, must notify the regulator as soon as possible – no later than 20 business days – after entering into all outsourcing agreements of material business activities. 

Nor is mere notification sufficient. APRA demands that firms provide (1) a summary of the key risks involved in the outsourcing arrangement and (2) the risk mitigation strategies firms have put in place to address these risks. 

Further requirements include:

• Identify, assess, manage, mitigate, and report on risks associated with outsourcing to meet the institution’s financial and service obligations to its depositors, policyholders, and other stakeholders. 
• Have procedures to ensure that all the institution’s relevant business units are made aware of and have processes and controls for monitoring compliance with, the outsourcing policy. 
• Rest ultimate responsibility on the Board for oversight of any outsourcing of a material business activity. Although outsourcing may result in the service provider having day-today managerial responsibility for a business activity, the APRA-regulated institution remains responsible for complying with all prudential requirements that relate to the outsourced business activity. 
• Give the Board of the APRA-regulated institution responsibility to ensure that outsourcing risks and controls are taken into account as part of the institution’s risk management strategy and when completing the mandatory risk management declaration to APRA. 

Further resilience best practices to consider

Taken from this vantage, APRA requirements simply extend business continuity, risk management, and organizational resilience best practices into the realm of outsourcing.

U.K. financial regulators have also caught on. After laying down internal resilience best-practice requirements for regulated institutions, they are now in the process of codifying minimum resilience requirements on critical third parties (CTPs) that engage with regulated institutions.

Soon, CTPs themselves will have to meet minimum requirements before providing material services to regulated financial institutions.

Still being hashed out, potential measures are likely to include a requirement for CTPs to carry out or take part in various resilience tests. These tests will focus primarily on the resilience of material services CTPs provide to regulated firms.

What would the testing requirement consist of? It’s likely to include scenario testing, participation in sector-wide exercises, and cyber resilience testing. Some of these tests and exercises could be carried out in collaboration with overseas financial supervisory authorities, or U.K. competent authorities and public bodies outside the financial services sector.

Supervisory authorities in the U.K. are also interested in aligning resilience frameworks imposed on CTPs with those already imposed on regulated financial institutions, resulting in a greater focus on the following:

• A focus on services. The operational resilience framework requires firms to focus on the resilience of important business services they provide. Likewise, potential measures for CTPs would focus on the resilience of any “material” services they provide to firms and FMIs.
• The assumption that disruption would occur. An assumption underpinning both the operational resilience framework for firms and the potential measures for CTPs is that disruption is inevitable. The aim, therefore, would be to assess and strengthen the ability of CTPs to prevent, adapt to, respond to, recover from, and learn from any disruption capable of having a systemic impact on the supervisory authorities’ objectives.
• Complementing responsibilities. A key principle underpinning existing regulation and supervision of firms’ outsourcing and third-party arrangements is that boards and senior management cannot outsource their responsibilities. Potential measures for CTPs would therefore seek to strengthen the regulator’s ability to monitor and manage the systemic risks that CTPs pose to their objectives, and which the existing regulatory and supervisory framework for firms cannot fully manage at present, without eliminating or reducing the responsibilities of firms.

Role of digital technology in addressing third-party risk to organizational resilience

For regulated entities, CTPs, and interested host parties, the question now turns to how to incorporate these minimum standards into existing resilience programs? Here, digital technology can help.

Integrated platforms, like Noggin, give firms the risk and business continuity management functionality to identify, assess, manage, mitigate, and report on risks associated with outsourcing.

As business continuity aims are compromised by third-party risk, Noggin Continuity enables organization to automate key functions crucial to recovery should disruption occur. 

Other Noggin Continuity capabilities that help ensure resilience include:

• Define domains, critical business activities, assets, and sites, as well as record inter-dependencies 
• Assess the risk and impact of outages across activities, assets, and sites, and implement risk treatment plans and actions to mitigate risks, and reduce the likelihood or impact of incidents
• Assign and track business impact assessment and risk management activities for organizational unit owners 
• Set recovery targets for business activities and report on progress against those targets as incidents occur
• Visualize and report on the risk profile of business and the impact on critical services 
• Digitize business continuity, crisis, and incident response plans, including strategies and considerations, roles and responsibilities, and pre-assigned checklists ready to deploy when incidents occur
• Activate crisis and incident management teams including structures, roles, capabilities required and on-call resources
• Record and manage incidents and response tasks, log and share updates, decisions, facts, and assumptions, and produce situation reports and briefings 
• Initiate and track investigations, capture evidence and related actions 
• Conduct exercises, post-incident reviews, and lessons learned
• Visualize locations of incidents, risks, people, and assets using the fully integrated mapping features. 
• Communicate alerts, notifications and updates via email, SMS, voice, or the Noggin app
• Manage key details of staff, contractors, customers, suppliers, regulators, and external parties
• Display key information where it is needed using flexible dashboards, analytics, and reporting that caters for all stakeholders. 
• Automate and lead people through procedures, with fully-configurable workflows

Thanks to COVID and associated crises, senior leaders finally cottoned on to the need to prioritize organizational resilience. However, those same leaders also entered into outsourcing arrangements with third parties for critical business activities.

Unvetted, these arrangements can prove just as threatening to organizational resilience as any external crisis.

Fortunately, best practices are coming down the pike, just as regulatory scrutiny ramps up. How to stay on top of both? Digital technologies, such as Noggin, are crucial for managers and executives (alike) in determining disruption impacts, developing plans and recovery strategies, and addressing risks.

Sources

i. Deloitte: Third-party risk is becoming a first priority challenge. Available at https://www2.deloitte.com/ca/en/pages/risk/articles/reduce-your-thirdparty-risk.html.

ii. This standard applies to (a) authorised deposit-taking institutions (ADIs), including foreign ADIs, and non-operating holding companies authorised under the Banking Act (authorised banking NOHCs); (b) all general insurers, including Category C insurers, non-operating holding companies authorised under the Insurance Act (authorised insurance NOHCs) and parent entities of Level 2 insurance groups; and (c) all life companies, including friendly societies and eligible foreign life insurance companies (EFLICs), and non-operating holding companies registered under the Life Insurance Act (registered life NOHCs).