Operational Resilience: Vendor Risk Management and Due Diligence

PART 4

Operational disruptions have the potential to threaten the viability of firms causing instability to the products and services that they provide. The impact this can have to consumers and market participants is far reaching and wide as we have witnessed with the onset of the pandemic and other significant and notable market events affecting the financial system in recent years.

As we continue to work with firms in helping them prepare and respond to such unforeseen events we have provided you with an overview of Operational Resilience, Outsourcing and Third Party Risk Management and Identifying Important Business Services. Today, our Senior Director and Regulatory Compliance Lead, Lindsey Domingo at Xcina Consulting, highlights the importance of the requirements for firms to perform appropriate and proportionate due diligence on all potential service providers and to assess the risks of every outsourcing arrangement. We outlined the regulatory expectations and concept of materiality in our edition on Outsourcing and Third-Party Risk Management. But what is due diligence and how does it relate to risk management?

PART 5 | IMPACT TOLERANCES >>

Understanding due diligence and how it supports risk management

A risk assessment is a review conducted by an organisation to assess the hazards it may face in its activities, and to determine whether its policies, procedures and controls are adequate to reduce the potential impact of these risks to an acceptable level. Risk assessments are a component of the enterprise risk management framework.

Depending on the nature of the initiative or transaction being considered, the risk assessment may look at a variety of firm-wide risks. We cover some of the key areas below:

Risk Management

Risk assessment and due diligence are separate concepts, but they are interrelated and work together. Due diligence is a form of risk assessment. Before proceeding further with a complex acquisition or business venture, it makes sense to try and uncover or confirm any risks and benefits associated with the asset or new initiative. This examination serves to:

Provide assurance on the value or viability of the project or purchase by analysing strengths and weaknesses and
Weigh possible risks they may pose to the organisation.

The outcome and recommendations from the due diligence would be fed back into the relevant risk assessment.

In principle, it is possible to undertake a risk assessment without undertaking specific due diligence. This would normally be the case in relation to transactions, projects or business partners which are likely to present a low level of risk. Whilst it is possible for a risk assessment to stand alone without due diligence, the latter is usually employed in cases where the firm is assessing risk and requires further information to complete its assessment accurately and thoroughly.

Both risk assessment and due diligence can be undertaken at different levels.

An overview assessment, which looks in general terms, at the risks faced by the organisation in relation to its overall activities.
A focused assessment which examines in depth a specific country, transaction, project or business partner.

The following diagram depicts the typical steps involved in a due diligence process:

Risk Management

Types of due diligence

There are different types of due diligence with specific areas of focus. These range from traditional areas like tax, finance, and law to digital security, social and environmental responsibility. When contemplating a material transaction or business relationship, it is usually recommended to cover all or most of these aspects, as any significant risks that materialise can quickly have a negative impact on business and reduce any benefits. Types of due diligence include the following:

Risk Management

Vendor Risk Assessment and Vendor Due Diligence

Vendor due diligence is an assessment process designed to obtain assurance that the service provider is suitable. It is an important component of an effective third-party risk management process whereby firms manage their third-party dependencies for the delivery of critical operations.

During the due diligence process, a firm is expected to collect and analyse information to determine whether third-party service provider relationships would support its strategic and business goals and whether the relationship can be implemented in a safe and sound manner, consistent with applicable legal and regulatory requirements.

The scope of Vendor Risk Assessments and Vendor Due Diligence would typically cover the following aspects: financial, operational capacity, information security and data protection, legal and regulatory compliance, geographical, concentration risk, certifications, reputation, technical infrastructure, capabilities, as well as cultural fit and integration with the organisation’s processes.
Before entering into, or significantly changing, an outsourcing arrangement, a firm is expected by the regulators to:

Analyse how the arrangement will fit with its organisation and reporting structure, business strategy, overall risk profile, and ability to meet its regulatory obligations.
Examine whether the agreements establishing the arrangement will allow it to monitor and control its operational risk exposure relating to the outsourcing.
Conduct appropriate due diligence of the service provider’s financial stability and expertise
Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on contract termination).
Give regard to any concentration risk implications such as the business continuity considerations that may arise if a single service provider is used by several firms.

Where the vendor due diligence and/or risk assessment establish that the firm’s existing policies, procedures and controls are not adequate to reduce the assessed risks to an acceptable level, the policies and procedures should be strengthened and/or additional countermeasures need to be implemented. Such risk mitigation measures could, for example, include putting in place additional monitoring, requiring a more senior level of management approval or specific contractual clauses and conditions.

Service providers that would fall within scope of the vendor due diligence process could be upstream or downstream, and might include:

Risk Management

Consequences of not conducting adequate Third-Party Due Diligence

Take the example of a provider which is considering bidding for a major contract to provide business services. It undertakes due diligence on its prospective client and discovers that one of the latter’s key shareholders is under investigation for a major fraud. If the shareholder did undertake this fraud and the client uses some of the proceeds to finance the contract, then the provider would be paid out of the proceeds of crime. The provider may therefore become involved in a money laundering transaction with potential criminal consequences for them.

