Shifting toward maturity
Key findings from EY’s 2016 financial services third-party risk management survey
June 2016
Table of contents
About EY’s third-party risk management survey 2
Introduction 3
Executive summary 4
Market trends 6
Third-party population 8
Critical third parties 12
Operating model 14
Assessment framework 18
Termination/exit strategy 26
Oversight and governance; quality assurance/quality control 27
Regulatory exams 29
Technology 30
Inbound third-party management 31
Industry outlook 32
About EY’s third-party risk management survey
In the financial services sector, this is the fifth third-party risk management (TPRM) survey EY has conducted. The survey population this year saw its greatest single increase in participants, which led to shifts in the year-over-year trend results, most notably in the areas of functional program ownership moving slightly to favor Procurement, third-party inventory reductions in overall population, and technology integration with maturity in this space decreasing overall.
As in previous years, protecting customer information, reputation and brand, as well as regulatory compliance, remain the most important drivers when assessing third-party controls. The purpose of the survey is to provide financial services firms with unique insight into third-party risk management strategies and provide perspectives on industry trends that can assist them in developing successful third-party risk management programs as the industry moves toward maturity.
In our annual survey, we asked participants to respond to questions across several key areas of their third-party risk management programs:
• Third-party population
• Operating model
• Critical third parties
• Assessment framework
• Termination/exit strategies
• Oversight and governance; quality assurance/quality control
• Regulatory exams
• Technology
• Inbound third party
• Industry outlook
Here we share with you the results of this survey and evolving third-party management trends. We look forward to discussing this report with you and sharing our outlook on third-party risk management in the financial services industry.
Introduction
“You get smarter as you go along. I would say that team upgrade is on our radar ... but now as the program has been implemented, as we’re tuning it and evolving it, we’re finding that some of our roles are evolving in a way that had not been anticipated. When you’re in the mode of design, develop, build, implement, it’s about getting it done … and now the focus is on deeper quality, too. More seasoned, more analytical versus doing.”
— Executive, banking firm
Between October and December of 2015, EY surveyed 49 global financial services organizations with third-party risk functions in the retail and commercial banking, investment banking, insurance, and wealth and asset management sectors. The purpose of the survey was to address the distinctive nature of managing third-party risk in the financial services industry.
57% of the companies surveyed had fewer than 25,000 employees. This differs from last year’s survey, where 39% of firms had fewer than 25,000 employees and more than half had greater than 50,000 employees. Of those surveyed, about a third have had third-party risk management programs in place for more than five years, a third for three to five years and a third for fewer than three years.
The results of the survey are in the sections that follow.
Executive summary
Financial services organizations continue to make significant strides in managing third-party risk, even as challenges persist in the areas of overall organizational knowledge, right-sizing staffing models, optimizing cycle times and integrating technologies across the end-to-end third-party life cycle.
Shifting toward maturity found that organizations have finally absorbed the initial impact of sweeping regulatory change in 2013 and 2014 and have solved for core process expectations; however, many organizations are still adjusting the scope and scale of their risk management programs. Such scrutiny has pushed banking organizations ahead of their insurance and asset management counterparts with respect to maturity. At the same time, survey respondents cited a lack of knowledge across business functions and a pervasiveness of disintegration across third-party (risk) management tools as significant barriers to greater progress and a focus for the coming year.
“Given the increased regulatory scrutiny, it is not surprising that organizations are taking a closer look at their third-party populations, bringing more of them under the scope of their programs, and focusing more closely on risk segmentation,” said Chris Ritterbush, Executive Director, Ernst & Young LLP. “In this respect, financial services organizations are doing a better job of getting their arms around third-party risk. But there is still a lot to be done, especially in knowledge sharing across business areas and technology, where many organizations continue to rely heavily on spreadsheets to conduct vendor assessments.”
Highlights from this year’s survey:
• 90% of respondents felt neutral or negative about how well TPRM tools integrate and capture the overall risk for reporting purposes.
• 41% of organizations said that primary ownership of third-party risk management resides within the procurement organization, up from 26% in 2014, while 38% place it within enterprise or operational risk.
• 71% of respondents said they were either neutral or faced challenges with business unit support in executing program requirements, indicating continued challenges in the areas of business risk culture.
• A third (35%) of respondents said they report third-party breaches to the board, while 71% report them to senior management. In a sign of progress, however, 43% said they report critical third parties to board level, up from 26%.
• 71% of organizations said they conduct regulatory compliance reviews pre-contract, up from 47% in 2014.
• Nearly half of all organizations polled (49%) said it would take a week or more to pull a report on third parties using specific criteria, indicating a data challenge underpinned by a disconnect between procurement and third-party risk management systems.
• 39% of organizations surveyed reported that all third parties require some form of risk assessment, a significant increase from 19% in EY’s most recent SRM survey (2014).
In response to the technology and reporting challenges cited in the survey, organizations have committed to increasing their overall third-party risk management budgets, with more than 95% of organizations indicating that they intend to spend the same or more across a number of functional components, including internal staffing, technology/enablement and oversight/governance.
“It is encouraging to see that management has recognized the importance of managing third-party risk and has committed to increasing their investments and resources to help organizations meet the expectations of customers, clients, shareholders and regulators,” added Ritterbush.
Market trends
Third-party population
• 39% of respondents said all of their third parties fall within the scope of their third-party risk management program, up from 19% in 2014. Though fewer firms (36) were surveyed last year, it is a strong indication that organizations are continuing to revisit the third-party population to re-profile.
• Of the remaining 61%, two-thirds indicated that less than a quarter of their third-party population is in scope for the organization’s third-party risk management program, which is a significant increase from the 10%–15% of the population that has been a stable data point over the last three years.
• Approximately 86% separate third parties into three to five risk segments or tiers.
• The majority (83%) of those surveyed have a critical third-party list that is 80 third parties or less; interestingly, this has been observed regardless of the size of the organization or third-party population.
• 85% of organizations indicated that less than a quarter of their risk-managed population posed consumer protection risk to the organization, as defined by the Consumer Financial Protection Bureau (CFPB).
Operating model
• 41% of organizations said primary ownership of the third-party risk management function falls within procurement (first line of defense), up from 26% the year prior. 38% place it within enterprise or operational risk (second line of defense).
• Only 14% reported their program is fully decentralized, representing a strong movement toward centralized (45%) models and hybrid (41%) models.
• Primary ownership of inherent risk assessments fell within the line of business for an increasing number of organizations — 53% compared with 32% the year before.
• In looking at third-party entity level assessments such as anti-money laundering (AML), sanctions, reputation and anti-bribery/corruption, we see a wide distribution between the line of business, TPRM and compliance.
• 71% surveyed were neutral or said they faced challenges with business-unit support in executing program requirements, indicating a continued challenge in business risk culture or understanding of program expectations for third-party management.
Assessment framework
• 80% of organizations reported they spend two days or less on-site when conducting information security and business continuity reviews, and 74% said they spend a day or less on-site conducting regulatory compliance reviews. This continues to be in line with previous years’ results.
• 28% of respondents adopted the Shared Assessments program as a framework, up from 24% the year prior. There was a strong correlation between organizations that used Shared Assessments and those that accept a SIG or AUP to reduce or replace assessment efforts.
• 71% of organizations find that a service organization controls (SOC) 2 report is useful (neutral or above) in reducing or removing the need to perform a review on a third party, up from 52% last year.
• The number of organizations that said they conduct consumer regulatory compliance reviews pre-contract increased to 71% from 47% a year earlier.
• 78% of organizations reported they identify fourth parties within the contracting phase, up from 60% the year before, and 75% identify fourth parties within control assessment activities, up from 71% last year.
• Three-quarters of organizations, up from 36% the year prior, said they rely on third parties to manage and evaluate fourth parties through controls at the third party or contractual terms with the third party to assess and monitor fourth parties.
Technology
• Three-quarters of respondents face challenges in utilizing tools to help execute their assessment programs.
• 39% of organizations use Oracle or Ariba for contracting, but only one of those organizations also uses these systems for facilitating their inherent risk assessment, and only 8% use procurement systems as the third-party population “golden source.”
• While there is no outstanding leader in tools leveraged for third-party assessments, 52% use Archer and Ariba.
• 90% of respondents felt neutral or negative about how well TPRM tools integrate and capture the overall risk for reporting purposes.
Oversight and governance; quality assurance/quality control
• Third-party risk management spending is increasing across the board: 63% of firms plan to boost spending on internal staffing for risk management, and 57% will spend more to improve risk management.
• Most firms plan to increase the scope and depth of assessments within the next year.
• Almost half (49%) said it would take a week or more to pull a report on third parties with specific criteria and 73% said it would take a week or more to forecast contract expiration, indicating a major disconnect between Procurement and TPRM systems.
• Roughly a quarter of organizations said they can run on-demand risk scorecards.
• As in years past, we continue to see few third parties being terminated for breach or failure.
Board reporting and critical third parties
• 35% of organizations surveyed said they report third-party breaches to the board, while 71% report them to senior management. We would expect this to increase going forward as board reporting matures.
• An increasing number of organizations reported critical third parties to the board level: 43%, up from 26% a year earlier.
Termination/exit strategy
• 74% of organizations surveyed said responsibility for the creation of exit strategies falls within the line of business, and nearly half said they document it prior to contract execution.
• 8% of organizations do not have exit strategies as a formal part of their program. However, most were entities with fewer than 25,000 employees.
Regulatory exams
• Similar to data from the previous year, enterprise-critical third parties, oversight and governance, and information security/business continuity assessments were the top three focus points, respectively, for regulatory reviews.
• However, focal points were spread much wider across the data set in 2016, including areas such as onboarding activities, consumer protection and maintenance of third-party inventory — indicating that regulators continue to go deep and wide in their oversight.
Industry outlook
• More than 95% of organizations said they will spend the same or more on TPRM across a number of functional components, showing a continued trend of investment into third-party risk management.
• The top three areas where organizations indicated they would spend more include internal staffing, technology/enablement, and oversight and governance, respectively.
Third-party population
Inventory of third parties
Organizations have focused their efforts to reduce the number of third parties in their total populations. By decreasing their third-party populations, organizations realize economies of scale, operational efficiencies and reduction of risk management costs; this is particularly attractive considering the large number of third parties that may remain active in populations after contractual relationships have ended.
As organizations continue to reduce their third-party inventory, the proportion of third parties subject to risk monitoring has risen. 19% of organizations reported that all third parties require some form of risk assessment in 2014, but that number jumped to 39% in 2016, likely due to the increased scrutiny from the CFPB, Office of the Comptroller of the Currency (OCC) and Federal Reserve Board (FRB) over the last two-plus years.
Businesses with third-party risk management programs active for fewer than five years have the highest proportion of third parties in scope for those programs.
Proportion of third parties in scope for risk
Q5. What percentage of third parties are in scope for your organization’s risk management program?
Proportion of third parties in scope | 2016 (49) | 2014 (32)
Less than 10% | 14% | 16%
10% to 25% | 25% | 31%
26% to 40% | 10% | 22%
41% to 60% | 4% | 6%
61% to 80% | 6% | 6%
81% to 99% | 2% | 0%
All third parties require some form of risk assessment | 39% | 19%
Third-party inventory
Q4. Approximately how many third parties are within your organization's inventory population?
Approximate number of third parties | 2016 (48) | 2014 (34) | 2013 (35)
Less than 10,000 | 73% | 58% | 49%
10,000 to 29,999 | 21% | 31% | 29%
30,000 to 49,999 | 6% | 9% | 14%
59,000 to 69,999 | 0% | 12% | 9%
“We have all third parties that we enter contractual relationships with perform a short inherent risk assessment; a questionnaire that gauges the level of inherent risk that the third parties, product or service can pose on our company.”
— Executive, insurance firm
Risk tiers
Organizations are moving toward a more granular approach when segmenting third parties, rather than a simple “high,” “medium” and “low.” The number of respondents with three risk tiers dropped to 25%, down from 31% the previous year and 43% the year before that. Meanwhile, an increasing number of organizations have four or five risk tiers — 39% and 22%, respectively.
The results indicate that a consensus has emerged — by further segmenting the middle risk tier, organizations are able to make better risk decisions. What organizations have not agreed on is the percentage of third parties in the highest risk tier. 66% of respondents have 15% or less of their third parties in their top tier.
Levels of risk tiers to segment third parties
Q6. How many levels of risk or tiers are used to segment third parties within your organization’s program?
Number of levels/risk tiers | 2016 (49) | 2014 (36) | 2013 (35)
Fewer than 3 | 12% | 11% | 6%
3 levels | 25% | 31% | 43%
4 levels | 39% | 36% | 31%
5 levels | 22% | 17% | 14%
More than 5 | 2% | 6% | 6%
Highest risk tier third parties
Q7. What is the percentage of third parties within your organization’s segmentation model: highest risk (not including the “critical” third parties) and second highest risk?
Proportion of third parties in highest risk tier | 2016 (42) | 2014 (36) | 2013 (35)
Less than 1% | 5% | 8% | 20%
1% to 5% | 31% | 28% | 29%
6% to 10% | 19% | 33% | 23%
11% to 15% | 12% | 22% | 9%
More than 15% | 33% | 8% | 20%
Proportion of third parties in second highest risk tier | 2016 (42) | 2014 (36) | 2013 (35)
Less than 10% | 14% | 19% | 20%
10% to 15% | 21% | 17% | 26%
16% to 20% | 17% | 19% | 9%
21% to 25% | 0% | 11% | 17%
More than 25% | 48% | 33% | 29%
Critical third parties
Fewer third parties on critical list
About 90% of organizations maintain a list of critical third parties. A handful of organizations that generally have less mature third-party risk management programs do not maintain such a list. It should be noted that this was the top focus of regulators in recent reviews, with 44% of organizations denoting it in the top three focus areas during their last regulatory review.
More than 80% of those that maintain a list of critical third parties say their list has fewer than 80. The number of organizations with a list this size has steadily increased over the last three years. The more mature the third-party risk management program, the smaller the list of critical third parties, showing this is an iterative process with continual formalizing, refining and redefining the criteria used to determine what is critical for the specific organization.
“Services that come out of a high-risk rating receive a different set of questions, more detailed. We also require evidence that their controls are actually operating, and look for 20 specific pieces of documentation-based evidence because these have been identified as vendors that present the greatest threat.”
— Executive, banking firm
Number of critical third parties
Q8. How many critical third parties are within the organization’s third-party inventory?
Number of critical third parties | 2016 (46) | 2014 (31) | 2013 (29)
20 or fewer | 33% | 16% | 21%
21 to 40 | 24% | 42% | 38%
41 to 60 | 13% | 10% | 14%
61 to 80 | 13% | 7% | 3%
81 to 100 | 4% | 10% | 7%
More than 100 | 13% | 16% | 17%
Additional oversight
Most of the organizations surveyed said they apply additional oversight and governance activities on critical third parties and increase the scope and frequency of reviews. This aligns with the 90% of organizations reassessing their highest-risk third parties at least annually, the same proportion as two years earlier. Last year, that number dropped to 70%, showing a continued focus on “getting it right” with respect to the highest-risk third parties.
Additional actions applied for critical third parties
Q10. What additional actions are applied, outside of standard management activities, for your critical third parties? Please select all that apply.
Additional action | Total (47)
Additional oversight and governance requirements | 81%
Increased scope of review activities | 75%
Increased frequency of review activities | 75%
Direct reporting to executive management/board | 43%
Dedicated FTE to manage the overall relationship and related services | 36%
Board-level approval of contract terms | 21%
No additional actions; monitoring same as highest rank | 11%
Operating model
Still no resolution on model
Primary ownership of third-party risk management falls within procurement or risk functions at most organizations. There was an even split between the number of organizations surveyed that have a fully centralized third-party risk management program and those that have a hybrid approach, with third-party risk management offices located both centrally and within the business areas.
While there is a trend toward centralized components of most functions, there still is not a “silver bullet” model for how to structure a program within an organization. In many cases, culture will trump process in driving an operating model design that will most appropriately enable the enterprise.
“Even though we coordinate all the reviews, the business owner still remains the first line of defense. We have integrated TPRM into the sourcing process.”
— Executive, banking firm
Structure of TPRM program
Q13A. How is your third-party risk management program structured?
Structure of TPRM program (49)
Centralized — enterprise-wide third-party risk management office | 45%
Hybrid — third-party risk management offices located within the business areas and centrally at the enterprise level | 41%
Decentralized — embeds third-party risk management offices within each business area | 14%
Primary ownership of TPRM function
Q11. What area has primary ownership of the third-party risk management function?
Primary ownership of TPRM function (42)
Procurement | 41%
Operational and enterprise risk | 38%
Information security and Tech and operations (remaining two segments) | 14% and 7%
Risk assessment within the line of businessThe line of business is responsible for completing the inherent risk assessment more than ever before, 53% vs. 32% in 2014, though it varies depending on the structure of the organization’s third-party risk management program. Inherent risk assessments fall within the line of business for about 40% of organizations that take a centralized approach and 86% of organizations that take a decentralized approach.
For many, responsibility spans more than one group. One of four businesses with a hybrid approach to third-party risk management has multiple functions involved in the inherent risk assessment process. Most of those, however, involve the line of business in some way, reinforcing that the business needs to understand and be accountable for the risk.
Responsible for inherent risk assessment
Q14. Who is responsible for completing the inherent risk assessment?
Total | 2016 (49) | 2014 (34) | 2013 (35)
Line of business | 53% | 32% | 34%
Centralized third-party risk management | 14% | (N/A) | (N/A)
Procurement | 8% | 29% | 23%
Information security | 6% | 15% | 23%
Operational risk | 2% | 18% | 20%
Multiple parties | 16% | (N/A) | (N/A)
By structure of TPRM program (2016) | Centralized (22) | Hybrid (20) | Decentralized (7)
Line of business | 41% | 55% | 86%
Centralized third-party risk management | 23% | 10% | 0%
Procurement | 14% | 5% | 0%
Information security | 14% | 0% | 0%
Operational risk | 0% | 5% | 0%
Multiple parties | 9% | 25% | 14%
Escalating third-party issues to the board
71% of third-party breaches are reported to senior management, yet reporting of breaches or incidents typically stops at the senior management level. An alarming two-thirds of organizations surveyed said they do not report on emerging risk or breaches and incidents involving third parties to the board. Despite the lack of incident reporting to the board, an increasing number of businesses reported on critical third parties to the board: 43% up from 26% a year earlier.
While the visual summarizes the data on average, we did not see a high degree of deviation between organizations on these numbers. The average number of full-time employees varied greatly based on the size of the organization and the operating model in place. In many cases, we did see outliers in this metric, as it may be a significant challenge to evaluate the number of true full-time equivalents (FTEs) in hybrid or decentralized models where third-party risk management responsibility may only be a portion of a person’s remit.
Third-party reporting to management
Q17. When reporting on third-party risk management, what is the level of escalation for each type of report? Please select all that apply.
Level of escalation for third-party reporting (49)
Report type | Board of directors | Senior bank management | Business area lead bank management | Third-party relationship manager | No reporting
Critical third parties | 43% | 71% | 49% | 43% | 6%
Third parties with breaches or incidents | 35% | 71% | 63% | 59% | 4%
Third parties with the highest residual risk | 31% | 55% | 47% | 43% | 22%
Operational metrics of the program | 26% | 61% | 47% | 47% | 8%
Third parties with noted significant issues | 22% | 71% | 55% | 55% | 6%
Third parties with the highest level of inherent risk | 20% | 63% | 49% | 47% | 12%
Non-compliant third parties | 18% | 57% | 59% | 55% | 10%
Third parties with control issues that are past-due | 12% | 65% | 55% | 55% | 12%
All third parties | 8% | 31% | 41% | 53% | 22%
New third parties | 6% | 27% | 45% | 59% | 16%
Third parties related to an emerging risk | 4% | 49% | 47% | 45% | 27%
Third parties about to be terminated | 4% | 45% | 55% | 57% | 18%
Among the top 10 banks surveyed, we saw an average of one assessment FTE per 200 third parties actively risk managed. For governance or a “core” third-party team, this was one FTE per 240 third parties actively risk managed. However, within this data set there was a very wide range for both, from 1:15 to 1:1,000. There did seem to be a clear average among this group in size, regardless of third-party population, with 50 FTEs supporting assessment functions and 40 FTEs in core functions after the high and low values were removed.
We did not see any clear correlations or “golden ratios” for staffing outside of this group, signaling that organizations are still trying to figure out the right staffing model. Banks may have leaned more heavily on people than technology when addressing program challenges, indicated by a low percentage of organizations that feel they have fully integrated supporting systems for third-party risk management.
“How we deal with [failures], how we understand the risk and how we learn from it, I know that’s something the board is definitely focused on.”
— Executive, banking firm
Assessment framework
Full day or less on-site visits become more commonplace
More than half of the organizations surveyed said they do not spend more than a half-day conducting on-site information security, regulatory compliance or business continuity reviews. This duration was unexpected given the current regulatory environment and focus on compliance. The time spent is significantly less than in 2013, when more than two-thirds of the organizations reported that on-site reviews lasted at least a full day. In many cases, this could be driven by process efficiencies and an increased maturity of the third-party community the second and third times around, but this could also indicate assessment functions becoming “box-checking” functions as opposed to robust third-party risk management activities.
Combined reviews are the most time-consuming to complete; however, the benefits of combining multiple assessment efforts into one would indicate a reduction in the overall end-to-end time and effort. More than half of those surveyed reported spending at least two days on-site for them.
Duration of on-site reviews
Q21. When conducting an on-site review at a third-party site, what is the typical duration of the site visit for each of the following components of the review (excluding travel)?
Review type | Less than half-day | Full day | Two days | Three days | More than three days
Regulatory compliance review (46) | 54% | 20% | 13% | 11% | 2%
Business continuity review (46) | 52% | 37% | 9% | 2% | 0%
Information security review (47) | 23% | 43% | 26% | 6% | 2%
Combined IS/BC/RC review (44) | 18% | 27% | 34% | 7% | 14%
Control questionnaires shortened as third-party risk management programs mature
Organizations with more mature third-party risk management programs are beginning to recognize that shortening their control self-assessment questionnaires, especially in the due diligence stage, can increase focus on the higher areas of risk and minimize the burden on business stakeholders and third parties. The risk-based approach minimizes delays in deal execution and the number of low-risk findings that are typically risk accepted. Two-thirds of organizations whose third-party risk management programs have been in place for more than five years use fewer than 250 questions. While we have seen a decrease in number of questions, we have also seen an increase in the documentation and evidence review expectations as organizations put a focus on validating third-party responses.
One approach organizations are using to make the questionnaires more efficient is to develop a more targeted set of questions that apply to the specific third party and the level of risk it poses to the organization. In addition, we see a trend in differentiating between the level of effort in due diligence and the level of effort in ongoing monitoring; the due diligence efforts are more focused on the highest risk factors to the organization.
Full-length control self-assessment questionnaire
Q22. How many questions are within your organization’s full-length control self-assessment questionnaires that are used to assess the highest-risk third parties?
Year-over-year comparison | 2016 (48) | 2014 (36) | 2013 (35)
Fewer than 50 questions | 8% | 22% | 14%
51 to 100 questions | 21% | 8% | 23%
101 to 250 questions | 33% | 39% | 20%
251 to 500 questions | 27% | 14% | 37%
More than 500 questions | 10% | 17% | 6%
By TPRM program maturity | More than 5 years (17) | 3 to fewer than 5 years (15) | Fewer than 3 years (16)
Fewer than 50 questions | 0% | 7% | 19%
51 to 100 questions | 35% | 0% | 25%
101 to 250 questions | 35% | 40% | 25%
251 to 500 questions | 18% | 40% | 25%
More than 500 questions | 12% | 13% | 6%
“Yes, we are actively shortening questions for our third parties …the questions have reduced, but the documentation has increased.”
— Executive, financial services firm
Industry standards
Large organizations tend to rely more on proprietary standards when designing their self-assessment questionnaires, as many of these programs were developed before standard frameworks emerged. However, as organizations mature and begin to realize the value of industry-wide frameworks, we have started to see some migration toward adoption of standards.
Typically, organizations rely on Shared Assessments and, to a lesser degree, International Organization for Standardization (ISO) and/or National Institute of Standards and Technology (NIST) standards. 28% of firms use Shared Assessments as a baseline for control self-assessment questionnaires, up from 24% last year and 17% the year before that. Meanwhile, the share of firms using ISO and NIST has dropped from 23% to 21% to 16% over the last three years.
While there is a sense of optimism in this area, we still recognize that 10 out of 14 organizations surveyed said it is unlikely that the industry could ever agree on common standards. SOC 2 reports are perceived as the most useful reports for reducing the need for control self-assessments; 71% of organizations find that a SOC 2 report is useful in reducing or removing the need to perform a review on a third party, up from 52% last year.
Usefulness of reports in reducing need for control assessment
Q24. On a 5-point scale, with 1 = not at all useful and 5 = extremely useful, when considering the need to perform a control review, which of the reports listed below are the most useful in reducing or removing the need to perform a review on a third party?
(columns: extremely useful | useful | not useful)
SOC 2 (44): 46% | 25% | 29%
Shared Assessments SIG (42): 26% | 31% | 43%
PCI certification (44): 23% | 25% | 52%
NIST (43): 21% | 23% | 56%
SOC 1 or ISAE 3402 (43): 21% | 37% | 42%
ISO certification (44): 14% | 32% | 55%
Shared Assessments AUP (40): 13% | 40% | 48%
Regulatory risk and compliance control assessment
More than half (58%) of the organizations surveyed said that less than 10% of their third parties expose the organization to regulatory risk (specifically consumer compliance), while nearly all conduct compliance control assessments. More than 70% reported conducting compliance control assessments pre-contract, compared with 47% the previous year, showing a much larger focus on understanding compliance risk before formally entering into a third-party arrangement. 57% of organizations also conduct assessments post-contract.
Two-thirds of organizations conduct individual transaction assessments, going beyond the control structures themselves, and most perform them post-contract.
In our interviews, we noted that Compliance plays a number of roles within the overall program. In many cases it provides anti-money laundering (AML), anti-bribery and corruption (ABC) and Office of Foreign Assets Control (OFAC) screening, in addition to second-line oversight of compliance risk within the businesses and of the overall structure of third-party risk management program requirements in line with regulatory guidance.
Exposure to regulatory risk/consumer compliance
Q28. What percentage of third parties expose the organization to regulatory risk, specifically consumer compliance?
By industry (columns: Total (48) | Asset management (6) | Banking and capital markets (39) | Insurance (3))
Less than 5%: 23% | 50% | 18% | 33%
5% to 10%: 35% | 33% | 33% | 67%
More than 10%: 42% | 17% | 49% | 0%

Conducting regulatory compliance reviews
Q29. When are regulatory compliance reviews conducted? Please select all that apply.
Total (49) (columns: compliance control assessments | individual transactional assessments)
Pre-contract: 71% | 27%
Post-contract: 57% | 49%
Not performed: 4% | 16%
Not applicable: 10% | 20%
“We have a Compliance Functional Group that is made up of two groups of subject-matter experts, one dealing with banking and the other with corporate compliance. Outside of that is an anti-money laundering group. So each of our third parties, as applicable, will get a review by these three disciplines.”
— Executive, banking firm
Identifying and tracking fourth parties
Nearly 90% of organizations surveyed said they identify or maintain an inventory of fourth parties. This is an improvement from the 2014 survey, when one-quarter were not actively tracking fourth-party data, and a sign of a maturing industry. Information is usually gathered pre-contract or during the control assessment, and it is now more often accounted for in the contractual terms with the third party.
In addition, we saw a large jump in reliance on the controls at the third party to actively monitor the fourth party, from 36% to 75%.

Assessing and monitoring fourth parties
Q31. How does your organization assess/monitor fourth parties? Please select all that apply.
(columns: 2016 (48) | 2014 (25))
Rely on the controls at the third party to actively monitor the fourth party: 75% | 36%
Rely on contractual terms established with the third party: 73% | N/A
Rely on contractual terms between the third-party and the fourth-party organization: 56% | 84%
Rely on the relationship manager program: 8% | 56%

Concentration risk
Concentration of a specific service as well as geographic concentration have emerged as key considerations in third-party risk management. Smaller organizations are more likely to look at reverse concentration, that is, how much their own business matters to the third party, while larger businesses focus more on the concentration of spend within third parties. This is an interesting observation, especially in light of the Federal Financial Institutions Examination Council (FFIEC) guidance regarding concentration risk related to service availability.

Assessing concentration risk
Q32. What factors are currently considered in the assessment of concentration risk?
(columns: Total (48) | by size of firm: 25,000 or more (20) | fewer than 25,000 (28))
Concentration of a specific service: 60% | 65% | 57%
Geographic concentration: 50% | 50% | 50%
Reverse concentration (i.e., the organization comprises a significant amount of business to the service provider): 48% | 40% | 54%
Concentration of spend: 38% | 50% | 29%
Fourth-party concentration: 17% | 10% | 21%
“We look at the impact a vendor would have on us. Would it impact the entire enterprise, multiple business units? But we also look at the dependency flip side. In other words, what’s the dependency of the vendor on us for their revenue?”
— Executive, financial services firm
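The five concentration factors the survey lists (specific service, geographic, reverse, spend and fourth-party concentration) each reduce to a share or a count over the third-party inventory that can be compared with a predefined threshold. The following is an added illustration written for this page, not survey material or any firm's tooling: the inventory records, field names (`service`, `location`, `annual_spend`, `share_of_provider_revenue`, `fourth_parties`) and the threshold values are constructed assumptions chosen to exercise every factor once.

```python
"""Concentration-risk screen over a third-party inventory.

Added illustration, not from the EY survey: computes the five concentration
factors the survey lists (specific service, geographic, reverse, spend and
fourth-party concentration) over a constructed inventory and flags entries
that cross configurable thresholds. Records, field names and thresholds are
assumptions made for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ThirdParty:
    name: str
    service: str                      # service category delivered to us
    location: str                     # primary delivery location
    annual_spend: float               # what we pay the provider per year
    share_of_provider_revenue: float  # fraction of the provider's revenue we represent
    fourth_parties: list = field(default_factory=list)  # subcontractors the provider depends on


# Constructed sample inventory (not survey data).
INVENTORY = [
    ThirdParty("Alpha Cloud", "hosting", "US-East", 4_000_000, 0.02, ["Omega DC"]),
    ThirdParty("Beta Payments", "payments", "Ireland", 2_500_000, 0.35, ["Omega DC"]),
    ThirdParty("Gamma KYC", "kyc-screening", "India", 900_000, 0.10, []),
    ThirdParty("Delta Print", "statement-printing", "India", 300_000, 0.60, ["Omega DC"]),
    ThirdParty("Epsilon Legal", "legal", "US-East", 1_300_000, 0.05, []),
    ThirdParty("Zeta Legal", "legal", "UK", 1_000_000, 0.04, []),
]

# Assumed thresholds; a real program would set these per risk appetite.
THRESHOLDS = {
    "service_single_provider": True,   # flag services with exactly one provider (no fallback)
    "location_spend_share": 0.40,      # flag delivery locations carrying >= 40% of spend
    "reverse_revenue_share": 0.25,     # flag providers for which we are >= 25% of their revenue
    "vendor_spend_share": 0.30,        # flag providers receiving >= 30% of our total spend
    "fourth_party_min_dependents": 3,  # flag fourth parties shared by >= 3 of our providers
}


def spend_share_by(inventory, key):
    """Fraction of total annual spend attributable to each distinct value of `key`."""
    total = sum(tp.annual_spend for tp in inventory)
    shares = defaultdict(float)
    for tp in inventory:
        shares[getattr(tp, key)] += tp.annual_spend / total
    return dict(shares)


def assess_concentration(inventory, thresholds=THRESHOLDS):
    """Return {factor: sorted list of flagged items} for the five concentration factors."""
    findings = defaultdict(list)

    # 1. Concentration of a specific service: one provider means no alternative supplier.
    providers = defaultdict(list)
    for tp in inventory:
        providers[tp.service].append(tp.name)
    if thresholds["service_single_provider"]:
        findings["service"] = [s for s, p in providers.items() if len(p) == 1]

    # 2. Geographic concentration: spend share per delivery location.
    for loc, share in spend_share_by(inventory, "location").items():
        if share >= thresholds["location_spend_share"]:
            findings["geographic"].append((loc, round(share, 3)))

    # 3. Reverse concentration: the provider depends heavily on our business.
    for tp in inventory:
        if tp.share_of_provider_revenue >= thresholds["reverse_revenue_share"]:
            findings["reverse"].append((tp.name, tp.share_of_provider_revenue))

    # 4. Concentration of spend: one provider absorbs a large share of our budget.
    for name, share in spend_share_by(inventory, "name").items():
        if share >= thresholds["vendor_spend_share"]:
            findings["spend"].append((name, round(share, 3)))

    # 5. Fourth-party concentration: several of our providers share one subcontractor.
    dependents = defaultdict(set)
    for tp in inventory:
        for fp in tp.fourth_parties:
            dependents[fp].add(tp.name)
    for fp, names in dependents.items():
        if len(names) >= thresholds["fourth_party_min_dependents"]:
            findings["fourth_party"].append((fp, sorted(names)))

    return {factor: sorted(items) for factor, items in findings.items()}


if __name__ == "__main__":
    for factor, items in assess_concentration(INVENTORY).items():
        print(f"{factor}: {items}")
```

On the constructed data the screen flags US-East as a geographic concentration (53% of spend), Alpha Cloud as a spend concentration (40%), Beta Payments and Delta Print as reverse concentrations, and Omega DC as a fourth party that three separate providers depend on, which is exactly the kind of dependency the contract terms with a single third party would not reveal.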
Termination/exit strategy
Line of business and exit strategy
Three-quarters of the respondents said the line of business is responsible for documenting the exit strategy for each of their third parties. About half document this during due diligence, and 30% do so post-contract. We consider creating exit strategies earlier in the process a leading practice, since documenting them post-contract tends to make the activity reactive.
Organizations, on average, terminated two third parties because of control issues in the past year; five did so based on performance and fewer than one due to a specific incident or breach. This continues to be a very low number on average year over year, either showing that few organizations have taken strict action to address third-party issues or illustrating that the program has some ability to steer risk-managed business decisions before termination becomes necessary.
On average, the typical organization terminated 51 third parties as part of consolidation efforts, which shows a small, positive trend in third-party base reduction. In many cases, these efforts have been concentrated in certain commodity services (e.g., law firms).
Oversight and governance; quality assurance/quality control
Oversight and governance
Oversight and governance continues to be the number one or number two item of focus from a regulator perspective, as mature and compliant functions lean heavily on this portion of the program to instill program compliance and to identify issues or challenges throughout the end-to-end function. Where organizations have struggled to meet program expectations, we commonly find underlying weaknesses in the oversight and governance function.
Reporting for operational and governance purposes continues to be an indicator of the maturity of a healthy third-party risk management program. Reporting contributes not only to understanding program health, but to illustrating the value and efficiency of the function to senior management and above. In line with that, 78% said reporting to the board of directors is an important part of their organization’s oversight and governance program, but only a handful of organizations said reporting on third parties, across a number of surveyed topics/metrics, actually made it up to the board, showing strong intent but a lesser degree of tangible maturity.
Where we do see a high degree of real-time reporting ability is in the area of critical third-party populations and the forecast of upcoming control assessments. However, real-time reporting across a number of the criteria or metrics in the figure below is still a considerable challenge for financial services organizations.
Ability to report
Q37. How quickly would your organization be able to report on the following?
(columns: easy, on demand | possible, 1 week | difficult, more than 1 week | unable to report)
Contracts with incentive compensation structures (47): 4% | 23% | 43% | 30%
Presence of concentration risk related to predefined risk thresholds (46): 7% | 24% | 44% | 26%
Forecasting of contract expiration (48): 19% | 35% | 38% | 8%
Services with global delivery locations (47): 23% | 38% | 23% | 15%
Third-party risk scorecard/profile across all applicable risk and performance domains: 26% | 19% | 36% | 19%
Risk treatment distribution (i.e., amount accepted or remediated) (48): 31% | 29% | 23% | 17%
Population of third parties based on specific criteria (i.e., business area, location, service) (49): 39% | 29% | 20% | 12%
Identification of upcoming remediation plan due dates (49): 41% | 25% | 20% | 14%
Customer/consumer-facing third parties (49): 41% | 33% | 18% | 8%
Forecasting of upcoming control assessments (to be conducted in the next quarter) (49): 51% | 33% | 10% | 6%
Population of critical third parties (49): 63% | 29% | 6% | 2%
Quality assurance/quality control (QA/QC)
Organizations are performing an increasingly wide variety of QA/QC activities as part of their oversight and governance programs, a sign of their increasing maturity. Third-party risk classification has become progressively more important in determining the scope of review for QA activities; this helps explain why organizations are now adding additional layers to their risk tiers, which lets them apply focused governance to the higher tiers rather than taking an all-or-nothing approach with a single high-risk tier.
The levels of inherent and residual risk of the third party, as well as known areas of non-compliance, are also becoming more important. While QA/QC functions continue to increase in maturity at organizations whose programs are more than three years old, 40% of organizations with relatively new third-party risk management programs noted they did not have a quality assurance function, illustrating that this is one of the last portions of program establishment to be considered.
Functional components in scope for QA of the TPRM program
Q39. What functional components of the program are in scope for the quality assurance function of the third-party risk management program? Please select all that apply.
By firm size (columns: 25,000 or more (15) | fewer than 25,000 (18))
Control assessments and related evidence: 93% | 83%
Inherent risk assessments: 73% | 83%
Issues and action plans: 80% | 61%
Known areas of program non-compliance: 73% | 56%

Determining scope of review for QA activities
Q40. When executing quality assurance activities on the third-party risk management program, how is the scope of the review determined and the population selected? Please select all that apply.
Total (columns: 2016 (35) | 2014 (34) | 2013 (35))
Third-party risk classification: 69% | 53% | 40%
Level of inherent risk: 54% | 44% | 37%
Level of residual risk: 43% | 21% | 14%
Random sample: 37% | 50% | 26%
Known areas of program non-compliance: 37% | 29% | 26%
Regulatory exams
Regulators are increasingly focused on enterprise-critical third parties. The organizations we surveyed ranked enterprise-critical third parties as the most important focus area for regulators, compared with the fourth most important focal area in the previous year’s survey and eighth most important the year before that.
While oversight and governance procedures, information security and business continuity still rank highly, it is evident regulators are spending more time looking at critical third parties.
It also appears that regulators are going broader and deeper in their assessments, showing a greater level of knowledge and maturity in the regulatory oversight teams performing the exams. Because of this shift, organizations should be knowledgeable about and conversant with every piece of the end-to-end function across the lines of defense and have a clear perspective on the strategic direction of their program over the next 6 to 12 months.
Regulatory body review focus areas
Q41. During your organization’s most recent regulatory body review, what were the 2 to 3 most important areas of focus?
Total (48); rank in importance in 2014 and 2013 shown for the top three.
Enterprise-critical third parties: 44% (rank 4 in 2014, 8 in 2013)
Oversight and governance: 44% (rank 2 in 2014, 1 in 2013)
Third-party assessments: information security and business continuity: 38% (rank 3 in 2014, 5 in 2013)
Maintenance of third-party inventory: 21%
Third-party assessments: compliance: 19%
Third-party assessments: performance: 19%
Inherent risk assessment: 17%
Onboarding activities: 15%
Issue management and/or risk acceptance: 13%
Consumer protection: 13%
Privacy/confidentiality: 13%
Foreign-based third parties: 10%
Fourth-party oversight: 8%
Operating models: 8%
Residual risk model: 6%
“However, they [regulators] did challenge us with how the program is to grow and mature throughout our organization and whether or not we are considering the increased resource requirements in that growth model.”
— Executive, financial services firm
Technology
Even with broader third-party risk management reporting systems, there is still relatively little integration of tools and technology across the end-to-end third-party risk management process. Organizations surveyed were less satisfied overall with the level of tool integration in 2016 than they were in 2014, a step backward compared with other program elements; this potentially indicates growing frustration in the industry with the lack of a “best in class” tool set. A number of organizations have migrated to a new tool in the past year without any single system showing strong growth. In many cases, this may be driven by challenges in the underlying business process and amplified by a tool decision that is not the most suitable for the organization.
No single third-party tool was used by more than one-third of organizations. The most frequent response for managing risk reporting is a proprietary solution. Use of proprietary technology increased from 9% in 2014 to almost one-quarter of organizations in 2016, indicating a strong market need for a more collaborative, process-focused integrated solution.
Fewer organizations than the 50% reported a year earlier said they use spreadsheets to track issues and exceptions, yet spreadsheets remain the second most common method overall and the most common among organizations with new third-party risk management programs. Surprisingly, 35% of organizations whose third-party risk management programs have been in place for more than five years still use spreadsheets, and 69% of firms whose programs have been in place for fewer than three years use them.
Tracking issues with spreadsheets
The organizations that are moving away from spreadsheets typically have an enterprise-level issue management system or a centralized third-party program-specific tool. Even those with the most mature third-party risk management programs may track and store issues within the assessments themselves, which constrains reporting capabilities and hampers efficient and effective issue management.
Nearly all organizations surveyed identified fewer than 10 issues per third-party control assessment, while only 6% identified between 11 and 20 issues. These numbers continue to fall year over year, which offers some optimism about third-party control structures. However, the decrease in question set size may be contributing to this as well. The downward trend also raises the concern that third parties have simply become better at answering questionnaires, rather than better at proactive risk, threat and vulnerability management.
Use of tools
Q45. What technology/tool does your organization use for each of the following functions?
Use of tools (46) (columns: Archer | BWise | Oracle | Ariba | SAP | Hiperos | Proprietary | Other)
Sourcing activity: 7% | 2% | 9% | 33% | 7% | 7% | 22% | 22%
Inherent risk assessment: 26% | 2% | 2% | 2% | 2% | 13% | 33% | 17%
Contract repository: 4% | 2% | 9% | 30% | 7% | 0% | 22% | 26%
Primary third-party inventory: 26% | 2% | 4% | 4% | 4% | 11% | 26% | 26%
Control assessment facilitation tool: 30% | 2% | 0% | 0% | 0% | 13% | 24% | 20%
Issue management tool: 26% | 7% | 2% | 0% | 0% | 9% | 28% | 24%
Reporting tool integration
Q46. On a scale of 1 to 5, with 1 = not at all integrated and 5 = fully integrated, how well do the above tools integrate and capture the overall risk for reporting purposes?
(columns run from fully integrated on the left to not at all integrated on the right)
2014 (35): 12% | 34% | 54%
2016 (48): 11% | 27% | 63%

Inbound third-party management
Service organizations continue to be inundated with inbound requests to complete third-party control assessments. Nearly half of the organizations surveyed, the vast majority of which are themselves similarly regulated financial institutions, said they receive at least 50 inbound requests a year to complete third-party control assessment questionnaires from other banks, signaling an opportunity for an industry solution on common ground. Firms typically dedicate four to five FTEs to responding to these requests, most of which are remote/desktop reviews rather than on-site.
Q42. Approximately how many inbound requests for completion of third-party control assessment questionnaires does your organization receive annually?
Number of inbound requests annually (45)
Fewer than 50: 56%
50 to 150: 13%
150 to 300: 18%
More than 300: 13%
Q43. What percentage of inbound requests are on-site third-party reviews versus desk-based/remote reviews?
On-site vs. remote/desktop reviews (33)
On-site reviews: 15%
Remote/desktop reviews: 85%
Industry outlook
The two greatest challenges: technology and knowledge
On the technology side, a number of organizations have gravitated toward workflow management systems in combination with typical contracting, GRC, risk and issue-management platforms to piece together the ecosystem of platforms necessary to address the end-to-end process challenge. We have also seen an increase in the acceptance and use of Software as a Service (SaaS) based platforms.
More than 40% of the organizations surveyed stated that the lack of knowledge across functions and business areas, as well as the tools they have to execute their assessment programs, pose significant challenges to their third-party risk management programs. This is not unexpected, given that there is no widely accepted set of industry standards and many organizations are relying heavily on spreadsheets.
As operating models continue to shift and change to fit the growing needs of organizations, functions place an increasingly large expectation on the first line of defense to own and manage the risks posed by third-party relationships. Enhancing risk awareness, training and culture is therefore critical to the continued growth in maturity of third-party risk management functions.
Challenges
Q20. On a 5-point scale, with 1 = no difficulty and 5 = significant difficulty, what degree of difficulty does your organization face in addressing each of these potential challenges related to your third-party risk management program?
Total (49) (columns: no difficulty | significant difficulty)
Utilizing a tool to assist in the execution of the assessment program: 25% | 47%
Appropriate skillset/knowledge/experience across each of the functional components and business areas: 35% | 41%
Clarity of responsibilities for third-party activities across your organization: 25% | 35%
Integration between risk management and procurement process: 35% | 35%
Organizational change causing significant addition/change to the scope of the program: 41% | 35%
Business unit support for third-party assessment activities: 29% | 33%
Variability of assessment date/inability to distribute the assessments throughout the year: 43% | 27%
Understanding the scope of the third-party service prior to conducting control assessment: 35% | 20%
Approval of material changes to contract terms by Legal/General Counsel: 63% | 16%
All of the organizations surveyed stated that management recognizes the importance of the third-party risk function and is providing strong support in the form of new investments and increased resources to help meet regulator expectations. Many organizations plan to increase their spending on human capital, in line with the findings from a year ago. Additionally, 54% said they plan to spend more on technology, up from 40% a year earlier.
Third-party risk management is a growing domain that is still moving toward maturity. But the fact that few organizations plan to cut back in any area of their programs, and that many are seeking to bolster their programs with additional investment, indicates that businesses understand the significance of this discipline and will continue to prioritize it.
Areas of investment
Q47. Compared to the current year, does your organization plan to spend more, less or the same amount for the following activities?
Planned changes in TPRM spending, 2016 (46) (columns: spend less | spend more)
Internal staffing: TPRM: 7% | 57%
TPRM technology enablement: 7% | 54%
TPRM oversight and governance: 7% | 50%
Procurement process: 15% | 46%
Third-party on-site assessments: 7% | 46%
Internal staffing: third-party relationship management: 9% | 39%
Updating TPRM methodology: 9% | 39%
TPRM audit or regulatory remediation requirements: 7% | 35%
Third-party remote assessments: 7% | 33%

Planned changes in TPRM spending, 2014 (35) (columns: spend less | spend more)
Internal staffing: TPRM: 3% | 63%
TPRM oversight and governance: 3% | 46%
Internal staffing: third-party relationship management: 3% | 46%
Third-party on-site assessments: 6% | 43%
TPRM technology enablement: 3% | 40%
TPRM audit or regulatory remediation requirements: 6% | 37%
Procurement process: 0% | 32%
Third-party remote assessments: 9% | 29%
Updating TPRM methodology: N/A | N/A
Want to learn more?
Turning risk into results: how leading companies use risk management to fuel better performance (Insights on governance, risk and compliance, December 2013). This study explores EY’s experience with clients, which shows that turning risk into results requires a multifaceted approach.
Creating trust in the digital world. Our 2015 Global Information Security Survey (GISS) provides insights from 1,755 participants and investigates the most important cybersecurity issues facing business today.
Regulating from within bank strategy. The Banker’s special January 2016 edition in association with EY.
Maximizing value from your lines of defense: a pragmatic approach to establishing and optimizing your LOD model. The current economic environment and significant risk events over the last few years have caused companies to renew their focus on the effectiveness of risk management.
EY contacts
Matthew Moog Principal Ernst & Young LLP +1 212 773 2096 [email protected]
Chris Ritterbush Executive Director Ernst & Young LLP +1 212 773 4489 [email protected]
Please visit us at ey.com
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
EY is a leader in serving the global financial services marketplace
Nearly 35,000 EY financial services professionals around the world provide integrated assurance, tax, transaction and advisory services to our asset management, banking, capital markets and insurance clients. In the Americas, EY is the only public accounting organization with a separate business unit dedicated to the financial services marketplace. Created in 2000, the Americas Financial Services Organization today includes more than 6,500 professionals at member firms in over 50 locations throughout the US, the Caribbean and Latin America.
EY professionals in our financial services practices worldwide align with key global industry groups, including EY’s Global Asset Management Center, Global Banking & Capital Markets Center, Global Insurance Center and Global Private Equity Center, which act as hubs for sharing industry-focused knowledge on current and emerging trends and regulations in order to help our clients address key issues. Our practitioners span many disciplines and provide a well-rounded understanding of business issues and challenges, as well as integrated services to our clients.
With a global presence and industry-focused advice, EY’s financial services professionals provide high-quality assurance, tax, transaction and advisory services, including operations, process improvement, risk and technology, to financial services companies worldwide.
© 2016 EYGM Limited All Rights Reserved.
SCORE No. 01451-161Gbl1604-1908450 BD FSOED none
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.
ey.com