Third-party risk management is increasingly important for (re)insurance and investment firms, many of which are turning to outsourcing for an array of technology and other services. Outsourcing is helping firms become more efficient, but it is also leading to challenges, including a recent increase in regulatory action for breaches such as poor supervision.
In light of increased scrutiny and to boost oversight, a number of (re)insurance and investment firms have instigated reviews of their third-party risk management frameworks. With programmes set to continue for the next few years, ORIC International and McKinsey have joined forces to benchmark progress and explore best-practice models.
Our research highlights good practices across the industry, but also certain areas of weakness. Those include a lack of common standards, and often a case-by-case approach to third-party risk management, in a diverse range of systems, policies and approaches used by firms. Also, coverage varies across the industry with some firms focusing on as few as ten counterparties, while others monitor several thousand – and much of this variation cannot be explained by size differences between the firms in question. Finally, the survey reveals a lack of completeness in oversight frameworks, with the most intense focus often falling on third-party selection and onboarding, while elements of the ongoing monitoring of established third-party relationships often receive much less attention.
Outsourcing has become an established way of working for (re)insurance and investment firms, and we expect it will continue to play an important role in the years ahead. Hence, organisations should adopt strategies that reflect a systematic approach and help build a comprehensive framework. Based on our research, we recommend four actions:
- Design an explicit third-party and/or supplier risk management framework, including a definition of ownership, governance and articulation of risk appetite that will lead to alignment among internal stakeholders.
- Extend the scope to all third parties and apply risk-based segmentation to determine the level of control required.
- Apply a proactive and comprehensive approach to third-party risk management, including ongoing monitoring and escalation processes.
- Invest in IT tools, like data management systems, end-to-end workflow tools and analytics to increase efficiency of and ensure consistency in the process.
On a cross-industry basis, we see an opportunity to define common third-party risk management standards, which will set a course for a more secure and efficient future. They could also bring benefits such as an increase in cybersecurity and improved data management.