21
Third party risk management (TPRM) COVID-19 impact on third party resilience April 2020
Third party risk management(TPRM)
COVID-19 impact on third party resilience
April 2020
Contents
Page 2
31. Executive summary — Impact of COVID-19 on third parties and key questions
52. Background — COVID-19 and third parties
73. Key challenges and approach — Now, Next and Beyond
Topic
84. Now — Operational resilience of third parties
106. Beyond — Learnings from COVID-19
95. Next — Financial stability of third parties
117. Key contacts
12Appendix
Third party risk management (TPRM)
1. Executive summary — The impact of COVID-19 on third parties
Page 3Page 3
The rapid spread of the COVID-19 is impacting economic growth and market volatility is increasing. This has impacted the industrythrough weakening investment returns and a potential adverse impact on the capital position of financial institutions around the world.From a TPRM perspective, it remains key to understand third party inventories and continue to risk assess third parties to recognizetheir criticality for continuity of services.
The immediate TPRM actions
► Evaluation of Critical and Tier 1 relationships fortechnology infrastructure challenges and financialhealth concerns
► Send a series of focused questions about theirresponse to COVID-19, business impact and theirplanning for the future
► Critical global dependencies and location analysis asall countries go into and out of lock down scenarios
► Geographical load balancing of non-technical capacityand considerations for long term resource stress
► Laptop allocations and other infrastructure needs,which need to be provided internally beforeaddressing third-party needs and remote accesscapabilities
Additional procurement concerns
► Firms are experiencing issues with conducting riskassessments and on-site supplier assurance
► Information security concerns change withindistributed working scenarios
► For offshore entities, where suppliers have centresin less developed countries, there is limitedconfidence in the backbone infrastructure
► Review of material Master Service Agreements andcontracts for Service Level Agreements andcredit/penalty scenarios for enhanced closemonitoring and governance
► Short and long term evaluation for stringency vs.leniency in enforcing contract obligations givenworking circumstances
Financial risk exposure
► Consider potential impact to third party’s P&L due tovolatility in earnings, increased costs and loss in revenue
► Assess third party’s liquidity and capital impact due toglobal economic downturn
► Evaluate your own exposure to third party businessinterruption, supply claims and event cancellation claims
Non-financial risk exposure
► Understand third party landscape servicing your criticaltechnology and cyber operations to prepare, sense, andrespond to most forms of disruption
► Understand third party resilience; confirming alignmentwith your own plans, and how to communicate the “end”of the pandemic
How EY teams can help
► Now: Impact assessments for remote work, security operations, third and fourth party readiness for critical vendors and supporting contingency programmes, includingregulatory responses and process work-arounds (including automated access provisioning)
► Next: Testing to assess remote infrastructure and capabilities; including stress testing for financial impact and resilience► Beyond: Enhancing your TPRM framework through enhanced awareness, reporting, technology and collaboration, learning from COVID-19
Third party risk management (TPRM)
1. Executive summary — Key C-Suite questions related to third party resilience
Page 4
To navigate this challenging environment, firms should focus on better communication, enhanced consumer relationships and moretransparently with customers and investors. In order to do so, it’s important that senior members of organizations consider thefollowing questions in relation to third parties and their resilience:
Questions related to third party resilience1. Can you map your key third parties to impacted jurisdictions and industries?2. Do you have standardised questions to ask of your third parties and who is reviewing their responses?
3. Do you have clear policies regarding the presence of third parties onsite and are you clear which of your third parties can operateremotely?
4. Do you know, talking to relationship managers, IT and facilities, which services you can’t afford to lose?5. Are you clear which of your third parties preform any part of a critical economic function?6. Do you have a method of understanding the supply chains of your third parties and where the second order effect may arise?7. Can you quickly tell how many contracts, third parties, employees and other key relationships might be affected?8. Does the “Force Majeure” or hardship clauses in your standard terms and conditions or key contracts apply to this crisis?
