Shifting toward maturity Key findings from EY’s 2016 financial services third-party risk management survey June 2016


Table of contents

About EY’s third-party risk management survey
Introduction
Executive summary
Market trends
Third-party population
Critical third parties
Operating model
Assessment framework
Termination/exit strategy
Oversight and governance; quality assurance/quality control
Regulatory exams
Technology
Inbound third-party management
Industry outlook


Introduction

In the financial services sector, this is the fifth third-party risk management (TPRM) survey EY has conducted. The survey population this year saw its greatest single increase in participants, which led to shifts in the year-over-year trend results, most notably in the areas of functional program ownership moving slightly to favor Procurement, third-party inventory reductions in overall population, and technology integration with maturity in this space decreasing overall.

As in previous years, protecting customer information, reputation and brand, as well as regulatory compliance, remain the most important drivers when assessing third-party controls. The purpose of the survey is to provide financial services firms with unique insight into third-party risk management strategies and provide perspectives on industry trends that can assist them in developing successful third-party risk management programs as the industry moves toward maturity.

In our annual survey, we asked participants to respond to questions across several key areas of their third-party risk management programs:

• Third-party population
• Operating model
• Critical third parties
• Assessment framework
• Termination/exit strategies
• Oversight and governance; quality assurance/quality control
• Regulatory exams
• Technology
• Inbound third party
• Industry outlook

Here we share with you the results of this survey and evolving third-party management trends. We look forward to discussing this report with you and sharing our outlook on third-party risk management in the financial services industry.

About EY’s third-party risk management survey

“You get smarter as you go along. I would say that team upgrade is on our radar ... but now as the program has been implemented, as we’re tuning it and evolving it, we’re finding that some of our roles are evolving in a way that had not been anticipated. When you’re in the mode of design, develop, build, implement, it’s about getting it done … and now the focus is on deeper quality, too. More seasoned, more analytical versus doing.”

— Executive, banking firm

Between October and December of 2015, EY surveyed 49 global financial services organizations with third-party risk functions in the retail and commercial banking, investment banking, insurance, and wealth and asset management sectors. The purpose of the survey was to address the distinctive nature of managing third-party risk in the financial services industry.

57% of the companies surveyed had fewer than 25,000 employees. This differs from last year’s survey, where 39% of firms had fewer than 25,000 employees and more than half had greater than 50,000 employees. Of those surveyed, about a third have had third-party risk management programs in place for more than five years, a third for three to five years and a third for fewer than three years.

The results of the survey are in the sections that follow.


Executive summary

Financial services organizations continue to make significant strides in managing third-party risk, even as challenges persist in the areas of overall organizational knowledge, right-sizing staffing models, optimizing cycle times and integrating technologies across the end-to-end third-party life cycle.

Shifting toward maturity found that organizations have finally absorbed the initial impact of sweeping regulatory change in 2013 and 2014 and have solved for core process expectations; however, many organizations are still adjusting the scope and scale of their risk management programs. Such scrutiny has pushed banking organizations ahead of their insurance and asset management counterparts with respect to maturity. At the same time, survey respondents cited a lack of knowledge across business functions and a pervasiveness of disintegration across third-party (risk) management tools as significant barriers to greater progress and a focus for the coming year.

“Given the increased regulatory scrutiny, it is not surprising that organizations are taking a closer look at their third-party populations, bringing more of them under the scope of their programs, and focusing more closely on risk segmentation,” said Chris Ritterbush, Executive Director, Ernst & Young LLP. “In this respect, financial services organizations are doing a better job of getting their arms around third-party risk. But there is still a lot to be done, especially in knowledge sharing across business areas and technology, where many organizations continue to rely heavily on spreadsheets to conduct vendor assessments.”

Highlights from this year’s survey:

• 90% of respondents felt neutral or negative about how well TPRM tools integrate and capture the overall risk for reporting purposes.

• 41% of organizations said that primary ownership of third-party risk management resides within the procurement organization, up from 26% in 2014, while 38% place it within enterprise or operational risk.

• 71% of respondents said they were either neutral or faced challenges with business unit support in executing program requirements, indicating continued challenges in the areas of business risk culture.

• A third (35%) of respondents said they report third-party breaches to the board, while 71% report them to senior management. In a sign of progress, however, 43% said they report critical third parties to board level, up from 26%.

• 71% of organizations said they conduct regulatory compliance reviews pre-contract, up from 47% in 2014.

• Nearly half of all organizations polled (49%) said it would take a week or more to pull a report on third parties using specific criteria, indicating a data challenge underpinned by a disconnect between procurement and third-party risk management systems.

• 39% of organizations surveyed reported that all third parties require some form of risk assessment, a significant increase from 19% in EY’s most recent SRM survey (2014).

In response to the technology and reporting challenges cited in the survey, organizations have committed to increasing their overall third-party risk management budgets, with more than 95% of organizations indicating that they intend to spend the same or more across a number of functional components, including internal staffing, technology/enablement and oversight/governance.

“It is encouraging to see that management has recognized the importance of managing third-party risk and has committed to increasing their investments and resources to help organizations meet the expectations of customers, clients, shareholders and regulators,” added Ritterbush.


Market trends

Third-party population

• 39% of respondents said all of their third parties fall within the scope of their third-party risk management program, up from 19% in 2014. Though fewer firms (36) were surveyed last year, it is a strong indication that organizations are continuing to revisit the third-party population to re-profile.

• Of the remaining 61%, two-thirds indicated that less than a quarter of their third-party population is in scope for the organization’s third-party risk management program, which is a significant increase from the 10%–15% of the population that has been a stable data point over the last three years.

• Approximately 86% separate third parties into three to five risk segments or tiers.

• The majority (83%) of those surveyed have a critical third-party list that is 80 third parties or less; interestingly, this has been observed regardless of the size of the organization or third-party population.

• 85% of organizations indicated that less than a quarter of their risk-managed population posed consumer protection risk to the organization, as defined by the Consumer Financial Protection Bureau (CFPB).

