Risky Business with PaymentWorks: E5–Third-Party Risk Management and Risk
This blog was initially published in 2021 but was updated in March 2024 for accuracy and comprehensiveness – and to highlight how third-party risk assessment and management have only increased in importance over the last several years.
Third-party risk assessment for vendors isn’t just a good idea—it’s crucial for keeping things running smoothly (without some serious consequences) in today’s business world.
This piece is all about the big role third-party risk checks play in the bigger picture of keeping risks under control. We had a very interesting conversation with an expert with more than four decades of real-world experience in this realm. Grab your favorite snack, and let’s dig in!
Welcome to Episode 5 of Risky Business with PaymentWorks!
Yakut Akman has 40 years of experience in financial services, covering a wide range of functions globally, including Operations & Technology, Risk Management, Audit, and Regulatory Compliance.
She joined to discuss all things third-party risk assessment and management. If you’re looking for a compelling case to centralize third-party data, you won’t want to miss this!
About Our Guest
Ms. Akman started her career at Citibank Istanbul as an Executive Trainee and then worked in multiple locations gaining extensive global experience.
Over time, she excelled in Operations Management as a thought leader and a change agent in the financial markets, and in response, the regulatory expectations grew more complex.
Ms. Akman focused on process efficiency and effectiveness while balancing operational risks and controls. She sharpened these skills in Internal Audit overseeing new emerging risks.
As a Risk Manager of key businesses, Ms. Akman actively interacted with government agencies around the world. She successfully addressed high-profile, enterprise-wide issues by setting standards, building trust, and achieving sustainable results.
Episode Takeaways On Third-Party Risk Assessments and Management
#1. There are five phases to managing third-party risk
A third-party risk assessment, and more broadly, managing risk, starts with the planning phase. This begins the moment an organization starts to consider a relationship with a third party.
Next, there is the due diligence phase, which requires a third-party risk assessment that allows you to check off the things you need to make sure the third party is okay to start a relationship with.
Next, after you shake hands, the third phase of contracting begins.
Ms. Akman argues that the fourth phase of ongoing monitoring is perhaps the most important, if not the longest-lasting one, saying, “Things change, and this could be a years-long [phase].”
Finally, the last phase is termination. This may come up due to a contract expiring or because the organization is not happy with the services of the third-party provider.
#2. Third-party risk management has evolved
Ms. Akman explains how things were done a bit differently when she first started her career in banking. Nearly everything was done in-house, barring things like check printing, cleaning, and catering services.
But in the last decade or two, Ms. Akman notes, “banks have significantly increased the number and the complexity of bank functions that they outsource to third parties [with] more and more customer-facing services have been outsourced.”
As a result, third parties have become an integral component of the bank’s operations. This is especially true for third parties that can do similar functions better, faster, and cheaper.
Ms. Akman goes on to explain how oversight was, at first, a missed opportunity, pointing out that “the banks were happy to outsource the services and pay for them. But what they forgot in the process was an oversight function of these third parties. I often liken this to parents dropping off their kids at a babysitter and then going out to enjoy themselves for 2, 3, 5 hours, whatever. And thinking, ‘Okay, the kids are the babysitter’s responsibility.’ They’re not. You’re still responsible if your kids break something or misbehave.”
Eventually, regulators started to pay attention and published third-party risk assessment and management guidance, significantly expanding their review of banks’ third-party management programs.
#3. Third-party risk is not a standalone risk
Ms. Akman thinks the term “third-party risk” is somewhat of a misnomer. She thinks it shouldn’t be viewed as if it’s “a separate and single risk.”
Why? Because as organizations outsource many of their functions, third parties actually become an extension of the organization’s operation.
While Ms. Akman’s experience deals directly with banks, it’s a point that resonates with organizations of any kind. She says, “All the relevant risks that would apply to the [organization’s] operation would also apply to a third party. But then there’s the additional risk because the third parties are a separate entity. So they’re not subject to the same policies, standards, and processes that the [organization] has in-house, [but] they may have access to the [organization’s] systems, confidential [organization] data, or customer information.”
As a result, she says, “there is a need to identify, assess, and control all the risks presented throughout the third party lifecycle.”
This is why she considers “third-party risk” a whole bucket of risks – risks that are not easy to manage unless you have “effective people, processes, and tools.”
#4. Siloed risk management processes are a problem
Ms. Akman points out that a bird’s-eye view of the typical third-party risk management landscape includes everything from adequacy and effectiveness of internal policies and processes, compliance with applicable regulations, information security risks, business contingency, and more.
In many ways, it might be easier if it could all be bundled together under operational risks. Why? Because these different risk areas are often supported by many different systems that don’t talk to each other.
Ms. Akman also points out that many of these silos exist because many of the systems are “developed over time in response to emerging risks or emerging functions.” Add to that regional complexities and, depending on the size and scope of the organization, you are dealing with siloed information, systems, and processes.
Ms. Akman adds, “There is no master file for the third-party data. There are multiple and different databases for the same third parties. In different platforms, the processes are very manual. As I mentioned before, the process really starts with the businesses, the frontline businesses. And to them, this is a pain in the neck kind of a process.”
#5. The ramifications of vendor master data integrity are clear
Ms. Akman goes on to say that those various processes and systems also support various functions within an organization – including procurement, sales, contracts, risk management, compliance, information, security, cybersecurity, contingency of business, and so on.
Some of these departments and groups did not even exist a few years ago. Now, many are very big groups within an organization. Subsequently, they choose their own systems, making it hard for anyone to have a bird’s-eye view. It then becomes harder for someone to put in the necessary central controls.
Ms. Akman adds, “A lot of these systems have been around a long time. They’re rather archaic, and they use old technology, there’s no connectivity between the systems. We may, at best, have some mapping between similar fields.”
She recalls a time when she was heading up derivatives and was tasked with determining their exposure to a major Fortune 100 company. She and her team quickly realized the company was in “a gazillion different systems – and the name was spelled differently in every system!”
It underscores the need for a centralized repository of third-party core data. With a central location for core data defining the third party (like name, address, tax ID), it can be fed into different systems from there.
She also adds, “There’s evidence that when third parties enter their data themselves, the error rate goes down significantly. Because it’s not a one-time thing we’re talking about here, once you set up your third party, things change over time, their address change, names change, all sorts of things change, right? So allow the third party to have control over their data, with some oversight and control, of course.”
PaymentWorks can help streamline third-party risk assessment — and provide the oversight and control needed to keep third-party data in line.