9. When evaluating alternative third parties, are there exclusivity clauses in current third party contracts that may complicateswitching?
10. Can you determine the your third parties’ financial viability or attitude to the crisis facing your organization?11. Have you already given any consideration to the reintegration of third parties after COVID-19?12. Do you think the new normal will be different compared to the previous normal (working models/behaviors)?
Third party risk management (TPRM)
2. Background — The unexpected outbreak of COVID-19 is having a significant impact onglobal third party chains
Page 5
The COVID-19 outbreak has over 700,000 confirmed cases which is higher than previous recent disease outbreaks such as Ebola,MERS and SARS combined.
94% of the Fortune 1000 are seeing coronavirus supply chain disruptions.
Coronavirus raises fears of US drug supply disruptions 14% ofthe facilities that make active pharmaceutical ingredients arein China.
European companies face coronavirus hit to supply chainsItalian auto supplier warns car groups’ production lines may be brought to a standstill.
Oxford Economics warned that the spread of the virus to regions outside Asia would knock
1.3% off global growth this year, the equivalent of $1.1t in lost income.
““
“
“
The current COVID-19 pandemic hascaused disruption through all sectorswith various degrees of impact. It istime for companies to rapidly assess,recover and respond quickly throughnumerous obstacles and challengesthat will stand in the way. Throughthe chaos of recovery, it will be veryeasy to overlook the root cause andgaps within a supply chain that mayhave paralysed businesses duringthis unpredictable major event in thefirst place. Building towards aresilient third party chain will be atthe epicenter of future discussion foryears to come.
Third party risk management (TPRM)
2. Background — but COVID-19 is only the latest in an increasing number of unexpecteddisruptions hitting third party chains, impacting overall business performance
Page 6
Natural events► $210b Tohoku earthquake in
Japan halts production forToyota, GM and Nissan
Trade barriers► US $63b tariffs on EU autos and
auto parts, place strain on decades’old Global Supply Chain
Civil unrest► March at La Escondida, Chile copper
mine reduced global copper capacityby 5%
Terrorism► Border restrictions after Paris
Attack led to $3.5m increase toBelgium shippers in 1st month
Distressed suppliers► Crop disease, dry weather and
government policy changescause cocoa shortage for foodmanufacturer
Epidemics► Covid-19 outbreak expected to
cause a ~$400B dent in the globaleconomy in two years- anestimated 8X bigger impact thanSARS
Cyber attacks► WannaCry ransomware attack
losses could reach $4b► 50% increase in attacks from
2018, makes Supply Chain morevulnerable
Third party risk management (TPRM)
3. Key challenges — EY clients have to execute now, and prepare for the next and beyond as aresult of COVID-19 challenges
Page 7
The rapidly evolving threat around the COVID-19 virus is raising concerns among many organizations across the globe. Theinterconnected landscape of today’s business environment with third parties pose serious risk of disruption that can result in significantloss of revenue.
1 NowSolve the now 2 Next
Manage this year 3 BeyondThe current crisis
► Monitor the financial stability of yourcritical and important third parties
► Learn from COVID-19 and enhanceyour TPRM delivery models to futureproof your third party operations
► Help manage the immediateoperational resiliency challengeslinked to your third parties
Key ClientChallengesrelated to ThirdParty RiskManagement
► The extent to which critical third parties can continue to operate under significant stress for prolonged periodsof time
► Increasing concerns over data security or data leakage due to third parties moving to remote working/access► Difficulties to obtain holistic third-party universal view to fully understand dependencies and vulnerabilities► Inability to conduct appropriate third party risk assessments and supplier assurance activities► Do not have the capacity or technical capabilities to conduct the required on-going monitoring activities on third
parties► Meeting existing regulatory/Internal Audit deadlines or complying with on-going regulatory requirements► Ethical considerations, including how to manage small- and medium- sized third parties with the variation of
demand through the pandemic
Third party risk management (TPRM)
4. Now: Third party operational resilience
How EY teams can help?EY COVID-19 Third-Party Risk Management Assessment offering provides a rapid, scalable and automated assessment to evaluate and monitor third-party risksdue to COVID-19. This will help enable the organization to assess the impact to their critical third parties and understand how they are responding tocontinuously support key IT and business operations in a rapid and efficient manner. As a result of COVID-19, it is increasingly important for these assessmentsto take place rapidly and dynamically.The approach includes three phases:
Page 8
The interconnected landscape of today’s business environment poses serious risk of disruption that can result in significant loss ofrevenue. Organizations need to evaluate the ability of their critical off-shore presence and third-parties to continuously support criticalfunctions such as IT, human resources, payroll, financial reporting, cybersecurity and others.