Operating model

• 41% of organizations said primary ownership of the third-party risk management function falls within procurement (first line of defense), up from 26% the year prior. 38% place it within enterprise or operational risk (second line of defense).

• Only 14% reported their program is fully decentralized, representing a strong movement toward centralized (45%) models and hybrid (41%) models.

• Primary ownership of inherent risk assessments fell within the line of business for an increasing number of organizations — 53% compared with 32% the year before.

• In looking at third-party entity level assessments such as anti-money laundering (AML), sanctions, reputation and anti-bribery/corruption, we see a wide distribution between the line of business, TPRM and compliance.

• 71% surveyed were neutral or said they faced challenges with business-unit support in executing program requirements, indicating a continued challenge in business risk culture or understanding of program expectations for third-party management.

Assessment framework

• 80% of organizations reported they spend two days or less on-site when conducting information security and business continuity reviews, and 74% said they spend a day or less on-site conducting regulatory compliance reviews. This continues to be in line with previous years’ results.

• 28% of respondents adopted the Shared Assessments program as a framework, up from 24% the year prior. There was a strong correlation between organizations that used Shared Assessments and those that accept a SIG or AUP to reduce or replace assessment efforts.

• 71% of organizations find that a service organization controls (SOC) 2 report is useful (neutral or above) in reducing or removing the need to perform a review on a third party, up from 52% last year.

• The number of organizations that said they conduct consumer regulatory compliance reviews pre-contract increased to 71% from 47% a year earlier.

• 78% of organizations reported they identify fourth parties within the contracting phase, up from 60% the year before, and 75% identify fourth parties within control assessment activities, up from 71% last year.

• Three-quarters of organizations, up from 36% the year prior, said they rely on third parties to manage and evaluate fourth parties through controls at the third party or contractual terms with the third party to assess and monitor fourth parties.

Technology

• Three-quarters of respondents face challenges in utilizing tools to help execute their assessment programs.

• 39% of organizations use Oracle or Ariba for contracting, but only one of those organizations also uses these systems for facilitating their inherent risk assessment, and only 8% use procurement systems as the third-party population “golden source.”

• While there is no outstanding leader in tools leveraged for third-party assessments, 52% use Archer and Ariba.

• 90% of respondents felt neutral or negative about how well TPRM tools integrate and capture the overall risk for reporting purposes.

Oversight and governance; quality assurance/quality control

• Third-party risk management spending is increasing across the board: 63% of firms plan to boost spending on internal staffing for risk management, and 57% will spend more to improve risk management.

• Most firms plan to increase the scope and depth of assessments within the next year.

• Almost half (49%) said it would take a week or more to pull a report on third parties with specific criteria and 73% said it would take a week or more to forecast contract expiration, indicating a major disconnect between Procurement and TPRM systems.

• Roughly a quarter of organizations said they can run on-demand risk scorecards.

• As in years past, we continue to see few third parties being terminated for breach or failure.

Board reporting and critical third parties

• 35% of organizations surveyed said they report third-party breaches to the board, while 71% report them to senior management. We would expect this to increase going forward as board reporting matures.

• An increasing number of organizations reported critical third parties to the board level: 43%, up from 26% a year earlier.

Termination/exit strategy

• 74% of organizations surveyed said responsibility for the creation of exit strategies falls within the line of business, and nearly half said they document it prior to contract execution.

• 8% of organizations do not have exit strategies as a formal part of their program. However, most were entities with fewer than 25,000 employees.

Regulatory exams

• Similar to data from the previous year, enterprise-critical third parties, oversight and governance, and information security/business continuity assessments were the top three focus points, respectively, for regulatory reviews.

• However, focal points were spread much wider across the data set in 2016, including areas such as onboarding activities, consumer protection and maintenance of third-party inventory — indicating that regulators continue to go deep and wide in their oversight.

Industry outlook

• More than 95% of organizations said they will spend the same or more on TPRM across a number of functional components, showing a continued trend of investment into third-party risk management.

• The top three areas where organizations indicated they would spend more include internal staffing, technology/enablement, and oversight and governance, respectively.


Third-party population

Inventory of third parties

Organizations have focused their efforts to reduce the number of third parties in their total populations. By decreasing their third-party populations, organizations realize economies of scale, operational efficiencies and reduction of risk management costs; this is particularly attractive considering the large number of third parties that may remain active in populations after contractual relationships have ended.

As organizations continue to reduce their third-party inventory, the proportion of third parties subject to risk monitoring has risen. 19% of organizations reported that all third parties require some form of risk assessment in 2014, but that number jumped to 39% in 2016, likely due to the increased scrutiny from the CFPB, Office of the Comptroller of the Currency (OCC) and Federal Reserve Board (FRB) over the last two-plus years.

Businesses with third-party risk management programs active for fewer than five years have the highest proportion of third parties in scope for those programs.

Proportion of third parties in scope for risk

Q5. What percentage of third parties are in scope for your organization’s risk management program?

Proportion of third parties in scope: 2016 (49) / 2014 (32)
• Less than 10%: 14% / 16%
• 10% to 25%: 25% / 31%
• 26% to 40%: 10% / 22%
• 41% to 60%: 4% / 6%
• 61% to 80%: 6% / 6%
• 81% to 99%: 2% / 0%
• All third parties require some form of risk assessment: 39% / 19%

Third-party inventory

Q4. Approximately how many third parties are within your organization's inventory population?

[Chart: approximate number of third parties, in bands of less than 10,000; 10,000 to 29,999; 30,000 to 49,999; and 59,000 to 69,999, for 2016 (48), 2014 (34) and 2013 (35).]

“We have all third parties that we enter contractual relationships with perform a short inherent risk assessment; a questionnaire that gauges the level of inherent risk that the third parties, product or service can pose on our company.”

