4 steps growing banks can use to manage third-party risk

Gayle Woodbury, Jill M. Czerwinski

How do you know whether your financial services firm is aware of all your third parties and properly managing the risks?

It’s a simple question with a complex answer. As third-party services become more technology-driven and outsourcing trends intensify, it’s more urgent than ever for growing banks to address how they handle third-party risk management (TPRM). At the same time, it’s increasingly difficult for risk professionals to manually examine every relationship and determine the extent to which each needs to be assessed under a TPRM process.

In this article, Crowe risk management specialists describe four essential steps that can help you define and manage your third-party vendor risks.

1. Figure out who your third parties are


It can be challenging to define your third-party population. The simple definition says that a third party is any entity with whom you have a business relationship, whether or not that relationship is defined by a written agreement. However, this definition is often too vague for practical TPRM use.

To determine who your relevant third parties are, organizations need to decide what types of third parties require due diligence and monitoring. Do all your third parties fit the definition of a vendor, supplier, or service provider? Or do some of your third parties fall into a broader set of relationships, such as partners, affiliates, or joint marketers? This latter set of relationships sometimes gets overlooked but might need to factor into your TPRM processes.

One way to make sure that you’ve identified all your relevant third parties is to compare your accounts payable spend against your current vendor inventory. Another way is to compare access logs. Who has electronic access to your network, and who has physical access to facilities? Do the names on that list match those on your employee roster? If you see names that aren’t on your roster, then you might be looking at third parties you haven’t identified.
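The two reconciliation checks just described can be scripted. The example below is added here and is not from the Crowe article or its platform; all vendor names, payees, principals and amounts are constructed, and the normalization rules (lower-casing, dropping punctuation and trailing legal suffixes) are an assumption about how payee names are spelled in accounts payable versus the vendor inventory.

```python
"""
Added example (not from the article): reconcile accounts payable spend and
access logs against the vendor inventory and employee roster to surface
third parties that have not been identified. All data is constructed.
"""
import re

# Constructed sample data (hypothetical names).
VENDOR_INVENTORY = {"Acme Core Banking, Inc.", "Northwind Cleaning LLC"}
EMPLOYEE_ROSTER = {"alice.chen", "bob.okafor"}

# Accounts payable entries: (payee as spelled in AP, amount_usd)
AP_SPEND = [
    ("ACME Core Banking Inc", 120000.00),
    ("Northwind Cleaning, LLC", 4800.00),
    ("Brightline Marketing Partners", 25000.00),
    ("Brightline Marketing Partners", 25000.00),
    ("Metro Water Utility", 900.00),
]

# Access events: (principal, access_type), e.g. VPN logins and badge swipes
ACCESS_LOG = [
    ("alice.chen", "vpn"),
    ("bob.okafor", "badge"),
    ("svc_brightline", "vpn"),
    ("contractor.jdoe", "badge"),
    ("contractor.jdoe", "badge"),
]

# Legal suffixes that AP and the inventory spell inconsistently (assumption).
_SUFFIXES = ("inc", "llc", "ltd", "corp", "co")


def normalize_name(name: str) -> str:
    """Canonicalize a payee/legal name so that 'Acme Core Banking, Inc.'
    and 'ACME Core Banking Inc' compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    while tokens and tokens[-1] in _SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def unidentified_payees(ap_spend, inventory, min_spend=0.0):
    """Payees paid through AP that are absent from the vendor inventory.
    Returns {normalized payee: total spend}, largest spend first, so the
    review queue starts with the relationships that matter most."""
    known = {normalize_name(v) for v in inventory}
    totals = {}
    for payee, amount in ap_spend:
        canon = normalize_name(payee)
        if canon not in known:
            totals[canon] = totals.get(canon, 0.0) + amount
    ordered = sorted(totals.items(), key=lambda kv: -kv[1])
    return {payee: total for payee, total in ordered if total >= min_spend}


def unidentified_principals(access_log, roster):
    """Principals with network or physical access who are not employees.
    Returns {principal: set of access types observed}."""
    found = {}
    for principal, kind in access_log:
        if principal not in roster:
            found.setdefault(principal, set()).add(kind)
    return found


if __name__ == "__main__":
    for payee, total in unidentified_payees(AP_SPEND, VENDOR_INVENTORY).items():
        print(f"AP payee not in inventory: {payee} (${total:,.2f})")
    for principal, kinds in unidentified_principals(ACCESS_LOG, EMPLOYEE_ROSTER).items():
        print(f"Access without roster match: {principal} via {sorted(kinds)}")
```

Each hit is a candidate, not a finding: a utility payment may be a legitimate non-vendor, and a service account may belong to a vendor already in the inventory under a different name. The point of the output is to hand the risk team a short, spend-ordered list to confirm against the inventory rather than the whole ledger.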

2. Develop a method to classify and segment your third parties


You need to set risk characteristics for your third parties and assess your third parties against those characteristics. Ideally, you want to spend more time on your most critical or high-risk third parties.

Some questions that can help you accurately assess the risk level of a third-party relationship include:

  • Do third parties get access to your data?
  • If yes, what type of data is it?
  • What volume of data are your third parties getting?
  • Do third parties have access to your network or physical locations?
  • Do third parties affect your production environment for all your systems?
  • Do third parties interact directly with your customers and represent your business while doing so?
  • Do you need to ask your third parties about their subcontractors too?

The answers to these questions can help you determine whether a given third party presents low, high, or critical inherent risk. That risk categorization can then help you decide how much of your TPRM resources to spend on assessments and monitoring.

3. Make sure your risk assessments contain targeted questions


Generic assessments are not particularly helpful when you’re trying to validate claims from your third parties. Your third parties all perform different functions for your organization. It might seem easier in the short term to send out the same questionnaire to everyone rather than tailoring assessments by vendor.

However, in the long run, sending out generic risk assessments can create problems. For one, third parties don’t like answering irrelevant questions, so unfocused questionnaires can harm the relationship. And depending on the nature and extent of the third-party relationship, your questionnaire might fail to address specific risks, or it might deliver unrelated information to whoever is tasked with the review process, wasting their time.

4. Give your third-party risk professionals what they need to execute


Too often, third-party vendor risk program problems result from too few employees managing far more third parties than they can handle.

The right risk management technology can help your third-party risk team operate more efficiently, which can make your budget go further. But technology solutions can also bog your program down if they aren’t tailored to your organization’s size and your industry.

As you explore your options, take time to think about your growth strategy and what that strategy might mean for your technology needs going forward. Find a solution that makes sense now but can also grow with you. Then, work with leadership to get buy-in and secure a budget allocation.

Crowe IRM-as-a-Service can help you with any stage of your third-party risk management process

It’s challenging for growing banks to identify and assess their third-party relationships. That’s why we created Crowe IRM-as-a-Service, a ready-to-use GRC platform that offers the technology and subject-matter specialists you need to sustainably evaluate and manage your third-party relationships.

Our platform includes a third-party risk management module that comes with an inherent risk assessment process and workflow. The system can help identify risk characteristics, put your third parties through a controls assessment, segment them by residual risk, and define ongoing monitoring plans for them. Crowe subject-matter specialists are also available to help with third-party review whenever you need them.

Furthermore, because the platform includes functionality to support other risk and compliance processes, you can easily connect your third parties to key information, like identifying which third parties support your products and services, business processes, applications, and other technologies. Crowe IRM-as-a-Service can help take your TPRM program to the next level.

Learn more about Crowe IRM-as-a-Service and how it can elevate your third-party risk management process.


Gayle Woodbury
Principal, Integrated Risk Management Leader

Jill M. Czerwinski
Principal, Third-Party Risk Leader