SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Michele Wesseling discusses the balance between satisfying your firm's need to generate revenue and mitigating third-party risk.
Third-party risk management in the financial industry requires careful consideration when developing an operating model. It is essential to consider the regions you operate in and the regulations that apply there. In most of the banking industry, your internal risk culture allows you to easily implement a third-party risk program that methodically measures inherent risk, provides time to assess third-party controls, and negotiates contracts that enforce controls and mitigate residual risk.
Internal vs. Third-Party
The internal risk culture changes once you enter the world of capital markets, where decisions are made quickly, risk is a way of life and patience is a rare quality. Now add the risk of a trade execution platform failing during a stock market dive, leaving counterparties unable to trade for several hours. The outage would be noticed and gain publicity, potentially causing Regulators to investigate. Should this occur after the due diligence steps that would have highlighted this vulnerability were skipped, the repercussions could be costly: your firm's reputation would be at stake and you would most likely face regulatory scrutiny that could result in fines. Striking a balance between satisfying your firm's need to generate revenue and mitigating third-party risk is an interesting challenge. If your operating model is too slow and cumbersome, your business will most likely attempt to circumvent the process. Careful consideration is needed when aligning your control assessments to the true inherent risk.
As an example, if the third party is regulated to the same standards as your firm, such as a regulated Broker that you plan to conduct electronic trades with, the due diligence would differ dramatically from that for a technology firm providing a hosted trading platform solution. Interestingly, these two relationships can sound very similar to a technology risk partner in your second line of defense. In the case of the Broker providing an electronic trading communication network, you may be able to screen for sanctions, confirm that their registration with the Regulator is still active, and request a copy of their policies along with an attestation that these policies are strictly adhered to.
The technology firm providing a hosted trading platform, by contrast, should be put through due diligence that includes control assessments aligned with the technology risk associated with their platform. Examples include cloud assessments, privacy and information security assessments, and onsite assessments, to name only a few.
The Third-Party Relationship
Your ongoing monitoring program should also be adjusted for entities that are regulated similarly to your firm. For a relationship such as a Broker, monitoring should be conducted regularly enough to allow you to remain confident that the firm's registration remains in good standing and that no sanctions have been listed against them. Depending on the size of the relationship between your firm and theirs, this could be conducted quarterly, semi-annually, annually or bi-annually. The monitoring should include the same steps as noted earlier for your initial due diligence.
As you can see, scaling your program to the third-party relationship at hand will help you manage your internal relationship with your business partners while you mitigate risk for your firm. One size does NOT fit all when it comes to third-party risk management.
SIG University's Certified Third-Party Risk Management Professional (C3PRMP) program is a globally recognized certification that is the “gold standard” in terms of relevance, scope and content. The C3PRMP program was created by Linda Tuck Chapman, an advisor, educator, author and expert.
After an extensive career in the retail sector purchasing soft and hard goods from manufacturers and wholesalers, managing logistics, and contracting technology providers, Michele switched to the financial industry eight years ago. Upon joining, she found herself managing a very different type of supplier in a very different environment. With the aftermath of the financial crisis in full swing, and regulators ramping up their third-party regulations, Michele faced the challenge of aligning the internal practices for third-party due diligence and risk mitigation as a top priority. Interestingly, Michele observed that the art of procurement didn't change one bit from industry to industry. The commodities and services purchased change dramatically every year, and most of the people she encountered didn't understand procurement practices, offering her an interesting and fun challenge!
Today, Michele leads the TD Securities' Global Third Party Management Office with a mandate to manage TD Securities' third party risk and spend proactively, centralize third party management, and maintain an effective operating model aligned with rapidly changing regulatory requirements.