Banks continue to make significant strides in the area of third party risk management — though many are concerned about a lack of knowledge and not having the appropriate tools to efficiently assess and manage vendor risk — according to a study published today by Ernst & Young. Ninety percent of the institutions surveyed said they felt neutral or negative about how well their third party risk management tools were able to help them capture and report risk, and more than four in ten said that they consider lack of knowledge across the organization as a key challenge going forward.
Despite these concerns, however, the study pointed out that many banks have adapted to regulatory changes over the past few years and begun to appropriately scale their risk management programs. Thirty-nine percent of respondents said that all of their third parties now fall within the scope of their vendor risk management program, up from just 19 percent in 2014. When determining whether to enter a relationship with a third party, more than seven in ten organizations said they conduct pre-contract regulatory compliance reviews of potential vendors.
The majority of the banks surveyed reported using either a centralized (45 percent) or hybrid (41 percent) operational model for third party risk management. In terms of risk ownership, 41 percent said they believe that primary ownership of third-party risk resides with the procurement organization (or first line of defense), up from 26 percent last year.
The survey also noted that communication surrounding vendor risk management is improving. Seventy-one percent of banks said they report third-party breaches to senior management, and 35 percent report elevating breaches to the board level. Forty-three percent said they report critical third parties to the board, up from 26 percent in the last survey.
Additionally, banks are continuing to invest time and resources into third-party risk management — an overwhelming 95 percent said they plan to spend the same amount of time or more on it in the future.