Identify and prioritise third parties providingcritical services to your organization.Confirm third-party status and services, and anyreach outs performed with internal third-partyrelationship owner(s).Leveraging TPRM technology, launch theCOVID-19 assessment questionnaire to third-party contact(s).
Gather information from third parties tounderstand the impact and how they areresponding to COVID-19. The assessmentincludes the following areas but not limited to:► Business continuity / pandemic plan► Remote access for Work-From-Home (WFH)
resources► Network security and operations
management► Security event management► Dependency on fourth parties
Summarise and review the third-partyresponses.Evaluate the impact and ability of third-partiesto support the organization’s critical functions.Develop recommendations and report onevaluation results.Support the triage and monitoring of agreed keyactions.
1. Plan 2. Assess 3. Respond and monitor
Third party risk management (TPRM)
5. Next: Third party financial resilience
Page 9
At a time when industries are severely stressed, contingency plans developed in better times are proving to be ineffective. In thisenvironment, firms are subjected not only to the financial health of immediate third parties, but also to the collective financial positionsof all those which their third parties rely. With complex supply chains and deteriorating market conditions, the risks today are an orderof magnitude greater than in prior years. Firms need to deploy significantly greater resources toward identifying third partiesexperiencing financial duress, and even more, finding the best ways to deal with these heightened risks.As a direct result of COVID-19, firms will also need to consider existing financial arrangements and refund procedures if third partiescannot continue to operate.
Life cycle of adistressed thirdparty
An effectiveprogram ofidentifying andmanaging the risksof a distressedsupply chain can bedescribed in threeprinciple orworkstreams
Companies need to think in terms of both near- andthen longer-term actions. Companies need to beprepared to, where necessary, take more dramaticaction.The EY Stress Pendulum gives an indication of thetypical stability monitoring and risk mitigationprocesses which exist to support companies in suchadversity as a result of COVID-19
Troubled third partyrisk assessment
Early warningscreening system
Distressed thirdparty management
Operational, financialand qualitativemetrics used to
profile third partiesbased on risk level
Detailed riskassessment and
mitigation planningfor third parties
which pose significantrisk
Further evaluationand review of
distressed third partywith a view to
protecting supply
Third party risk management (TPRM)
6. Beyond: Learning from COVID-19 and the future of TPRM
Page 10
Enhanced awareness and reportingCOVID-19 has brought a dramatic insight into the business continuity and operational resilience of thirdparties. We expect organizations to adopt an approach to TPRM that is increasingly data driven, proactiveand action oriented, drawing on the strengths of machine learning (ML) and artificial intelligence (AI). Clientwill be facing rejuvenated regulatory pressure, which will consider the proportional and appropriatemanagement of third parties.
1
TechnologyOrganizations are increasingly looking to the technology to improve the end to end TPRM programme acrossthe three lines of defence, and also help tackle the nth party challenge. COVID-19 has highlighted the needfor enhanced BAU TPRM activities, naturally enabled by technology, whilst technology will be able to supportwith root-case analysis and simulations.
2CollaborationAny incident emphasizes the need for increase collaboration, both internally (between functions anddivisions) and externally (across the industry). Internal and sector-based external utilities which moreefficiently manage third party risks, and at a lower cost, will continue to feature.
