Book 3. Operational Risk

FRM Part 2

OR 13. Case Study: Third-Party Risk Management

Presented by: Sudhanshu

Module 1. Third-Party Risk Management and Responsibilities

Topic 1. Overview of Third-Party Risk Management

Topic 2. Key Risks Associated with TPRM

Topic 3. TPRM Life Cycle

Topic 4. Third Party Case Studies

Topic 5. Capital One

Topic 6. Morgan Stanley

Topic 1. Overview of Third-Party Risk Management

  • Definition: Identifying, monitoring, and assessing risks arising from using external entities (vendors, contractors, service providers, suppliers, business partners).
  • Scope: Extends beyond third parties to the entire supply chain, including fourth parties (third parties of third parties) and even fifth parties.

  • Why Engage Third Parties?
    • Cost Savings: Outsourcing to specialized firms with competitive advantages in systems and processes.

    • Risk Mitigation: Contracting with experts to reduce operational and other risks, such as process and data errors.

  • Key Risks Associated with Third Parties:
    • Service quality issues and disruptions
    • Fraud
    • Data and compliance breaches
    • Leaks of sensitive or confidential information
    • Intellectual property theft
    • Espionage
  • Additional Risks (Offshore Vendors): Country, legal, and compliance risks.

  • Growing Importance of TPRM

    • Increased outsourcing of core processes (e.g., loan processing, electronic fund transfers, payroll, treasury management).

    • Accelerated by IoT devices and the COVID-19 pandemic.

    • Criticality: Storing and protecting sensitive data (e.g., Avanti Markets vending machine hack).

  • Statistics

    • Nearly 60% of firms experienced a data breach through third parties.

    • 77% of firms have limited visibility into their third parties.

    • 80% experienced at least one breach related to third parties in the last year.

Topic 2. Key Risks Associated with TPRM

Topic 3. TPRM Life Cycle

  • The TPRM process consists of five key stages:
  • Stage 1: Business Model Decision
    • Purpose: Decide whether and which activities should be outsourced versus kept in-house.

    • Consideration: Firm's risk appetite.

  • Stage 2: Evaluation, Risk Rating, and Due Diligence
    • Purpose: Proper due diligence on new third-party relationships.

    • Principle: Proportionality – more complex/long-term arrangements (e.g., cloud hosting) require more extensive due diligence than short-term/less complex ones (e.g., a one-day consultant).

  • Stage 3: Contracts, Service Level Agreements (SLAs), and Contract Management
    • Purpose: Formally define responsibilities and expectations of each party.

    • Benefits: Reduces ambiguity, defines quality and timing, clarifies tasks and functions.

    • Best Practices:

      • Assess and remediate all open issues before signing.

      • Periodically review contracts and address deficiencies.

      • Establish limits on outsourcing to third and fourth parties.

      • Include audit rights on vendors for continuous monitoring.

    • Example: Adapting contracts for offshore call centers during COVID-19 to allow remote work.

  • Stage 4: Ongoing Monitoring

    • Purpose: Continuously assess third-party and outsourced relationships.

    • Efficiency: Robust earlier stages reduce the need for frequent reassessment.

    • Triggers for Reassessment:

      • Data breaches and incidents

      • Legal or regulatory changes

      • Changes in business circumstances (mergers, acquisitions)

      • "Acts of God" (natural unavoidable circumstances, highlighted by COVID-19).

    • Benefit of Triggers: Provide an effective exit strategy.

  • Stage 5: Remediation or Termination
    • Purpose: Manage the conclusion of third-party relationships.

    • Standard: Relationships typically end when contracts expire.

    • Good Practice:

      • Include a grievance period.

      • Define an exit strategy.

      • Include a termination clause allowing firms to end contracts when processes wind down, circumstances dictate, or regulations change.

      • Clearly define the proper transfer of intellectual property from third parties back in-house.

Practice Questions: Q1

Q1. Establishing limits on third-party and fourth-party vendor outsourcing would be considered under which of the following third-party risk management (TPRM) steps?
A. Business model decision.
B. Remediation or termination.
C. Evaluation, risk rating, and due diligence.
D. Contracts, service level agreements, and contract management.