— Executive, insurance firm


Risk tiers

Organizations are moving toward a more granular approach when segmenting third parties, rather than a simple “high,” “medium” and “low.” The number of respondents with three risk tiers dropped to 25%, down from 31% the previous year and 43% the year before that. Meanwhile, an increasing number of organizations have four or five risk tiers — 39% and 22%, respectively.

The results indicate that a consensus has emerged — by further segmenting the middle risk tier, organizations are able to make better risk decisions. What organizations have not agreed on is the percentage of third parties in the highest risk tier. 66% of respondents have 15% or less of their third parties in their top tier.

Levels of risk tiers to segment third parties

Q6. How many levels of risk or tiers are used to segment third parties within your organization’s program?

Number of level/risk tiers: 2016 (49) / 2014 (36) / 2013 (35)
• Fewer than 3: 12% / 11% / 6%
• 3 levels: 25% / 31% / 43%
• 4 levels: 39% / 36% / 31%
• 5 levels: 22% / 17% / 14%
• More than 5: 2% / 6% / 6%

Highest risk tier third parties

Q7. What is the percentage of third parties within your organization’s segmentation model: highest risk (not including the “critical” third parties) and second highest risk?

Proportion of third parties in highest risk tier: 2016 (42) / 2014 (36) / 2013 (35)
• Less than 1%: 5% / 8% / 20%
• 1% to 5%: 31% / 28% / 29%
• 6% to 10%: 19% / 33% / 23%
• 11% to 15%: 12% / 22% / 9%
• More than 15%: 33% / 8% / 20%

Proportion of third parties in second highest risk tier: 2016 (42) / 2014 (36) / 2013 (35)
• Less than 10%: 14% / 19% / 20%
• 10% to 15%: 21% / 17% / 26%
• 16% to 20%: 17% / 19% / 9%
• 21% to 25%: 0% / 11% / 17%
• More than 25%: 48% / 33% / 29%


Critical third parties

Fewer third parties on critical list

About 90% of organizations maintain a list of critical third parties. A handful of organizations that generally have less mature third-party risk management programs do not maintain such a list. It should be noted that this was the top focus of regulators in recent reviews, with 44% of organizations denoting it in the top three focus areas during their last regulatory review.

More than 80% of those that maintain a list of critical third parties say their list has fewer than 80. The number of organizations with a list this size has steadily increased over the last three years. The more mature the third-party risk management program, the smaller the list of critical third parties, showing this is an iterative process with continual formalizing, refining and redefining the criteria used to determine what is critical for the specific organization.

Number of critical third parties

Q8. How many critical third parties are within the organization’s third-party inventory?

Number of critical third parties: 2016 (46) / 2014 (31) / 2013 (29)
• 20 or fewer: 33% / 16% / 21%
• 21 to 40: 24% / 42% / 38%
• 41 to 60: 13% / 10% / 14%
• 61 to 80: 13% / 7% / 3%
• 81 to 100: 4% / 10% / 7%
• More than 100: 13% / 16% / 17%

“Services that come out of a high-risk rating receive a different set of questions, more detailed. We also require evidence that their controls are actually operating, and look for 20 specific pieces of documentation-based evidence because these have been identified as vendors that present the greatest threat.”

— Executive, banking firm

Additional oversight

Most of the organizations surveyed said they apply additional oversight and governance activities on critical third parties and increase the scope and frequency of reviews. This aligns with the 90% of organizations reassessing their highest-risk third parties at least annually, the same proportion as two years earlier. Last year, that number dropped to 70%, showing a continued focus on “getting it right” with respect to the highest-risk third parties.

Additional actions applied for critical third parties

Q10. What additional actions are applied, outside of standard management activities, for your critical third parties? Please select all that apply.

Total (47)
• Additional oversight and governance requirements: 81%
• Increased scope of review activities: 75%
• Increased frequency of review activities: 75%
• Direct reporting to executive management/board: 43%
• Dedicated FTE to manage the overall relationship and related services: 36%
• Board-level approval of contract terms: 21%
• No additional actions; monitoring same as highest rank: 11%


Operating model

Still no resolution on model

Primary ownership of third-party risk management falls within procurement or risk functions at most organizations. There was an even split between the number of organizations surveyed that have a fully centralized third-party risk management program and those that have a hybrid approach, with third-party risk management offices located both centrally and within the business areas.

While there is a trend toward centralized components of most functions, there still is not a “silver bullet” model for how to structure a program within an organization. In many cases, culture will trump process in driving an operating model design that will most appropriately enable the enterprise.

“Even though we coordinate all the reviews, the business owner still remains the first line of defense. We have integrated TPRM into the sourcing process.”

— Executive, banking firm

Structure of TPRM program

Q13A. How is your third-party risk management program structured?

Structure of TPRM program (49)
• Centralized — enterprise-wide third-party risk management office: 45%
• Hybrid — third-party risk management offices located within the business areas and centrally at the enterprise level: 41%
• Decentralized — embeds third-party risk management offices within each business area: 14%

Primary ownership of TPRM function

Q11. What area has primary ownership of the third-party risk management function?

Primary ownership of TPRM function (42)
• Procurement: 41%
• Operational and enterprise risk: 38%
• Information security and Tech and operations: the remaining 14% and 7%


Risk assessment within the line of business

The line of business is responsible for completing the inherent risk assessment more than ever before, 53% vs. 32% in 2014, though it varies depending on the structure of the organization’s third-party risk management program. Inherent risk assessments fall within the line of business for about 40% of organizations that take a centralized approach and 86% of organizations that take a decentralized approach.

For many, responsibility spans more than one group. One of four businesses with a hybrid approach to third-party risk management has multiple functions involved in the inherent risk assessment process. Most of those, however, involve the line of business in some way, reinforcing that the business needs to understand and be accountable for the risk.

Responsible for inherent risk assessment

Q14. Who is responsible for completing the inherent risk assessment?