3Third party risk management (TPRM)
7. Key Contacts
Page 11
Kanika SethPartnerFSO TPRM [email protected]
Jerry O’SullivanAssociate PartnerFS Advisory [email protected]
Sara WoodsSenior ManagerFS Advisory [email protected]
Third party risk management (TPRM)
Page 12
Appendix
Third party risk management (TPRM)
Page 13
Now: Third party operational resilience — What can you do?
► Assessment intake processfacilitated by either the EY baselinemethodology or directly using theorganization’s existingmethodology
► Third-party’s product and servicerisk profiling using a targetedscope COVID-19 questionnaire
1. Plan
► Development of service risk profilereassessment timeline (e.g., every2 years)
► Establishment of third-party riskassessment monitoring approach(based on residual risk rating)
► Data mining looking for supplierchain linkages
4. Monitor
► Rapid assessment planning andcoordination
► Execution of remote global third-partyrisk assessments in 5+ risk areasincluding Information Security,Privacy, Business Continuity andRegulatory Compliance
► Residual risk calculation
2. Assessment execution
► Risks and findings monitoring,from registration to closure
► Evaluate the impact and ability ofthird-parties to support theorganization’s critical functions
3. Respond
TPRM
Assessmentexecution
Monitoring
Integrate all EY leadingmethodologies andenablers
Supported by atechnology platform,(for client, third parties,EY)
Execute rapid end-to-endTPRM processes onbehalf of the client
TPRM lifecycle
Third party risk management (TPRM)
Page 14
Next: Third party financial resilience — What can you do?
What is BRETA?
EY business relationship and economic threat analysis (BRETA) capability focuseson identifying and triaging business, economic and operational-related risks acrossa client’s ecosystem of business relationships (customers, suppliers, joint ventures,partnerships, etc.). BRETA leverages the firm’s experience across six disciplines(financial, technical, regulatory, supply chain, cyber and geopolitical) to provide amulti-dimensional view of risk and potential mitigation strategies.
How is it used?
The automated tool assists clients with threat screening, exploratory analysis andrisk scoring of individual entities or sub-populations. This differentiated capabilityuses publicly-available data sources to produce comprehensive reports. The reportsfeature interactive visualisations of market trends, business relationships, locationand geographic data, market transactions and automated aggregation and analysisof key indicators of financial health to rapidly identify where threats orvulnerabilities exist.
Third party risk management (TPRM)
TPRM market dynamics: key trends of 2020
Page 15
Resilience of third parties Growing market interest Board level attention Expanded risk landscape
Significant business disruptionas a result of COVID-19highlights the need fororganizations to have a clearunderstanding of the resilienceof their third parties
TPRM started off being a focusfor financial services due toregulatory requirements andhas since moved to otherregulated sectors
Third party risks are beingdiscussed at the board level,and more board members arebecoming aware of the topicand need
Organizations have expandedtheir risk focus fromIT/information security risk toa broader, more inclusive risklandscape
1 2 3 4
Integrated TPRM function Operating model evolution Common frameworks Technology-enabledIntelligence
Organizations are setting upan integrated TPRM functioncomprised of procurement,supply chain, legal, complianceand IT
Organizations are reducing in-house reliance and movingtoward co-sourcearrangements or fullymanaged services
Organizations are movingtoward standardising thirdparty assessmentmethodologies and processes
There has been a movementfrom manual activities to on-premise technologies toutilising software as a servicecloud based solutions, whererisk data is increasing beingused to provide procurementand supply chain insights
5 6 7 8
Third party risk management (TPRM)
TPRM framework: It is become more important than ever to deliver robust third party riskmanagement, utilising an enterprise-wide framework
Page 16
A TPRM function is comprised of six functional components that enable efficient, consistent and enterprise-wide execution.
