Operational disruptions have the potential to threaten the viability of firms, destabilising the products and services they provide. The impact this can have on consumers and market participants is wide-ranging, as we have witnessed with the onset of the pandemic and other significant market events affecting the financial system in recent years.
As we continue to work with firms to help them prepare for and respond to such unforeseen events, we have provided you with an overview of Operational Resilience, Outsourcing and Third Party Risk Management and Identifying Important Business Services. Today, our Senior Director and Regulatory Compliance Lead, Lindsey Domingo at Xcina Consulting, highlights the requirement for firms to perform appropriate and proportionate due diligence on all potential service providers and to assess the risks of every outsourcing arrangement. We outlined the regulatory expectations and the concept of materiality in our edition on Outsourcing and Third-Party Risk Management. But what is due diligence, and how does it relate to risk management?
A risk assessment is a review conducted by an organisation to assess the hazards it may face in its activities, and to determine whether its policies, procedures and controls are adequate to reduce the potential impact of these risks to an acceptable level. Risk assessments are a component of the enterprise risk management framework.
Depending on the nature of the initiative or transaction being considered, the risk assessment may look at a variety of firm-wide risks. We cover some of the key areas below:
Risk assessment and due diligence are separate concepts, but they are interrelated and work together. Due diligence is a form of risk assessment. Before proceeding further with a complex acquisition or business venture, it makes sense to try and uncover or confirm any risks and benefits associated with the asset or new initiative. This examination serves to:
The outcome and recommendations from the due diligence would be fed back into the relevant risk assessment.
In principle, it is possible to undertake a risk assessment without undertaking specific due diligence. This would normally be the case in relation to transactions, projects or business partners which are likely to present a low level of risk. Whilst it is possible for a risk assessment to stand alone without due diligence, the latter is usually employed in cases where the firm is assessing risk and requires further information to complete its assessment accurately and thoroughly.
Both risk assessment and due diligence can be undertaken at different levels.
The following diagram depicts the typical steps involved in a due diligence process:
There are different types of due diligence with specific areas of focus. These range from traditional areas like tax, finance, and law to digital security, social and environmental responsibility. When contemplating a material transaction or business relationship, it is usually recommended to cover all or most of these aspects, as any significant risks that materialise can quickly have a negative impact on business and reduce any benefits. Types of due diligence include the following:
Vendor due diligence is an assessment process designed to obtain assurance that the service provider is suitable. It is an important component of an effective third-party risk management process whereby firms manage their third-party dependencies for the delivery of critical operations.
During the due diligence process, a firm is expected to collect and analyse information to determine whether third-party service provider relationships would support its strategic and business goals and whether the relationship can be implemented in a safe and sound manner, consistent with applicable legal and regulatory requirements.
The scope of Vendor Risk Assessments and Vendor Due Diligence would typically cover the following aspects: financial, operational capacity, information security and data protection, legal and regulatory compliance, geographical, concentration risk, certifications, reputation, technical infrastructure, capabilities, as well as cultural fit and integration with the organisation’s processes.
Before entering into, or significantly changing, an outsourcing arrangement, a firm is expected by the regulators to:
Where the vendor due diligence and/or risk assessment establish that the firm’s existing policies, procedures and controls are not adequate to reduce the assessed risks to an acceptable level, the policies and procedures should be strengthened and/or additional countermeasures need to be implemented. Such risk mitigation measures could, for example, include putting in place additional monitoring, requiring a more senior level of management approval or specific contractual clauses and conditions.
Service providers that would fall within scope of the vendor due diligence process could be upstream or downstream, and might include:
Take the example of a provider which is considering bidding for a major contract to provide business services. It undertakes due diligence on its prospective client and discovers that one of the latter's key shareholders is under investigation for a major fraud. If the shareholder did commit this fraud and the client uses some of the proceeds to finance the contract, then the provider would be paid out of the proceeds of crime. The provider may therefore become involved in a money laundering transaction, with potential criminal consequences for it.
