It goes without saying that operational resiliency and supplier risk management go hand in hand. Organisations need to adapt, respond to, and recover from disruptions that occur both internally and externally in order to be successful. In recent years, financial regulators globally have been putting a stronger emphasis on operational resiliency and business continuity, leading to an influx of new guidelines for managing third-party risk.
In the UK, rapid technological advancements, changing consumer behaviors, and increasing cybersecurity concerns have led regulators to consider new strategies to address economic stability through outsourcing and third parties. Operational resilience has become a leading focus for the UK Prudential Regulation Authority (PRA).
The PRA has published a supervisory statement on third-party risk management that aims to improve operational resiliency. Outsourcing arrangements entered on or after 31 March 2022 will need to comply with these expectations in the coming months.
PRA Establishes Framework for Outsourcing Practices
The supervisory statement from the PRA seeks to improve the readiness of financial service firms to absorb inevitable disruptions, in turn, mitigating any damage to the greater economic stability. The PRA has outlined its approach to operational resilience by targeting third parties. The PRA encourages organisations to identify “important business services” for which a significant disruption would threaten market integrity or financial stability.
Additionally, firms are to establish impact tolerances for key services and conduct testing to ensure that tolerances can be met. This will allow for a proper understanding of the impact of a disruption and provide valuable metrics to facilitate process improvement and resource allocation.
The guidelines reinforce the idea that business disruptions will inevitably occur, and systems should be designed to bend but not break. It is important that tolerances and testing are designed with customer experience in mind, as the goal is to allow customers to continue to use and access financial services despite interruptions.
A key factor in this strategy is the importance of board-level support for the firm’s third-party risk management program. This ensures that operational resiliency is built into business functions from the top down.
Where Operational Resiliency and Supplier Risk Management Intersect
UK legislators propose that all third-party arrangements go through extensive risk assessment before integration. Additionally, third parties must provide a continued demonstration of appropriate operational resilience standards in line with the organisation’s policies.
Organisations will need to create a written outsourcing policy and keep a register of outsourcing arrangements. This means that organisations will need a centralised processes for identifying and managing their supplier base. Firms providing outsourced services will need to address their practices along with any third-party arrangements they may have, as these relationships pose a fourth-party risk. These steps are particularly important for critical business services where sensitive data is accessible to a third party.
The regulatory framework from the Prudential Regulation Authority and UK Financial Conduct Authority presents a new approach to existing practices around operational resiliency. Organisations can align their supplier risk management and operational resiliency practices to avoid significant impact on the larger economy, creating a more stable economic environment overall.
The guidance provided by the PRA emphasises that organisations coordinate with third parties to understand potential risks. It is necessary for organisations to obtain enough information and data on the third party while onboarding to ensure that they can operate within the organisation’s impact tolerances.
Preparing for the Changes Ahead
Organisations are required to comply with the new UK PRA guidelines on outsourcing and third-party risk management on 31 March 2022.
Organisations can take the necessary steps to bolster their supplier risk management programs prior to the deadline by automating the vendor lifecycle.
ProcessUnity Vendor Risk Management (VRM) is a software-as-a-service (SaaS) application that helps companies identify and remediate risks posed by third-party service providers. Combining a powerful vendor services catalog with risk process automation and dynamic reporting, ProcessUnity VRM streamlines third-party risk activities while capturing key supporting documentation that ensures compliance and fulfills regulatory requirements.
ProcessUnity Vendor Risk Management provides organisations with the tools to manage third-party risk effectively, allowing your organisation to remain resilient throughout disruptions. Learn more here.
This article was originally published by ProcessUnity and is shared with their kind permission.