Total: 2016 (49) / 2014 (34) / 2013 (35)
• Line of business: 53% / 32% / 34%
• Centralized third-party risk management: 14% / (N/A) / (N/A)
• Procurement: 8% / 29% / 23%
• Information security: 6% / 15% / 23%
• Operational risk: 2% / 18% / 20%
• Multiple parties: 16% / (N/A) / (N/A)

By structure of TPRM program: Centralized (22) / Hybrid (20) / Decentralized (7)
• Line of business: 41% / 55% / 86%
• Centralized third-party risk management: 23% / 10% / 0%
• Procurement: 14% / 5% / 0%
• Information security: 14% / 0% / 0%
• Operational risk: 0% / 5% / 0%
• Multiple parties: 9% / 25% / 14%

Escalating third-party issues to the board

71% of third-party breaches are reported to senior management, yet reporting of breaches or incidents typically stops at the senior management level. An alarming two-thirds of organizations surveyed said they do not report on emerging risk or breaches and incidents involving third parties to the board. Despite the lack of incident reporting to the board, an increasing number of businesses reported on critical third parties to the board: 43% up from 26% a year earlier.

While the visual summarizes the data on average, we did not see a high degree of deviation between organizations on these numbers. The average number of full-time employees varied greatly based on the size of the organization and the operating model in place. In many cases, we did see outliers in this metric, as it may be a significant challenge to evaluate the number of true full-time equivalents (FTEs) in hybrid or decentralized models where third-party risk management responsibility may only be a portion of a person’s remit.

Third-party reporting to management

Q17. When reporting on third-party risk management, what is the level of escalation for each type of report? Please select all that apply.

Level of escalation for third-party reporting (49)

Columns: Board of directors / Senior bank management / Business area lead bank management / Third-party relationship manager / No reporting
• Critical third parties: 43% / 71% / 49% / 43% / 6%
• Third parties with breaches or incidents: 35% / 71% / 63% / 59% / 4%
• Third parties with the highest residual risk: 31% / 55% / 47% / 43% / 22%
• Operational metrics of the program: 26% / 61% / 47% / 47% / 8%
• Third parties with noted significant issues: 22% / 71% / 55% / 55% / 6%
• Third parties with the highest level of inherent risk: 20% / 63% / 49% / 47% / 12%
• Non-compliant third parties: 18% / 57% / 59% / 55% / 10%
• Third parties with control issues that are past-due: 12% / 65% / 55% / 55% / 12%
• All third parties: 8% / 31% / 41% / 53% / 22%
• New third parties: 6% / 27% / 45% / 59% / 16%
• Third parties related to an emerging risk: 4% / 49% / 47% / 45% / 27%
• Third parties about to be terminated: 4% / 45% / 55% / 57% / 18%

Among the top 10 banks surveyed, we saw an average of one assessment FTE per 200 third parties actively risk managed. For governance or a “core” third-party team, this was one FTE per 240 third parties actively risk managed. However, within this data set there was a very wide range for both, from 1:15 to 1:1,000. There did seem to be a clear average among this group in size, regardless of third-party population, with 50 FTEs supporting assessment functions and 40 FTEs in core functions after the high and low values were removed.

We did not see any clear correlations or “golden ratios” for staffing outside of this group, signaling that organizations are still trying to figure out the right staffing model. Banks may have leaned more heavily on people than technology when addressing program challenges, indicated by a low percentage of organizations that feel they have fully integrated supporting systems for third-party risk management.

“How we deal with [failures], how we understand the risk and how we learn from it, I know that’s something the board is definitely focused on.”

— Executive, banking firm


Assessment framework

Full day or less on-site visits become more commonplace

More than half of the organizations surveyed said they do not spend more than a half-day conducting on-site information security, regulatory compliance or business continuity reviews. This duration was unexpected given the current regulatory environment and focus on compliance. The time spent is significantly less than in 2013, when more than two-thirds of the organizations reported that on-site reviews lasted at least a full day. In many cases, this could be driven by process efficiencies and an increased maturity of the third-party community the second and third times around, but this could also indicate assessment functions becoming “box-checking” functions as opposed to robust third-party risk management activities.

Combined reviews are the most time-consuming to complete; however, the benefits of combining multiple assessment efforts into one would indicate a reduction in the overall end-to-end time and effort. More than half of those surveyed reported spending at least two days on-site for them.

Duration of on-site reviews

Q21. When conducting an on-site review at a third-party site, what is the typical duration of the site visit for each of the following components of the review (excluding travel)?

Total

| Review component | Less than half-day | Full day | Two days | Three days | More than three days |
| --- | --- | --- | --- | --- | --- |
| Regulatory compliance review (46) | 54% | 20% | 13% | 11% | 2% |
| Business continuity review (46) | 52% | 37% | 9% | 2% | 0% |
| Information security review (47) | 23% | 43% | 26% | 6% | 2% |
| Combined IS/BC/RC review (44) | 18% | 27% | 34% | 7% | 14% |

Control questionnaires shortened as third-party risk management programs mature

Organizations with more mature third-party risk management programs are beginning to recognize that shortening their control self-assessment questionnaires, especially in the due diligence stage, can increase focus on the higher areas of risk and minimize the burden on business stakeholders and third parties. The risk-based approach minimizes delays in deal execution and the number of low risk findings that are typically risk accepted. Two-thirds of organizations whose third-party risk management programs have been in place for more than five years use fewer than 250 questions. While we have seen a decrease in number of questions, we have also seen an increase in the documentation and evidence review expectations as organizations put a focus on validating third-party responses.

One approach organizations are using to make the questionnaires more efficient is to develop a more targeted set of questions that apply to the specific third party and the level of risk it poses to the organization. In addition, we see a trend in differentiating between the level of effort in due diligence and the level of effort in ongoing monitoring; the due diligence efforts are more focused on the highest risk factors to the organization.

Full-length control self-assessment questionnaire

Q22. How many questions are within your organization’s full-length control self-assessment questionnaires that are used to assess the highest-risk third parties?