Enterprise-wide policy and proceduresestablish clear roles and responsibilities forall functional owners through the execution ofthe end-to-end TPRM lifecycle. More mature functionsembed service/risk management within third partymanagement policy/procedures for stream-linedintegration and execution.
Technology and data enable TPRM processes toreduce overall function cost. Additionally, the use oftechnology increases data integrity and drive seamlessand reliable reporting.
Risk models help ensure monitoring activitiesare reflective of the inherent/residual riskassociated with third parties and their services –essential in quantification and illustration ofTPRM programme value.
Risk assessment and due diligenceare essential.to understand the third partiescontrol environment around identified risks(e.g., enterprise resilience, cyber security,regulatory compliance, etc.)
The operating model defines clear roles andrelationships supportive of consistent, risk basedapplication of all functional enterprise-wideTPRM process.
Oversight and governance is the component thatoversees the function to ensure that the relationshipsand activities are managed effectively. This consists ofthe following sub components: reporting, issuemanagement and escalation, internal and externalprogramme liaison, quality assurance and policyadherence.
41% of firms said primary ownership of the TPRM function falls within procurement (1st line of defense) – 2018 TPRM survey
Monitoring is the periodic assessment andmanagement of risk and service performancerelative to a third party and the servicesprovided once contracted.
Third party risk management (TPRM)
Regulatory requirements: The EBA outsourcing regulatory requirement provides a frameworkto assess, govern and monitor third parties
Page 17
Core Considerations:Regulatory Deadline► Finalised version of EBA guidelines were made
available March 2019► The guidelines apply from 30 September 2019 to
all outsourcing arrangements entered into on orafter this date
► Complete documentation for all existing contractsmust be completed by first renewal date of eachcontract, but no later than 31 December 2021
Proportionality► Institutions are expected to apply the principle of
proportionality to achieve the requirements, byapplying governance that aligns with the nature,scale and complexity of the operations
► Management body of the institutions retains fullresponsibility for the regulatory requirements
Outsourcing arrangements► Institutions are required to establish if an
arrangement with a third party falls under thedefinition of outsourcing, and if this constitutesthe outsourcing of a critical or important function
Outsourcing to cloud► EBA outsourcing standards for cloud service
providers have been applicable since 1 July 2018and have been embedded into EBA outsourcingguidelines to set the supervisory expectations forservices outsourced through cloud
EBA emphasizes the following aspects of outsourcing arrangements by institutions
The institution retains full responsibility andaccountability for complying with applicableregulatory obligations
Institutions are required tohave an outsourcing policy inplace
Institutions should identify,assess and manage conflictsof interest
Institutions are required tohave Business ContinuityPlans available with regardto the outsourcing of criticalor important functions
The internal audit activities shouldcover the independent review ofoutsourced activities following a riskbased approachInstitutions should maintain a register
of all outsourcing arrangements,critical or otherwise
Pre-outsourcing analysis should be performed forall outsourcing arrangements covering:► Assessment of the criticality of importance► Due diligence► Risk assessment
The respective rights and obligationsof the institution and service providershould be clearly allocated and set outin a written agreement
Institutions are required to monitorthe performance by the serviceprovider with regard to alloutsourcing arrangements
Institutions should have a clearly definedexit strategy for all outsourcing of criticalor important functions
Institution should provide the relevantauthority with the register of outsourcingarrangements
1
2
3
4
5
6
7
8
9
10
11
EBA guidelineson outsourcing
Third party risk management (TPRM)
Regulatory requirements: The PRA consultation paper requires an enhancement of theoversight of third parties to help improve their operational resilience
Page 18
Case for change Key objectives of the CP Key concepts
► Greater reliance is being placed on thirdparties and increasingly on technologyproviders, e.g., Cloud
► Firms face increased risks, e.g., storing,processing and/or sharing of customer data,long chains of service providers, regulatoryreporting
► The evolving nature of Outsourcing andTPRM brings benefits, opportunities andpotentially enhanced resilience if managedappropriately
► Modernises expectations► Facilitates greater resilience► Clarifies PRA expectations► Final policy expected in the second half of
2020
► Definitions – material vs. non materialoutsources
► Intra group – no less risky than externalarrangements
► Governance – responsibility cannot beoutsourced
► Data Security – detailed requirements aroundsecurity
► Access, audit and information rights – riskbased approach and concept of pooled audits
► Sub-outsourcing – emphasis to assess thisrisk
► Business Continuity and Exit – importance ofdefining and testing approaches for stressedscenarios
Third party risk management (TPRM)
TPRM market dynamics: EY FSO TPRM 2019 survey — The survey highlights the keychallenges facing organizations and their response
Page 19
65%
57%Resourcing model
54
20
Operating model
58%
38%
of organizationsreported having acentralisedstructure.