Merely identifying the existence of the risk does not mean that the factors identified are necessarily true or will materialise. However, the organisation must give careful consideration to the risk, and to the likely effectiveness of its own policies and procedures to prevent this risk from occurring. The firm should only proceed with the contract if it believes the residual risk to be sufficiently low and that it is a reasonable business decision to proceed.
When outsourcing critical or important operational functions, firms need to be satisfied that any third-party service provider has at least equivalent internal controls and operational resilience conditions to safeguard its business services.
Case Study 1: Asset Manager
The following table provides examples of outsourcing arrangements in place between an asset manager and third-party service providers, including the potential impact of disruption which could follow a failure to conduct adequate due diligence.
Firms retain full responsibility for the effective governance and management of any risks to which the firm is exposed as a result of reliance on third parties. Hence, the regulators would be unlikely to take a lenient approach in the event of a failure to conduct adequate due diligence on service providers.
Case Study 2: R. Raphael & Sons PLC (“Raphael”) – UK Bank
The table below provides summarised extracts from the Final Notices issued by the FCA and PRA to R. Raphael & Sons PLC (“Raphael”), a UK bank, on 29 May 2019, in relation to failures by its Payment Services Division (“PSD”) to manage the operational responsibilities of the prepaid card (or charge card) programmes (“Card Programmes”). The noted failings also serve to illustrate the level of due diligence expected by the regulators.
Case Study 3: UNAT DIRECT Insurance Management Ltd (“UNAT”) – Insurance intermediary
The table below provides summarised extracts from the Final Notice issued by the FCA to UNAT DIRECT Insurance Management Ltd (“UNAT”), an insurance intermediary, on 19 May 2008, in respect of failures associated with making arrangements for the sale of an associated insurer's general insurance products (in particular personal accident insurance policies) to consumers through third-party call centres (“General Insurance Products”).
Simplified versus Enhanced Due Diligence
Regulators expect an enhanced level of due diligence to be carried out for material outsourcing and material third-party providers.
Simplified due diligence: Where a third-party arrangement is likely to be low risk and not material, simplified analysis may be sufficient to inform the risk assessment. Methods such as online research of publicly available information, screening against databases and basic financial analysis may provide the required assurance.
The PRA supervisory statement on Outsourcing and Third-Party Risk Management expects due diligence to consider whether potential service providers:
Enhanced due diligence: Material third-party and outsourcing arrangements generally represent a greater risk. In this situation, regulators expect firms to conduct an enhanced level of due diligence which notably considers the potential provider’s:
Initial versus Ongoing Due Diligence
Risk assessment and due diligence are not conducted only at the point of onboarding.
Onboarding Vendor Due Diligence is carried out when you intend to enter into a long-term relationship with suppliers or place significant orders. A due diligence review helps assess the risks associated with the potential supplier.
Due diligence in the context of onboarding not only includes the risk assessment before you enter into a business relationship, but also the necessary diligence when you integrate and introduce providers into your processes.
Ongoing due diligence and Vendor Risk Management are carried out in the course of the business relationship. The reviews typically take place at regular intervals, and as soon as you become aware of a red flag. Regular reviews of this kind ensure that your service delivery standards are not disrupted and continue to be met.
In relation to vendors and other business associates, the firm may choose to undertake a regular risk assessment of associates by vendor category (e.g. high, medium and low risk). Determining the appropriate categorisation and frequency would depend on various factors such as:
How to make risk assessments and due diligence more effective
Why is vendor due diligence required?
In summary, the main purpose of vendor due diligence is to inform risk assessments, and specifically allow firms to:
When must vendor due diligence and risk assessments be performed?
Initial vendor due diligence and risk assessment must be conducted prior to entering an agreement with an outsourcing or material third-party provider. During the course of the contractual relationship, due diligence and risk assessment must be carried out on an ongoing basis. The frequency of these ongoing assessments will be determined by the risk and materiality of the relationship as well as the nature of the products or services involved and any red flags that may come up.
Firms in scope are required to comply with the Outsourcing and Third-Party Risk Management obligations by 31 March 2022. Outsourcing arrangements entered into after 31 March 2021 should meet the expectations, including those relating to due diligence and risk assessment, by 31 March 2022. Any legacy outsourcing agreements should also be aligned to meet the expectations.