Today's financial institutions (FIs) deliver financial services to their clients through both internal activities and the activities of third-party providers in their network, each using its own resources such as employees, systems, and infrastructure.
Although some of these activities and resources may be outsourced, the associated potential losses (the risk) remain with the FI.
This means that an FI would ideally apply its own risk management practices to its third-party providers.
However, since each FI has its own version of risk management practices and each service provider serves multiple FIs, imposing one FI's risk management practices on a shared service provider is not feasible.
What to do? To answer this question, we first have to ask an antecedent question: what are we trying to achieve? What is the goal?
In 2013, lightning struck an office building in Mount Pleasant, South Carolina, causing a fire to break out. The offices were home to Cantey Technology, an IT company that hosts servers for more than 200 clients, including Bank ABC.
The fire torched Cantey's network infrastructure, melting cables and burning its computer hardware. The equipment was destroyed beyond repair and the office was unusable. But Cantey's clients never knew the difference, because of Cantey's robust business continuity management (BCM).
The CEO of your bank calls the CRO and says: "They never knew the difference! That is impressive. Would our clients know the difference if our servers were destroyed?"
This is what Third Party Risk Management is all about.
That is not what happened with the Rogers Communications outage.
Regulatory Expectations
Here is OSFI's draft guidance on Third Party Risk Management; please review it and familiarize yourself with it enough to participate in the class discussion.
Risk appetite acts as a foundational guideline for evaluating new vendors and setting expectations. A well-defined risk appetite allows organizations to screen vendors more effectively, ensuring that they align with the organization’s risk tolerance, especially in areas like data security, operational resilience, and compliance.
I wonder what steps the organization takes to assess the risk profile of a third party. How does the organization handle situations where a third-party vendor's risk profile exceeds the defined risk appetite? What contingency plans are in place if a high-risk vendor relationship must be terminated abruptly in order to minimize losses?
The case identifies fourth-party risk, where vendors subcontract services, which introduces layers of complexity and reduces visibility. Zev's focus on this risk reflects a growing recognition that organizations need mechanisms to track not only their direct vendors but also the extended parties, to ensure control over outsourced operations. How can the bank effectively monitor fourth-party risks? How can the bank incentivize primary vendors to actively manage their own subcontractors?
What specific risk management practices should FRFIs implement to address technology and cyber risks in third-party arrangements, especially regarding cloud service providers?
Would third-party risk mainly relate to cloud servers and data privacy issues? As we look into cases of cyber-attacks and data breaches, the main causes may be weak controls at the service provider. If the audit report of the third party shows that the third party has strong controls and the risk is low, would the company still have to develop a very detailed plan to manage third-party risk, or can it rely on the controls that are being audited?
How does the FI address concentration risk, especially with widely used providers in critical areas like cloud services? Are there controls in place to monitor subcontracting by third-party vendors? Also, how can the FI ensure third parties remain consistent with regulatory requirements? When transitioning away from a third-party provider, how should the company handle sudden disruptions during the transition, and how can the company minimize the time and cost of switching third parties?