Year-over-year comparison

| Number of questions | 2016 (48) | 2014 (36) | 2013 (35) |
| --- | --- | --- | --- |
| Fewer than 50 questions | 8% | 22% | 14% |
| 51 to 100 questions | 21% | 8% | 23% |
| 101 to 250 questions | 33% | 39% | 20% |
| 251 to 500 questions | 27% | 14% | 37% |
| More than 500 questions | 10% | 17% | 6% |

By TPRM program maturity

| Number of questions | More than 5 years (17) | 3 to fewer than 5 years (15) | Fewer than 3 years (16) |
| --- | --- | --- | --- |
| Fewer than 50 questions | 0% | 7% | 19% |
| 51 to 100 questions | 35% | 0% | 25% |
| 101 to 250 questions | 35% | 40% | 25% |
| 251 to 500 questions | 18% | 40% | 25% |
| More than 500 questions | 12% | 13% | 6% |

“Yes, we are actively shortening questions for our third parties …the questions have reduced, but the documentation has increased.”

— Executive, financial services firm

Industry standards

Large organizations tend to rely more on proprietary standards when designing their self-assessment questionnaires, as many of these programs were developed prior to the emergence of standard frameworks. However, as organizations mature and begin to realize the value of industry-wide frameworks, we have started to see some migration toward standard adoption.

Typically, organizations rely on Shared Assessments and, to a lesser degree, International Organization for Standardization (ISO) and/or National Institute of Standards and Technology (NIST) standards. 28% of firms use Shared Assessments as a baseline for control self-assessment questionnaires, up from 24% last year and 17% the year before that. Meanwhile, the number of firms using ISO and NIST has dropped from 23% to 21% to 16% over the last three years.

Usefulness of reports in reducing need for control assessment

Q24. On a 5 point scale, with 1 – not at all useful and 5 – extremely useful, when considering the need to perform a control review, which of the reports listed below are the most useful in reducing or removing the need to perform a review on a third party?

| Report | Extremely useful | Useful | Not useful |
| --- | --- | --- | --- |
| SOC 2 (44) | 46% | 25% | 29% |
| Shared Assessments SIG (42) | 26% | 31% | 43% |
| PCI Certification (44) | 23% | 25% | 52% |
| NIST (43) | 21% | 23% | 56% |
| SOC 1 or ISAE 3402 (43) | 21% | 37% | 42% |
| ISO Certification (44) | 14% | 32% | 55% |
| Shared Assessments AUP (40) | 13% | 40% | 48% |

While there is a sense of optimism in this area, we still recognize that 10 out of 14 organizations surveyed said it is unlikely that the industry could ever agree on common standards. SOC 2 reports are perceived as the most useful reports for reducing the need for control self-assessments; 71% of organizations find that a SOC 2 report is useful in reducing or removing the need to perform a review on a third party, up from 52% last year.

Regulatory risk and compliance control assessment

More than half (58%) of the organizations surveyed said that less than 10% of third parties expose their organizations to regulatory risk (specifically consumer compliance), while nearly all conduct compliance control assessments. More than 70% reported conducting compliance control assessments pre-contract, compared with 47% the previous year, showing a much larger focus on understanding compliance risk prior to entering formally into a third-party arrangement. 57% of organizations also conduct assessments post-contract.

Two-thirds of organizations conduct individual transaction assessments, going beyond the control structures themselves, and most perform them post-contract.

Within our interviews, we noted that Compliance plays a number of roles within the overall program, in many cases providing anti-money laundering (AML), anti-bribery and corruption (ABC) and Office of Foreign Assets Control (OFAC) screening, in addition to second-line efforts to oversee compliance risk within the businesses and the overall structure of third-party risk management program requirements in line with regulatory guidance.

Exposure to regulatory risk/consumer compliance

Q28. What percentage of third parties expose the organization to regulatory risk, specifically consumer compliance?

By industry

| Share of third parties | Total (48) | Asset management (6) | Banking and capital markets (39) | Insurance (3) |
| --- | --- | --- | --- | --- |
| Less than 5% | 23% | 50% | 18% | 33% |
| 5% to 10% | 35% | 33% | 33% | 67% |
| More than 10% | 42% | 17% | 49% | 0% |

Conducting regulatory compliance reviews

Q29. When are regulatory compliance reviews conducted? Please select all that apply.

Total (49)

| Timing | Compliance control assessments | Individual transactional assessments |
| --- | --- | --- |
| Pre-contract | 71% | 27% |
| Post-contract | 57% | 49% |
| Not performed | 4% | 16% |
| Not applicable | 10% | 20% |

“We have a Compliance Functional Group that is made up of two groups of subject-matter experts, one dealing with banking and the other with corporate compliance. Outside of that is anti-money laundering group. So each of our third parties, as applicable, will get a review by these three disciplines.”

— Executive, banking firm


Assessing and monitoring fourth parties

Q31. How does your organization assess/monitor fourth parties? Please select all that apply.

Total

| Approach | 2016 (48) | 2014 (25) |
| --- | --- | --- |
| Rely on the controls at the third party to actively monitor the fourth party | 75% | 36% |
| Rely on contractual terms established with the third party | 73% | (N/A) |
| Rely on contractual terms between the third-party and the fourth-party organization | 56% | 84% |
| Rely on the relationship manager program | 8% | 56% |

Assessing concentration risk

Q32. What factors are currently considered in the assessment of concentration risk?

Total and by size of firm

| Factor | Total (48) | 25,000 or more (20) | Fewer than 25,000 (28) |
| --- | --- | --- | --- |
| Concentration of a specific service | 60% | 65% | 57% |
| Geographic concentration | 50% | 50% | 50% |
| Reverse concentration (i.e., an organization comprises a significant amount of business to the service provider) | 48% | 40% | 54% |
| Concentration of spend | 38% | 50% | 29% |
| Fourth-party concentration | 17% | 10% | 21% |

Identifying and tracking fourth parties

Nearly 90% of organizations surveyed said they identify or maintain an inventory of fourth parties. This statistic is an improvement from the 2014 survey, when one-quarter were not actively tracking fourth-party data, and is a sign of a maturing industry. Information is usually gathered pre-contract or during the control assessment, and it is more often accounted for in the contractual terms with a third party.

