Third-party risk is moving up the agenda as insurance firms focus their attention on operational resilience, outsourcing, and environmental, social and governance (ESG) challenges. These risks are most commonly understood in the context of outsourcing, which many firms adopt as the default in key areas, such as IT, to provide scalable solutions, cut costs and reduce the need for in-house capability. But third-party risk is broader than that and problems may originate from clients, suppliers and intra-group or external outsourced providers, among others.
Poor third-party risk management can lead to fines, reputational damage, and regulatory or legal action. When outsourcing any service, it’s important to remember that the user organisation always retains regulatory responsibility for that activity. Similarly, high-profile legal cases highlight that firms are increasingly being held accountable for weaknesses in their third-party contracts. These relationships are also under greater scrutiny from customers, who want to ensure that organisations reflect their values – in word and deed.
As such, boards, regulators, investors and other stakeholders need assurance that these risks are being appropriately identified, managed and mitigated.
Third-party impacts on operational resilience
Under operational resilience, insurance firms must identify critical business services that could potentially cause financial harm to consumers, markets or the wider economy in the event of an outage. Firms must map the processes supporting those services, including any outsourced activity, and restore them within a pre-agreed tolerance limit. While these outages may be due to something internal, they can also be caused by third-party activity, including cyber breaches or a disruption to the supply chain.
Outsourcing is a key element of operational resilience, as highlighted in the FCA’s PS21/3, which emphasises the need to include all intra-group and external outsourced providers when planning the response to service disruptions. This may include measures to restore third-party services quickly, or it may involve a temporary transfer to another supplier. It may not always be possible to transfer services in specialised areas such as cloud or IT, where a few providers serve many firms across the insurance sector, giving rise to concentration risk. Addressing these concerns at the contract negotiation stage will establish effective processes, which then need ongoing monitoring and review throughout the engagement. Firms may also need to consider alternative solutions as back-up plans.
An effective outsourcing framework will help mitigate these risks, embed effective controls across all three lines of defence, and help firms avoid fines and regulatory penalties. This is particularly important for the first line, where responsibilities for third-party risk management are often not well defined and where a senior manager in the business needs to be accountable under their senior management function duties. Effective controls must be underpinned by strong reporting lines and good management information. These activities give the board and non-executive directors assurance that third-party risks are being appropriately managed, helping them to make informed decisions and to consider outsourcing when setting the wider business strategy.
Third-party impacts on ESG
Insurance firms are increasingly concerned with ESG risks and how to manage them effectively in the face of rapidly changing customer and regulatory expectations.
Customers want to work with insurance firms that have a clear purpose, in line with their own values. If a firm has adopted an ESG strategy with a strong ethical or social stance, the third parties they work with also need to align to this purpose. To effectively manage this, firms must understand their supply chain and have appropriate assurance in place to make sure their values and behaviours line up. With long and complex supply chains, firms often do not have the oversight needed to know for sure that this is the case.
Lack of oversight can cause problems from a regulatory standpoint too. ESG regulation is increasingly complex and as new requirements emerge in this space, insurance firms must ensure they have adequate information and metrics from their suppliers and third parties to demonstrate compliance. An effective risk management framework will incorporate mitigation strategies around ESG ratings and market data and include appropriate due diligence and monitoring throughout the life of a third-party contract.
Challenges of managing third-party risk
Third-party relationships are inherently complex, especially for large corporations with international operations. Disparate working practices, in line with varying regional methodologies and regulatory frameworks, make it difficult to get a coherent view of all third-party arrangements – not to mention fourth or fifth parties. It can also be tricky to identify third-party risk or recognise how those risks can crystallise to cause operational disruption or regulatory action.
To add to this, it’s not always clear who’s responsible for third-party risk and it often falls to either the procurement or compliance team (on top of their existing duties). This presents further problems. As these teams often have little to no day-to-day contact with third parties, it is particularly challenging to provide effective oversight – or be sure that the terms of the contract are met. Where they do identify any issues, these teams may not have the necessary influence (internally or externally) to drive change.
What should insurance firms do now?
A holistic third-party risk framework, supported by greater training and awareness across the organisation, will promote a good understanding of third-party risk management and the mitigation strategies needed to manage those risks.
To get started, firms must:
- set third-party expectations at the contract stage, including defining responsibilities and liabilities and setting service level agreements and performance objectives
- undertake appropriate due diligence for relevant third parties and gain assurance over their quality standards
- define clear roles and responsibilities across all three lines of defence, with appropriate points of escalation
- map critical business services to identify which underlying processes are provided by a third party and how material they are
- ensure third-party risks and controls are embedded in the risk management framework, with effective processes for managing, monitoring and reporting them.
Prioritising third-party risk as part of an effective enterprise risk management framework will help give all stakeholders assurance that third-party risks are being appropriately identified, monitored and mitigated.
To find out more on this topic, contact Nousheen Hassan.