Practice Questions: Q1 Answer

Explanation: D is correct.

The third phase in the life cycle of TPRM relates to contracts, service level agreements, and contract management. This phase includes establishing and defining the terms of contracts for third-party (or fourth-party) arrangements, including establishing standards or limits on outsourcing.

Practice Questions: Q2

Q2. Which of the following tasks is not one of the life cycle stages of third-party risk management (TPRM)?
A. Business model decision.
B. Evaluation, risk rating, and due diligence.
C. Management of third- and fourth-party vendor relationships.
D. Contracts, service level agreements, and contract management.

Practice Questions: Q2 Answer

Explanation: C is correct.

The TPRM process has five steps: (1) business model decision, (2) evaluation, risk rating, and due diligence, (3) contracts, service level agreements, and contract management, (4) ongoing monitoring, and (5) remediation or termination. Management of third- and fourth-party vendor relationships is an overall component of TPRM and not a specific life cycle stage.

Topic 4. Third-Party Case Studies

  • There are two interesting case studies discussed in this section relating to vendor risk management:

    1. A data breach at the bank Capital One by a former third-party vendor employee, and

    2. Weak third-party controls at the financial services company Morgan Stanley.

  • Both cases highlight the relationship between data security and TPRM.

  • They also illustrate that the ultimate responsibility for any risks rests with the institution using third-party vendors because that accountability is not transferable.

Practice Questions: Q3

Q3. A key conclusion from the Capital One and Morgan Stanley case studies is that accountability for operational risk:
A. is not transferable.
B. ultimately rests with the third-party vendor.
C. ultimately rests with either the third-party vendor or subcontractor, whichever experienced the risk control problem.
D. is a fully shared responsibility between the company using third-party vendors and the third-party vendors themselves.

Practice Questions: Q3 Answer

Explanation: A is correct.

The accountability for risk control problems rests with the company that uses third-party vendors. Although third-party vendors and subcontractors should share some of the blame for risk control breakdowns, the ultimate responsibility rests with the company that outsources its services to third parties.

Topic 5. Capital One Case Study

  • Background
    • Incident: Data breach through Amazon Web Services (AWS), a third-party cloud services provider.
    • Date: July 2019.
    • Perpetrator: Former AWS employee.
  • The Breach
    • Method: Exploited a weakness in the AWS system's firewall.
    • Stolen Data: Data on roughly 100 million U.S. bank customers (plus many international customers), including 140,000 Social Security numbers and 80,000 bank account numbers.

    • Vulnerability: Both Capital One and AWS knew about the system's vulnerabilities but continued to store the data unencrypted, so the stolen data was immediately usable.

  • Consequences
    • Fine: $80 million in 2020 by the U.S. Office of the Comptroller of the Currency (OCC).
    • Reason for Fine: Failure to adequately identify and manage risks related to vendor services (e.g., moving data to the cloud with AWS) prior to the breach.

    • OCC Findings: Capital One had weak risk management controls and failed to detect/address vulnerabilities, even after a 2015 internal audit missed several control weaknesses.

Topic 6. Morgan Stanley Case Study

  • Background
    • Incident: Risk management deficiencies related to third-party vendors and the decommissioning of two wealth management business data servers.

    • Date of Fine: 2020.

    • Regulator: Office of the Comptroller of the Currency (OCC).

  • The Deficiencies (2016 and 2019)
    • Failure 1: Did not properly assess and address risks related to decommissioning hardware.

    • Failure 2: Failed to properly assess the risk of using third-party vendors and subcontractors, and did not adequately monitor their performance.

    • Failure 3: Failed to maintain a proper inventory of customer data.

  • Consequences
    • Fine: $60 million by the OCC.

    • Trigger: Morgan Stanley began notifying wealth management customers in July 2019 that disposed computer hardware still contained confidential customer data.

Copy of OR 13. Case Study- Third-Party Risk Management

By Prateek Yadav