In addition, we saw a large jump in the reliance on the controls at the third party to actively monitor the fourth party — from 36% to 75%.

Concentration risk

Concentrations of a specific service as well as geographic concentrations have emerged as key considerations in third-party risk management. Smaller organizations are more likely to look at reverse concentration, such as how much their organization impacts the third party, while larger businesses focus more on the concentration of spend within third parties. This is an interesting observation, especially in light of the Federal Financial Institutions Examination Council (FFIEC) guidance regarding concentration risk related to service availability.

“We look at the impact a vendor would have on us. Would it impact the entire enterprise, multiple business units? But we also look at the dependency flip side. In other words, what’s the dependency of the vendor on us for their revenue?”

— Executive, financial services firm


Termination/exit strategy

Line of business and exit strategy

Three-quarters of the respondents said the line of business is responsible for documenting the exit strategy for each of their third parties. About half document this during due diligence, and 30% do so post-contract. We would consider creating exit strategies earlier in the process as a leading practice, as post-contract may position the activity to be reactive.

Organizations, on average, terminated two third parties because of control issues in the past year; five did so based on performance and less than one due to a specific incident or breach. This continues to be a very low number on average year-over-year, either showing that few organizations have taken strict actions to address third-party issues or illustrating that the program has some ability to dictate risk-managed business decisions.

On average, the typical organization terminated 51 third parties as part of consolidation efforts, which shows a small, positive trend in third-party base reduction. In many cases, these efforts have been consolidated in certain commodity services (e.g., law firms).

Oversight and governance; quality assurance/quality control

Oversight and governance

Oversight and governance continues to be the number one or number two item of focus from a regulator perspective, as mature and compliant functions lean heavily on this portion of the program to instill program compliance and to identify issues or challenges throughout the end-to-end function. Where we have seen challenges in the ability of an organization to meet the expectations of a program, there is common alignment with underlying issues with the oversight and governance function.

Reporting for operational and governance purposes continues to be an indicator of the maturity of a healthy third-party risk management program. Reporting contributes not only to understanding program health, but to illustrating the value and efficiency of the function to senior management and above. In line with that, 78% said reporting to the board of directors is an important part of their organization’s oversight and governance program, but only a handful of organizations said reporting on third parties, across a number of surveyed topics/metrics, actually made it up to the board, showing strong intent but a lesser degree of tangible maturity.

Where we do see a high degree of real-time reporting ability is in the area of critical third-party populations and the forecast of upcoming control assessments. However, real-time reporting across a number of criteria or metrics in the figure below is still a considerable challenge for financial services organizations.

Ability to report

Q37. How quickly would your organization be able to report on the following?

| Reporting item | Easy: On-demand | Possible: 1 week | Difficult: > 1 week | Unable to report |
| --- | --- | --- | --- | --- |
| Contracts with incentive compensation structures (47) | 4% | 23% | 43% | 30% |
| Presence of concentration risk related to predefined risk thresholds (46) | 7% | 24% | 44% | 26% |
| Forecasting of contract expiration (48) | 19% | 35% | 38% | 8% |
| Services with global delivery locations (47) | 23% | 38% | 23% | 15% |
| Third-party risk scorecard/profile across all applicable risk and performance domains | 26% | 19% | 36% | 19% |
| Risk treatment distribution (i.e., amount accepted or remediated) (48) | 31% | 29% | 23% | 17% |
| Population of third parties based on specific criteria (i.e., business area location service) (49) | 39% | 29% | 20% | 12% |
| Identification of upcoming remediation plan due dates (49) | 41% | 25% | 20% | 14% |
| Customer/consumer-facing third parties (49) | 41% | 33% | 18% | 8% |
| Forecasting of upcoming control assessments (to be conducted in the next quarter) (49) | 51% | 33% | 10% | 6% |
| Population of critical third parties (49) | 63% | 29% | 6% | 2% |


Quality Assurance/Quality Control (QA/QC)

Organizations are performing an increasingly wider variety of QA/QC activities as part of their oversight and governance programs, a sign of their increasing maturity. Third-party risk classification has become progressively more important in determining the scope of review for QA activities; this helps explain why organizations are now adding additional layers to their risk tiers, which enables them to provide focused flexibility in governance activities to the higher tiers as opposed to an all-or-nothing approach for a single high-risk tier.

The levels of inherent and residual risk of the third party, as well as known areas of non-compliance, are also becoming more important. While QA/QC functions continue to increase in maturity at organizations with functions greater than three years old, 40% of organizations with relatively new third-party risk management programs noted they did not have a quality assurance function, illustrating this is one of the last portions of program establishment considered.

Functional components in-scope for QA of the TPRM program and determining scope of review for QA activities

Functional components in-scope for QA of the TPRM program

Q39. What functional components of the program are in scope for the quality assurance function of the third-party risk management program? Please select all that apply.

By firm size

| Functional component | 25,000 or more (15) | Fewer than 25,000 (18) |
| --- | --- | --- |
| Control assessments and related evidence | 93% | 83% |
| Inherent risk assessments | 73% | 83% |
| Issues and action plans | 80% | 61% |
| Known areas of program non-compliance | 73% | 56% |

Determining scope of review for QA activities

Q40. When executing quality assurance activities on the third-party risk management program, how is the scope of the review determined and the population selected? Please select all that apply.

