Policies and Resources


Third-party risk management is increasingly important for firms, many of which are turning to subcontracting for an array of technology and other services. Subcontracting is helping firms become more efficient, but it is also raising concerns.

In light of increased scrutiny, and to strengthen oversight, a number of firms have initiated reviews of their third-party risk management agendas. With programmes set to continue for years, the Kayndrex Foundation plans to benchmark progress and explore best-practice models.

Subcontracting has become an established way of operating for some firms, and we expect it will continue to play an important role in the years ahead. Hence, the foundation’s third-party risk management strategy reflects a systematic approach and helps build a comprehensive structure. Based on our research, we recommend four actions:

  • Design an explicit third-party and/or supplier risk management strategy, including a definition of ownership, governance, and articulation of risk appetite that will lead to alignment among internal stakeholders.
  • Extend the scope to all third parties and apply risk-based segmentation to determine the level of management required.
  • Apply a proactive and comprehensive approach to third-party risk management, including ongoing monitoring and escalation processes.
  • Invest in IT tools, such as data management systems, workflow tools and analytics, to increase the efficiency of the process and ensure consistency in it.

On a cross-industry basis, we see an opportunity to define common third-party risk management standards, which would set a course for a more secure and efficient future. They could also bring benefits such as improved cybersecurity and better data management.

While subcontracting brings many benefits, e.g., increased efficiency and scale, it also naturally increases the level of risk and the complexity of third-party relationships. Coupled with the increased length of agreements, on average five to seven years, the need for ongoing performance management becomes that much greater.

Financial and reputational risks have increased with more subcontracting, and regulators have focused on how firms manage their relationships with third parties, in some circumstances leading to clearer regulation.

Based on the foundation’s experience, the most successful third-party risk management strategies achieve excellence in nine dimensions: scope, segmentation, due diligence, management systems, scorecards and risk assessments, governance, organisation, policy agenda, and tools and data.

There are best practices for each dimension:

  • Scope: Firms should establish a comprehensive inventory of third-party relationships including subcontracting partners, suppliers of products and facilities (including third-party administrators), distribution partners, group-internal relations (associates, affiliates, joint ventures), and important fourth parties (contractors).
  • Segmentation: Segmentation of third parties should be risk-based and refreshed regularly so that resources are allocated efficiently to the relationships posing the highest risk. It should tie directly into a tailored approach for ongoing risk monitoring.
  • Due diligence: Onboarding and due diligence tests should be based on carefully designed rules, including an assessment of compliance with relevant regulations. Specific due diligence tests can be performed where warranted. Also, medium-sized to large institutions should put onboarding teams in place to identify risks based on materiality criteria.
  • Management systems: Management systems should include comprehensive lists of risks, escalation triggers (essential for the success of audit routines), and scorecards to monitor risk. Best practice is to maintain a master register of escalation trigger-points and their risk weights in each category relevant to all firms. That register can then be adapted to the particular circumstances of individual suppliers.
  • Scorecards and risk assessments: Based on a comprehensive inventory of risks, scorecards can help monitor compliance with regulations and performance relative to metrics. Scorecards should have the appropriate level of detail and highlight metrics that can be aggregated into an executive-level report. Supplier performance and behaviour should be continuously monitored, e.g., via on-site audits. The frequency and scope of performance monitoring and assessments can be differentiated based on segmentation, e.g.: ‘[In the Kayndrex Foundation, we apply] monthly risk-inclined attention. Concerns are flagged on a risk watch list and escalated to our executive risk committee where sufficiently serious.’
  • Governance: Effective governance involves establishing a natural owner for third-party risk management and ensuring he or she has appropriate powers. Governance can be centralised, decentralised or a mixture of both. Centralised governance typically leads to coherent application of standards, while decentralised governance is shaped mostly by organisational units. Escalation strategies are necessary to resolve differences and issues. Contingency plans should be formulated to deal with the classification or status of vital third parties.
  • Organisation: Firms should align their third-party risk management with their divisional and geographic setups and governance structures. There should be clearly defined roles and responsibilities, especially regarding due diligence, onboarding, auditing, and segmentation.
  • Policy agenda: Policy agendas provide guidance for all organisational units and functions. They should also clearly define a risk-based assessment.
    • A robust policy agenda includes:
      • An overarching third-party risk management policy that establishes common standards and a firm-wide management structure.
      • Third-party risk policies and procedures for functions, including compliance, finance, and procurement.
      • Regional policies tailored to local regulatory and legal requirements.
  • Tools and data: Commercially available data, as well as workflow, monitoring, and reporting tools tailored to the firm, support third-party risk management processes and accountability across all three lines of defence. The tools should perform three functions:
    • Track and monitor data
    • Aid workflow within and across organisational units
    • Give managers the right information to build an accurate picture of risk in near real time.

The different segments of the risk sector generally perform in line with each other. However, risk insurers stand out on most policy elements, particularly in the scope of their coverage, segmentation, governance, and tools and data.

Our analysis shows the following trends:

• Across the industry, there are only a few common standards in third-party risk management.

• Most firms have only a peripheral third-party risk management policy. Instead, they rely on case-by-case evaluations as well as a variety of systems, policies, and approaches.

• Coverage varies enormously, with some firms assessing only ten third parties while others consider several thousand – and much of this variation is not explained by differences in the size of the firms in question.

• Policies are mostly focused on selection and onboarding. There is much less focus on ongoing risk management once third-party relationships are in place.

Third-party risk management is increasingly important for firms as well as for the regulators supervising them. Our survey and research have shown that firms have made good progress. However, there is still room for improvement, especially in ensuring that:

• We have an effective third-party risk management strategy

• All third parties are covered, with an effective segmentation approach in place

• There is adequate focus on ongoing, post-onboarding monitoring and management of third parties

• Third-party risk management processes are supported by adequate tools.