Newsletter on third- and fourth-party risk management and concentration risk
The Committee issues this newsletter to provide greater detail on its internal discussions regarding third- and fourth-party risk management and concentration risk. The Committee believes the information provided may be useful for both supervisors and banks in their day-to-day activities. This document is for informational purposes only and does not constitute new supervisory guidance or expectations.
- Banks have successfully leveraged technology, including that provided by third parties, to withstand the Covid-19 pandemic. However, the pandemic has also exacerbated certain operational risks that banks face related to their use of technology-based services provided by third parties.
- The Committee conducted a series of outreach sessions that highlighted areas of improvement related to banks' third- and fourth-party risk management and concentration risk matters.
- The Committee considers the implementation of the Principles for Operational Resilience and revised Principles for the Sound Management of Operational Risk critical to strengthening banks' operational resilience.
Throughout the Covid-19 pandemic, the Committee observed banks rapidly adapting their operations in response to new hazards or changes in existing hazards. However, the Covid-19 pandemic also exacerbated operational risks that banks faced related to the rapid adoption of, and increased dependency on, technology infrastructure as well as the sector's growing reliance on technology-based services provided by third parties. Recognising that a range of potential hazards cannot be prevented, the Committee believes that the appropriate management of banks' third- and fourth-party relationships and concentration risk exposures can enhance their ability to withstand, adapt to and recover from potential hazards and thereby mitigate potentially severe disruptive events.
The Committee issued Principles for Operational Resilience (POR) and revised its Principles for the Sound Management of Operational Risk (PSMOR) in March 2021 to address several of these issues, and it continues to monitor the impact of the pandemic on banks' operations.1 Specifically, it recently conducted outreach sessions with private sector participants and supervisors from various jurisdictions to assess the status of better established practices related to third-party risk management, and to exchange views regarding evolving practices related to fourth-party risk management and concentration risk matters. Among other matters discussed, banks and supervisors noted the following:
- Primary gaps relating to firms' third-party risk management include a lack of clarity regarding respective bank and service provider responsibilities, insufficient monitoring of critical fourth parties, inadequate challenge or oversight from second lines of defence, and a lack of developed and tested business continuity plans.
- Banks and supervisors are concerned that a lack of complete supply chain transparency may increase operational risk. Risk-management efforts are focused on immediate suppliers, though key risks stemming from outsourcing arrangements may be driven by suppliers further down the supply chain.
- While several banks maintain formal exit strategies with respect to critical suppliers, they often lack sufficient detail and testing, and identifying the appropriate stage to execute a strategy can be unclear.
- There are a range of tools for managing operational disruptions, such as the substitutability of a third-party service provider and contracting for enhanced resilience options or service levels offered by service providers. Exit strategies designed to guide transitions that occur over longer time periods may not be as useful as other tools for curing operational disruptions.
The outreach sessions confirmed the importance of banks implementing the principles set out in the POR and revised PSMOR. Consistent with the POR and revised PSMOR, outreach participants indicated that banks' third- and fourth-party risk management arrangements should reflect strong governance and the integration of risk management in their due diligence processes. Participants noted that when using industry-wide consortiums to support their risk assessment and due diligence efforts, banks should not outsource their risk management responsibilities. Participants further observed that appropriate business continuity and contingency planning procedures and exit strategies support banks' operational resilience in the event of a failure or disruption at a third party that would impact the provision of critical operations. As a related matter, it was agreed that banks' business continuity plans should assess the substitutability of third parties that provide services to a bank's critical operations, and other viable alternatives that may facilitate operational resilience in the event of an outage at a third party, such as bringing the service back in-house. With respect to concentration risk, participants noted that banks should collaborate with service providers in planning for potential failures and developing appropriate options.
The Committee will continue to carefully monitor banks' third- and fourth-party risk management and concentration risk-related arrangements, and potential systemic risks arising from the concentration of services provided by specific entities. The Committee is of the view that the implementation of the POR and revised PSMOR is critical to strengthening banks' ability to withstand operational risk-related events and enhance their operational resilience.
1 The Committee issued a newsletter on cyber security, given that cyber threats and incidents have increased since the onset of the Covid-19 pandemic, posing risks to the safety and soundness of individual banks and the stability of the financial system.