Significant others: How financial firms can manage third party risk

May 2015

At a glance

Are third parties worth the risk for financial institutions? It’s a multibillion-dollar question when, every week, yet another business interruption, data breach, or compliance failure seems to surface in the news. We believe the answer is “yes”—provided a firm takes the right approach to risk management. Ultimately, a robust third party risk management program may even make using third parties less risky than keeping those functions in-house.


Third parties: risks or strategic assets?

Over the last decade, use of third parties has helped institutions grow revenues, cut costs, and improve the customer experience. The 18th annual PwC Global CEO survey shows that more than 40% of banking CEOs see joint ventures, strategic alliances, and informal collaborations as an opportunity to strengthen innovation and gain access to new customers and new technologies.1

However, the proven upsides of third party collaboration come with equally apparent downsides: operational setbacks such as major service interruptions, mishandling of customer or employee data, and non-compliance with laws and regulations.

US regulatory agencies have significantly raised standards for oversight of third parties in recent years, making it clear financial institutions cannot outsource their controls. In fact, firms should hold third parties to the same high standards that they themselves must meet.

To find out how institutions are responding to demands for stronger oversight of third parties, we surveyed financial institution leaders, publishing the results in PwC’s 2014 Third Party Risk Management (TPRM) Survey. This report offers insights and conclusions from the survey and our experiences with clients.

Oversight still has too many gaps

We found many firms—two out of every five—have not taken even basic steps, such as defining business-critical functions to meet regulatory guidelines. Among the other key conclusions:

  • A full 45% of respondents said that they rely on third parties to monitor their subcontractors—without performing additional checks to review the results.
  • Only 55% of respondents said a board committee participates in TPRM oversight and governance, even though some regulators explicitly expect the board to perform these functions where business-critical functions are involved.
  • Few firms conduct on-site visits of third parties. Among respondents that did not perform on-site visits or performed them only on an ad hoc basis, about half experienced a service disruption traceable to third parties.
  • Barely half of respondents said that their oversight programs include affiliates. This is problematic: the OCC highlighted its definition of third party relationships as “any business arrangement between a bank and another entity, by contract or otherwise”.2

Using third parties does pay off

We see top firms adopting several leading practices to contain risk:

  • Focusing on the riskiest services.
  • Achieving insight into subcontractors.
  • Establishing a central office to administer and oversee the risk management program.
  • Tracking TPRM issues and customer complaints in central databases.

These leading practices should be part of an overarching TPRM framework that includes governance, processes and tools, and enablers.

Beyond better risk management, effective TPRM programs can also deliver valuable insights that inform strategic decisions. An effective TPRM program improves transparency for a firm—not only regarding how much its third parties cost, but also which business units use them and which markets and customer segments they serve.

Armed with a more thorough, accurate view of the role third parties play across the organization, financial institutions can use data analytics to support strategic business decisions. The insights they gain can help to improve the customer experience, identify new strategic partnerships, drive down costs, and improve market agility.

We believe a robust TPRM program can help a financial institution continue to use third-party partners while fulfilling its obligations to customers, company stakeholders, shareholders, and regulators. Ultimately, it may even make using third parties less risky than keeping those functions in-house.


1 PwC, “18th Annual Global CEO Survey”, January 2015.
2 OCC, “Third Party Relationships”, October 2013.