Total

| Basis for scope | 2016 (35) | 2014 (34) | 2013 (35) |
| --- | --- | --- | --- |
| Third-party risk classification | 69% | 53% | 40% |
| Level of inherent risk | 54% | 44% | 37% |
| Level of residual risk | 43% | 21% | 14% |
| Random sample | 37% | 50% | 26% |
| Known areas of program non-compliance | 37% | 29% | 26% |

Regulatory exams

Regulators are increasingly focused on enterprise-critical third parties. The organizations we surveyed ranked enterprise-critical third parties as the most important focus area for regulators, compared with the fourth most important focal area in the previous year’s survey and eighth most important the year before that.

While oversight and governance procedures, information security and business continuity still rank highly, it is evident regulators are spending more time looking at critical third parties.

It also appears that regulators are going broader and deeper in their assessments, showing a greater level of knowledge and maturity in the regulatory oversight teams performing the exams. Because of this shift, organizations should be knowledgeable about and conversant with every piece of the end-to-end function across the lines of defense and have a keen perspective on the strategic direction of their program over the next 6 to 12 months.

Regulatory body review focus areas

Q41. During your organization’s most recent regulatory body review, what were the 2 to 3 most important areas of focus?

| Focus area | Total (48) | Rank in importance, 2014 | Rank in importance, 2013 |
| --- | --- | --- | --- |
| Enterprise-critical third parties | 44% | 4 | 8 |
| Oversight and governance | 44% | 2 | 1 |
| Third-party assessments: Information security and business continuity | 38% | 3 | 5 |
| Maintenance of third-party inventory | 21% | | |
| Third-party assessments: Compliance | 19% | | |
| Third-party assessments: Performance | 19% | | |
| Inherent risk assessment | 17% | | |
| Onboarding activities | 15% | | |
| Issue management and/or risk acceptance | 13% | | |
| Consumer protection | 13% | | |
| Privacy/confidentiality | 13% | | |
| Foreign-based third parties | 10% | | |
| Fourth-party oversight | 8% | | |
| Operating models | 8% | | |
| Residual risk model | 6% | | |

“However, they [regulators] did challenge us with how the program is to grow and mature throughout our organization and whether or not we are considering the increased resource requirements in that growth model.”

— Executive, financial services firm


Technology

Even with broader third-party risk management reporting systems, there is still relatively little integration of tools and technology across the end-to-end process for third-party risk management. Organizations surveyed were less satisfied overall with the level of tool integration in 2016 than they were in 2014, a step backward compared to other program elements; this potentially indicates a growing frustration in the industry with the lack of a “best in class” tool set. A number of organizations have migrated to a new tool in the past year without a single system showing strong growth. In many cases, this may be driven by challenges in the business process and amplified by a tool decision that may not be the most suitable for the organization.

No single third-party tool was used by more than one-third of organizations. The most frequent response is a proprietary solution to manage risk reporting. Use of proprietary technology increased from 9% in 2014 to almost one-quarter of organizations in 2016, indicating that there is a strong market need for a more collaborative and process focused integrated solution.

Use of tools

Q45. What technology/tool does your organization use for each of the following functions?

Use of tools (46)

| Function | Archer | Bwise | Oracle | Ariba | SAP | Hiperos | Proprietary | Other |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Sourcing activity | 7% | 2% | 9% | 33% | 7% | 7% | 22% | 22% |
| Inherent risk assessment | 26% | 2% | 2% | 2% | 2% | 13% | 33% | 17% |
| Contract repository | 4% | 2% | 9% | 30% | 7% | 0% | 22% | 26% |
| Primary third-party inventory | 26% | 2% | 4% | 4% | 4% | 11% | 26% | 26% |
| Control assessment facilitation tool | 30% | 2% | 0% | 0% | 0% | 13% | 24% | 20% |
| Issue management tool | 26% | 7% | 2% | 0% | 0% | 9% | 28% | 24% |

Reporting tool integration

Q46. On a scale of 1 to 5, with 1 = not at all integrated and 5 = fully integrated, how well do the above tools integrate and capture the overall risk for reporting purposes?

| Year | Fully integrated | | Not at all integrated |
| --- | --- | --- | --- |
| 2014 (35) | 12% | 34% | 54% |
| 2016 (48) | 11% | 27% | 63% |

Tracking issues with spreadsheets

Even though fewer organizations indicated they were using spreadsheets to track issues and exceptions compared with 50% the year before, they are the second most common method used and the most common for organizations with new third-party risk management programs. Surprisingly, 35% of organizations with third-party risk management programs that have been in place for more than 5 years also still use spreadsheets, and 69% of firms with third-party risk management programs that have been in place for fewer than three years use them.

The organizations that are moving away from spreadsheets typically have an enterprise-level issue management system or a centralized third-party program-specific tool. Those with the most mature third-party risk management programs may also track and store issues within the assessments themselves, constraining reporting capabilities and impacting efficient and effective issue management activities.

Nearly all organizations surveyed identified fewer than 10 issues for each third-party control assessment, while only 6% identified between 11 and 20 issues.

These numbers continue to be lower year over year, which presents some optimism in third-party control structures. However, we do know that a decrease in question set size may be contributing to this as well. The downward trend also raises concern that third parties have improved in responding to these questionnaires, as opposed to leading and proactive risk, threat and vulnerability management.

Inbound third-party management

Service organizations continue to be inundated with inbound requests to complete third-party control assessments. Nearly half of the organizations surveyed, the vast majority of which are similarly regulated financial institutions, said they receive at least 50 inbound requests to complete third-party control assessment questionnaires on other banks, signaling opportunity for an industry solution on common ground. Typically, firms have four to five FTEs responding to these requests, though most are to facilitate remote/desktop reviews.

Inbound third-party risk management

Q42. Approximately how many inbound requests for completion of third-party control assessment questionnaires does your organization receive annually?

Number of inbound requests annually (45)

| Inbound requests per year | Share of organizations |
| --- | --- |
| Fewer than 50 | 56% |
| 50 to 150 | 13% |
| 150 to 300 | 18% |
| More than 300 | 13% |

Q43. What percentage of inbound requests are on-site third-party reviews versus desk-based/remote reviews?

