The S&P Global Know Your Third Party (KY3P®) team recently sponsored the 7th Annual Vendor & Third Party Risk Europe Summit organized by the Center for Financial Professionals. The two-day event brought together over 160 Third Party Risk Management (TPRM) professionals to discuss all things third-party risk related. Here are the top takeaways from the event:

1. The race for talent
As the demands and expectations on TPRM programs continue to grow, TPRM teams need to develop subject matter expertise to span key areas of vulnerability e.g., data breaches, the possibility of operational failures, financial instability, reputational impact, and cybercrime. This can mean firms need to employ a dozen specialists, then a management team to own and oversee the process, plus a team to drive execution. Firms need to work smarter, and there is a growing realization that if TPRM is not a core capability of your organization, then there is often little value in building the expertise in-house. The struggle for talent is real. Suppose a company operates in a low-cost location. In that case, few or no candidates are available with deep expertise in areas of due diligence such as cyber security or financial risk. The few skilled candidates are expensive in high-cost locations such as London or New York. According to Glassdoor, the total pay for TPRM has increased by over 16% in just the last six months! Focus your resource on your pockets of highest risk and outsource the rest.

2. Refocus on operational resilience
Traditionally, the focus of TPRM has been on the information security threat and protecting data, not on the resilience of the supply chain. The COVID-19 pandemic exposed weaknesses in the supply chain and within organizations' TPRM processes and frameworks, resulting in a growing realization that operational resilience needs to be embedded into an organization's DNA. Organizations are moving away from traditional risk management practices where everything ends up amber. They accept that third-party services will fail but need adequate resilience in the supply chain to maintain services to customers. Treating operational resilience, and by extension TPRM, like a tick box exercise and purely responding to new regulations is not enough. Organizations must take a holistic and cross-functional approach to monitoring and managing third parties. This includes developing exit strategies for your most critical and material third parties. Bringing the right people, including your supplier, to the table is key in planning for and managing both stressed and planned exits and building a robust and resilient supply chain.

3. The evolution of due diligence methods
The supply chain is increasingly considered a strategic extension of an organization. That means focusing more on the partnership and developing better relationship management. As an industry, financial services needs to get smarter about risk assessing third parties. Gone are the days when all the power lies with the financial firms and they can expect suppliers to complete hundreds of repetitive and duplicate due diligence questions yearly. Shared assessments and consortia-led frameworks are increasingly being adopted to drive convergence across the many different due diligence approaches and deliver efficiency to suppliers and financial firms. Consortia also facilitate best practice sharing moving towards more resilient and robust supply chains. In addition, firms are looking more and more to data to provide pre and post-contract diligence and ongoing monitoring. Readily available public data insights across a myriad of risk domains (e.g., cyber ratings, financial stability, ESG, and geographic location) provide meaningful assurance into a third party's risk posture before firms invest significant resources into more invasive due diligence.

How S&P Global KY3P® can help:
KY3P® helps you manage your end-to-end vendor portfolio lifecycle on a single platform with on-demand, multi-dimensional vendor risk assessments. Our tools let you continuously monitor risk through partnerships with industry-leading data providers specializing in financial health, cybersecurity ratings, data-breach analysis, location risk, and more. Our managed services scale your third-party risk management program while minimizing constraints caused by the difficulties of attracting and retaining risk management teams.

Find out more by visiting KY3P®

Posted 29 June 2022 by Kate Aziz, Global Head of Managed Services, KY3P, S&P Global Market Intelligence

S&P Global provides industry-leading data, software and technology platforms and managed services to tackle some of the most difficult challenges in financial markets. We help our customers better understand complicated markets, reduce risk, operate more efficiently and comply with financial regulation.

This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.