By Atul Vashistha
Although it’s unclear when the negative effects of COVID-19 will be fully played out, one thing is certain: The traditional third-party risk management, or TPRM, practices that financial institutions have relied on are inadequate going forward. Many current risk programs are reactionary in nature, thereby crippling effective risk mitigation. The problem is compounded by the fact that risk mitigation decisions rely on static data collected during point-in-time assessments.
In today’s rapidly changing risk environment, reactive responses and stale risk data are passé. Leading financial institutions are recognizing the need to reset their TPRM programs. Making the shift to investing in continuous risk monitoring through a proactive risk operations center enables effective risk anticipation to mitigate or even avoid costly business disruptions.
The shortcomings of today’s TPRM programs
For most financial services TPRM programs, the main risk focus occurs during the third-party selection process. Due diligence is performed at the point of onboarding to understand the risk associated with a new location or a new third party.
Assessments are performed periodically, usually once a year or every other year, to ascertain whether risk profiles have changed. Additional efforts are typically limited to reactively responding when a risk event has already occurred. The downfall of these practices results from the continuous, dynamic nature of risk. The time between assessments leaves financial institutions exposed and vulnerable to potentially significant disruptions.
The inadequacy of today’s programs stems from an underinvestment in risk due to a reliance on outdated risk models. For too long risks such as global pandemics have been considered high impact, but low probability. This isn’t logical when you consider both the frequency of recent disease outbreaks (four pandemics since 2002—SARS, H1N1, MERS, and COVID-19) and the hyper-connectivity of our global financial markets and travel. When financial institutions tested their disaster recovery and business continuity plans pre-COVID-19, few if any tested a scenario where 100 percent of employees would be forced to work from home or that all global operations would be affected at once. Today’s risk leaders need to challenge their assumptions on risk impact, frequency and worst-case scenario.
Operational disruptions result not only in lost revenue, but also reputational damage, customer churn, regulatory penalties, litigation, attrition, lost productivity of internal employees tasked with resolving the incident and often much more. When you evaluate the potentially astronomical cost of disruptions, it’s easy to see why investment in risk management is now being recognized as a competitive advantage.
Introducing a permanent risk operations center
Leading financial institutions will establish a permanent risk operations center to continuously monitor for changes, assess potential impact, identify risk mitigation actions, track incident resolution and identify risk trends. The competitive benefits realized are improved speed and quality of response to minimize or avoid disruptions and the related costs.
While permanent, an ROC can be staffed up or down as the risk environment requires. It is continuously monitoring, planning and proactively ready to act. Enterprises that wait to establish a risk operations center in a reactionary manner, once a crisis is declared, will miss out on key risk intelligence and valuable time to make effective risk mitigation or avoidance decisions.
The foundation for building an ROC
An ROC relies on four components: a monitoring post, a workflow tool, a response center and a feedback loop. The monitoring post continuously monitors risk across a broad framework of third-party and location-based risks to collect real-time risk intelligence. Traditionally, TPRM programs have been heavily focused on financial and cyber risks, but today’s business disruptions come from a wide spectrum of risk, such as compliance, sanctions, people, solutions maturity, client and location-based risks.
Relevant and validated risk intelligence is routed through a workflow tool. The response center, ideally divided into specialized workstreams like technology, facilities and workforce, will then assess the intelligence for relevance and risk level to the institution. From there, risk mitigation guidance and recommended actions, both internal and external, are provided to the relevant business functions. When action is taken, results are entered into the feedback loop to know what is working and when alternative actions are required. Risk events are then tracked to resolution.
Staffing an ROC for a financial services enterprise should be considered through the view of competencies needed. These functions can be covered through a combination of technology, tools, analytics and people. Data collected needs to be continuous and analyzed in real-time for relevancy and impact to produce risk intelligence that can be used for mitigation, trending and forecasting. As the response center team will need to work well with other business functions, they need skills related to relationship management and collaboration. Team members will need risk mitigation knowledge and the ability to look beyond the individual risk event to make connections to other possible related or cascading risks in a truly proactive fashion.
A new way forward
COVID-19 has highlighted that our current risk models and third-party risk practices are no longer adequate. Instead of focusing on risk management as an expense, financial enterprises should pivot to a new way forward with risk management as an investment. Making the proper investment in continuous risk monitoring through a proactive and permanent risk operations center, financial enterprises can reap the competitive advantages of business resilience, regulatory compliance and brand enhancement.
Atul Vashistha is a leading expert on globalization, governance, and risk. He has authored three best-selling books: The Offshore Nation, Globalization Wisdom and Outsourcing Wisdom. He is also founder and Chairman of Supply Wisdom, the real-time and continuous risk intelligence and monitoring solution.