In today’s fast-paced, increasingly competitive business climate, an efficient TPRM program is not only an invaluable asset but a vital one. It enables banks to quickly respond to – and keep up with – rapidly changing market dynamics.
As technology continues to redefine consumer expectations, it has become critical for banks to adopt new digital technologies to remain competitive—especially in the face of increasing competition from large global financial institutions, which have infinitely more resources. Digital transformation is not just a goal anymore; it is a necessity.
One key area of banking that is ripe for digital transformation is third-party risk management (TPRM). Third parties play an increasingly important role for banks and are entrusted with a variety of important tasks, from helping ensure uninterrupted business operations to protecting highly sensitive customer data. Banks recognize that if a business partner, supplier or vendor suffers a data breach, security compromise or operational disruption, the bank’s operations and reputation can also be at risk.
As a result, TPRM has become a priority for bank leaders, on par with innovation, efficiency and productivity. Yet many TPRM programs remain reliant on tasks that are highly manual and prone to human error. This hidden risk within TPRM is difficult to quantify but important to recognize, as is the increasing frequency of high-impact events, or “black swans,” that adversely affect third parties. The recent winter storms in Texas are an example of a low-probability, high-impact event that exposed banks that depend on third parties in that location to greater risk, as servers went down and data was lost in the days-long power outage.
Traditional TPRM Practices Are Not Sufficient for Today’s Risk Environment
Banks must evolve to meet these new risk realities, and harness technologies to digitally transform their TPRM programs. The introduction of Artificial Intelligence (AI), Machine Learning (ML) and Natural Language Processing (NLP) can provide views of risk and risk concentration in ways never before available.
After the many challenges in 2020 and early 2021, banks have had to take a step back and rethink how they acquire and analyze data, develop new ways to bring disparate mitigation plans together and find new levels of visibility across their organizations’ many risk areas. This is even more complex for smaller institutions such as community banks and credit unions that are resource strapped and have more limited technology expertise at their disposal.
The ultimate problem is that vetting new suppliers requires both time and money, leaving banks struggling to find the resources needed to meet frequent changes in their business landscapes, let alone the ongoing management of existing relationships and mitigation plan commitments.
Banks rarely have one single view of their third-party risk. Most manage their TPRM programs in silos, separating risk into operational units. Critical details are collected on documents located throughout the organization, with no ability to connect and analyze data points centrally. The variety of data sources and risk domains, together with a lack of standardized information, leaves separate “narrow” departments duplicating efforts or failing to learn from each other. This causes critical information gaps and makes it very difficult to connect the data and look across the bank’s entire third-party risk.
Operational risk teams are also personnel heavy. Many TPRM processes are performed manually by subject matter experts who spend much of their time on data collection and administration, managing a tremendous volume of data, from questionnaires and plan documentation to findings from external data searches. Human oversight can be flawed and incomplete, and the risk of error or bias increases with higher volumes of data and the repetitive nature of the monitoring tasks. Subtle details can be overlooked, patterns may go undetected, and important signals may be missed. The monotonous and repetitive nature of the manual work involved, the periodic nature of ongoing checks, and the lack of external validation (i.e., assessment is mostly based on what a supplier says) invite costly errors.
Compounding this problem is the fact that current methods of data collection, such as questionnaires, provide only a pinhole view of a third party, limited by the questions asked, and the way the third party has chosen to present the answer at the time of the questionnaire. A better source would be the third party’s internal documents, such as business continuity plans (BCP) and other operative documents that contain much more valuable data than the questionnaire. For example, a questionnaire may not have asked the third party about its readiness to handle a pandemic like COVID-19 – but the company’s BCP probably would have held the answer. This might also prove useful for the third parties, since answering a questionnaire takes more time and effort than providing an existing document.
Applying Digitization to the TPRM Program
This intensity of change requires banks to manage and harness the power of their data as quickly as new threats are identified. Risk managers can now leverage advanced technologies to apply a greater level of automation and intelligence to TPRM, including cognitive computing technologies like AI and NLP used to augment TPRM processes and power performance alongside human thought processes and traditional analytics. In fact, risk management lends itself particularly well to these capabilities, as risk issues frequently include unlikely and/or ambiguous events. This helps financial institutions strengthen their TPRM programs to anticipate, identify and adapt to the accelerated risk environment.
AI-driven digital TPRM technology can help by orchestrating and automating the TPRM program, from initial assessment to continuous monitoring and mitigation. AI is uniquely able to handle and evaluate unstructured data, enabling these solutions to extract data from questionnaires, evidence documents, financial stability sources, cyber posture or the deep web and turn it into actionable insights about a bank’s risk exposure to online assets, fourth parties, people, locations and other vulnerabilities.
Advanced analytics can also provide financial institutions with real-time visibility into their concentration risk and the domino effects that follow when a risk event occurs. AI-driven TPRM technology can enable risk managers to model the potential cascading effects of a risk event across their supply chain by allowing users to view concentration risk by whatever aggregator they choose, such as geographic location, fourth parties or other vulnerabilities.
This eliminates much of the manual work that burdens third-party risk management subject matter experts, freeing up resources to enable them to focus on business-critical activities such as risk mitigation and customer experience. This is critically important for smaller community banks and credit unions that often face a technology skills gap.
The complexity of outsourced services and other third-party relationships can bring increased uncertainty and new threats to banks. But non-financial risks are also evolving. Consider the extraordinary series of “black swan” events of the last year alone:
- COVID-19 moved entire organizations to a remote workstyle that introduced untold IT risks.
- SolarWinds customers were exposed to a sustained, critical-level data event for months.
- A shipping mishap in the Suez Canal triggered worldwide supply chain disruptions.
These high-impact events are happening with increasing frequency, enough to be considered part of the new normal. Banks can apply new tools and technologies to their TPRM programs to make them more intelligent and responsive to today’s growing risk environment.
Today’s increasingly competitive business climate requires an efficient TPRM program that enables banks to keep up with changing market dynamics. It also helps speed up important yet slow processes, like vendor onboarding, in a potentially more secure way. The best way for banks to operate more intelligently when it comes to risk is to be better prepared for it by applying technologies that can effectively leverage the available data to more quickly define, assess and prevent risk.
About Aki Eldar
CEO and co-founder of Mirato, entrepreneur, mentor and high-tech executive, Aki Eldar brings to Mirato more than two decades of senior-level management experience as CxO and CEO of Variance Technologies. Aki worked for the Israeli government and was the founder & CEO of Secure Islands Technologies, which was acquired by Microsoft (NASDAQ: MSFT). Aki’s professional expertise and proven track record have led to cumulative sales in the hundreds of millions of dollars spanning multiple global industries, ranging from cybersecurity to enterprise software, telecommunication, networking and defense.