40%Tools and technology
of organizations have a TPRMtechnology platform. Over halfof those that have links toexternal threat intelligencedata or supplier data.
37% of organizations that usetools/technology as part of theirTPRM programs indicate thattechnology across theorganization is not integratedand requires manualreconciliations to report out ofmultiple systems.
38% of organizationshad a data breachcaused by a thirdparty over the past2 years.
52% of organizationshad an outagecaused by a thirdparty over the past2 years.
Cybersecurity
Execution
resources, on average, arededicated to supporting theTPRM program/function.
resources within the business,on average, provide support tothe TPRM program/function.
of organizationsreported having ahybrid structure.
Assessments
83% of organzsations reassess(risk/control assessment)critical third parties on anannual basis
70% of organizations rely on thecontractual terms establishedwith the third party toassess/monitor fourth parties
Inherent risk
45% of organizations refreshthird party inherent riskprofiles based upon theirinherent rating
41%of organizations expect to usemore of managed services toexecute their TPRMprogram/function in 2–3 years.
of organizations expect to usemore of marketutilities/exchanges to executetheir TPRM program/functionin 2–3 years.
of organizations expect to usemore of sector-basedconsortiums to execute theirTPRM program/function in 2–3years.
Fourth-party management
Third party risk management (TPRM)
EY thought leadership: examples
Page 20 Third party risk management (TPRM)
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services.The insights and quality services we deliver help build trust and confidencein the capital markets and in economies the world over. We developoutstanding leaders who team to deliver on our promises to all of ourstakeholders. In so doing, we play a critical role in building a betterworking world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of themember firms of Ernst & Young Global Limited, each of which is a separatelegal entity. Ernst & Young Global Limited, a UK company limited byguarantee, does not provide services to clients. Information about how EYcollects and uses personal data and a description of the rights individualshave under data protection legislation are available via ey.com/privacy. Formore information about our organization, please visit ey.com.
© 2020 EYGM Limited.All Rights Reserved.
EYG/OC/FEA no.
EY##### (UK) ##/20. CSG London.
ED MMYY
This material has been prepared for general informational purposes only and is not intended tobe relied upon as accounting, tax or other professional advice. Please refer to your advisors forspecific advice.
ey.com/
GlobalBoilerplate
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services.The insights and quality services we deliver help build trust and confidencein the capital markets and in economies the world over. We developoutstanding leaders who team to deliver on our promises to all of ourstakeholders. In so doing, we play a critical role in building a betterworking world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of themember firms of Ernst & Young Global Limited, each of which is a separatelegal entity. Ernst & Young Global Limited, a UK company limited byguarantee, does not provide services to clients. Information about how EYcollects and uses personal data and a description of the rights individualshave under data protection legislation are available via ey.com/privacy. Formore information about our organization, please visit ey.com.
© 2020 EYGM Limited.All Rights Reserved.
EYG no. 001562-20Gbl
This material has been prepared for general informational purposes only and is not intended tobe relied upon as accounting, tax or other professional advice. Please refer to your advisors forspecific advice.
ey.com/