On-site vs. remote/desktop reviews (33)

| Review type | Share of inbound requests |
| --- | --- |
| On-site reviews | 15% |
| Remote/desktop reviews | 85% |


Industry outlook

The two greatest challenges: technology and knowledge

On the technology side, a number of organizations have gravitated toward workflow management systems in combination with typical contracting, GRC, risk and issue-management platforms to piece together the ecosystem of platforms necessary to address the end-to-end process challenge. We have also seen an increase in the acceptance and use of Software as a Service (SaaS) based platforms.

More than 40% of the organizations surveyed stated that the lack of knowledge across functions and business areas, as well as the tools they have to execute their assessment programs, pose significant challenges to their third-party risk management programs. This is not unexpected, given there is no widely accepted set of industry standards and many organizations are relying heavily on spreadsheets.

As operating models continue to shift and change to fit the growing needs of organizations, functions put an increasingly large expectation on the first line of defense to own and manage the risks posed by third-party relationships. Focusing on the enhancement of risk awareness, training and culture are critical factors in the continued growth in maturity of third-party risk management functions.

Challenges

Q20. On a 5-point scale, with 1 = no difficulty and 5 = significant difficulty, what degree of difficulty does your organization face in addressing each of these potential challenges related to your third-party risk management program?

Total (49)

| Challenge | No difficulty | Significant difficulty |
| --- | --- | --- |
| Utilizing a tool to assist in the execution of the assessment program | 25% | 47% |
| Appropriate skillset/knowledge/experience across each of the functional components and business areas | 35% | 41% |
| Clarity of responsibilities for third-party activities across your organization | 25% | 35% |
| Integration between risk management and procurement process | 35% | 35% |
| Organizational change causing significant addition/change to the scope of the program | 41% | 35% |
| Business unit support for third-party assessment activities | 29% | 33% |
| Variability of assessment date/inability to distribute the assessments throughout the year | 43% | 27% |
| Understanding the scope of the third-party service prior to conducting control assessment | 35% | 20% |
| Approval of material changes to contract terms by Legal/General Counsel | 63% | 16% |

All of the organizations surveyed stated that management recognizes the importance of the third-party risk function and is providing strong support in the form of new investments and increased resources to help meet regulator expectations. Many organizations plan to increase their spending on human capital, in line with the findings from a year ago. Additionally, 54% said they plan to spend more on technology, up from 40% a year earlier.

Third-party risk management is a growing domain that is still moving toward maturity. But the fact that few organizations are planning to cut back in any area of their programs and many are, in fact, seeking to bolster their programs with additional investments indicates that businesses understand the significance of this industry and will continue to prioritize it moving forward.

Areas of investment

Q47. Compared to the current year, does your organization plan to spend more, less or the same amount for the following activities?

Planned changes in TPRM spending (46)

| Activity | Spend less | Spend more |
| --- | --- | --- |
| Internal staffing: TPRM | 7% | 57% |
| TPRM technology enablement | 7% | 54% |
| TPRM oversight and governance | 7% | 50% |
| Procurement process | 15% | 46% |
| Third-party on-site assessments | 7% | 46% |
| Internal staffing: Third-party relationship management | 9% | 39% |
| Updating TPRM methodology | 9% | 39% |
| TPRM audit or regulatory remediation requirements | 7% | 35% |
| Third-party remote assessments | 7% | 33% |

2014 (35)

| Activity | Spend less | Spend more |
| --- | --- | --- |
| Internal staffing: TPRM | 3% | 63% |
| TPRM oversight and governance | 3% | 46% |
| Internal staffing: Third-party relationship management | 3% | 46% |
| Third-party on-site assessments | 6% | 43% |
| TPRM technology enablement | 3% | 40% |
| TPRM audit or regulatory remediation requirements | 6% | 37% |
| Procurement process | 0% | 32% |
| Third-party remote assessments | 9% | 29% |
| Updating TPRM methodology | (N/A) | |


Want to learn more?


Turning risk into results: how leading companies use risk management to fuel better performance

This study explores EY’s experience with clients that shows turning risk into results requires a multifaceted approach.

Creating trust in the digital world

Our 2015 Global Information Security Survey (GISS) provides insights from 1,755 participants and investigates the most important cybersecurity issues facing business today.

Regulating from within bank strategy

The Banker’s special January 2016 edition in association with EY.

Maximizing value from your lines of defense: a pragmatic approach to establishing and optimizing your LOD model

The current economic environment and significant risk events over the last few years have caused companies to have a renewed focus on the effectiveness of risk management.

EY contacts

Matthew Moog, Principal, Ernst & Young LLP, +1 212 773 2096

Chris Ritterbush, Executive Director, Ernst & Young LLP, +1 212 773 4489

Please visit us at ey.com


EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

EY is a leader in serving the global financial services marketplace

Nearly 35,000 EY financial services professionals around the world provide integrated assurance, tax, transaction and advisory services to our asset management, banking, capital markets and insurance clients. In the Americas, EY is the only public accounting organization with a separate business unit dedicated to the financial services marketplace. Created in 2000, the Americas Financial Services Organization today includes more than 6,500 professionals at member firms in over 50 locations throughout the US, the Caribbean and Latin America.

EY professionals in our financial services practices worldwide align with key global industry groups, including EY’s Global Asset Management Center, Global Banking & Capital Markets Center, Global Insurance Center and Global Private Equity Center, which act as hubs for sharing industry-focused knowledge on current and emerging trends and regulations in order to help our clients address key issues. Our practitioners span many disciplines and provide a well-rounded understanding of business issues and challenges, as well as integrated services to our clients.

With a global presence and industry-focused advice, EY’s financial services professionals provide high-quality assurance, tax, transaction and advisory services, including operations, process improvement, risk and technology, to financial services companies worldwide.

© 2016 EYGM Limited All Rights Reserved.

SCORE No. 01451-161Gbl
1604-1908450 BD FSO
ED none

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com