Financial services industry regulators are serious about delivering the legislative changes that stemmed from the crisis. Last year alone, fines worth millions of dollars were imposed on financial intermediaries for failing to adequately shield customers from predatory lending practices by their third-party vendors. Accordingly, a recent global financial institutions survey, conducted by Ernst & Young, found that tougher scrutiny of regulatory compliance had increased by more than any other factor as a driver of third-party supplier risk. The message is clear: although activities can be outsourced, accountability cannot.
The widening of regulatory scope to include consumer protection and third-party compliance has also started to pose new supplier risk management challenges for industry operators. In the past, financial firms have managed their supplier risks through dedicated SRM programmes that mainly focused on commercial operations risk issues, such as credit uncertainties and business continuity, a feature which has now become less valuable.
Given the rising weight placed on customer protection, as well as 4C’s own experience in helping leading public and private sector organisations understand and mitigate risks from their supplier base, it is worth considering the following best practices when managing vendor relations.
Risk-based segmentation of supplier base
Although still crucial, it is no longer sufficient just to have an exhaustive, detailed, and harmonised database containing all third-party suppliers and the different risk types associated with their dealings.
Assigning the appropriate risk categories at the enterprise level, rather than on a supplier-by-supplier basis, is becoming increasingly crucial for firms to maximise operational efficiency, especially when they are faced with limited resources.
Companies that employ this method can concentrate on areas where high risks overlap, thereby understanding how the mishaps of individual vendors can influence events beyond their own narrow business scope.
Better technology, such as tools that provide quicker access to the ever-changing landscape of risk information, can also help reduce manual effort by automating regular reviews of low-risk suppliers.
Activity-triggered due diligence checks
In segmenting their third-party suppliers, firms tend to use either a score-based or an activity-based approach. To save up to 40 per cent of employees’ working hours, a less resource-intensive activity-based segmentation approach is highly recommended.
Where the score-based approach tends to assign high-risk suppliers to comprehensive diligence checks every time they enter an agreement, an activity-based approach will assign risky activities only to agreements that are relevant to specific suppliers. This way, for instance, suppliers not handling sensitive commercial information can avoid going through time-consuming security clearance scrutiny.