Merely identifying the existence of the risk does not mean that the factors identified are necessarily true or will materialise. However, the organisation must give careful consideration to the risk, and to the likely effectiveness of its own policies and procedures to prevent this risk from occurring. The firm should only proceed with the contract if it believes the residual risk to be sufficiently low and that it is a reasonable business decision to proceed.

Firms need to be satisfied that any third-party service provider has at least, equivalent internal controls and operational resilience conditions to safeguard its business services when outsourcing critical or important operational functions.

Case Study 1: Asset Manager

The following table provides examples of outsourcing arrangements in place between an asset manager and third-party service providers, including the potential impact of disruption which could follow a failure to conduct adequate due diligence.

Risk Management

Firms retain full responsibility for the effective governance and management of any risks to which the firm is exposed as a result of reliance on third parties. Hence, the regulators would be unlikely to take a lenient approach in the event of a failure to conduct adequate due diligence on service providers.

Case Study 2: R. Raphael & Sons PLC (“Raphael”) – UK Bank

The table below provides summarised extracts from the Final Notices issued by the FCA and PRA to R. Raphael & Sons PLC (“Raphael”), a UK bank, on 29 May 2019, in relation to failures by its Payment Services Division (“PSD”) to manage the operational responsibilities of the prepaid card (or charge card) programmes (“Card Programmes”). The noted failings also serve to illustrate the level of due diligence expected by the regulators.

Risk Management

Case Study 3: UNAT DIRECT Insurance Management Ltd (“UNAT”) –
Insurance intermediary

The table below provides summarised extracts from the Final Notice issued by the FCA to UNAT DIRECT Insurance Management Ltd (“UNAT”), an insurance intermediary, on 19 May 2008, in respect of failures associated with making arrangements for the sale of an associated insurers’ general insurance products (in particular personal accident insurance policies) to consumers through third-party call centres (“General Insurance Products”).

Risk Management

Applying the right level of Due Diligence

Simplified versus Enhanced Due Diligence

Regulators expect an enhanced level of due diligence to be carried out for material outsourcing and material third-party providers.

Simplified due diligence: Where a third-party arrangement is likely to be low risk and not material, simplified analysis may be sufficient to inform the risk assessment. Methods such as online research of publicly available information, screening against databases and basic financial analysis may provide the required assurance.

The PRA supervisory statement on Outsourcing and Third-Party Risk Management expects due diligence to consider whether potential service providers:

Have the authorisations or registrations required to perform the service
Comply with GDPR, the Data Protection Act, and other applicable legal and regulatory requirements on data protection
Can demonstrate certified adherence to recognised, relevant industry standards
Can provide relevant certificates and documentation
Have the ability and capacity to provide the service that the firm needs in a manner compliant with UK regulatory requirements (including in the event of a sudden spike in demand or shift to remote working).

Enhanced due diligence: Material third-party and outsourcing arrangements generally represent a greater risk. In this situation, regulators expect firms to conduct an enhanced level of due diligence which notably considers the potential provider’s:

Business model, complexity, financial situation, nature, ownership structure and scale
Capability, expertise and reputation
Financial, human, and technology resources
ICT controls and security
Sub-outsourced service providers.

Initial versus Ongoing Due Diligence

Risk assessment and due diligence are not just something you conduct at the point of onboarding.

Risk Management

Onboarding Vendor Due Diligence is carried out when you intend to enter into a long-term relationship with suppliers or place significant orders. A due diligence review helps assess the risks associated with the potential supplier.

Due diligence in the context of onboarding not only includes the risk assessment before you enter into a business relationship, but also the necessary diligence when you integrate and introduce providers into your processes.

Ongoing due diligence and Vendor Risk Management are carried out in the course of the business relationship. The reviews typically take place at regular intervals, and as soon as you become aware of a red flag. Regular reviews of this kind ensure that your service delivery standards are not disrupted and continue to be met.

In relation to vendors and other business associates, the firm may choose to undertake a regular risk assessment of associates by vendor category (e.g. high, medium and low risk). Determining the appropriate categorisation and frequency would depend on various factors such as:

Amount spent or budgeted
Frequency of purchases
Is it considered strategic?
Materiality and outsourcing considerations including the criticality of services, the nature of data processing and likely interaction with the firm’s customers.

Top Six Tips and Points for Attention

How to make risk assessments and due diligence more effective

In summary, the main purpose of vendor due diligence is to inform risk assessments, and specifically allow firms to:

Due diligence should be tailored to the extent of the risk. Effective due diligence is largely a matter of good training and judgment. Due diligence cannot be so thorough and expensive that it results in a business relationship or project not being cost effective.
All risk cannot be avoided, and not all weaknesses of the organisation under examination may be uncovered. The aim of due diligence is a reasonable and proportionate level of enquiry into the specific aspect to enable a decision to be made as to whether the risk is low enough for it to be a reasonable business decision to proceed or continue with a project or business relationship.
Due diligence checklists and questionnaires can facilitate the process. Similarly, there are various supplier assurance standards for assessing third parties. Technology can also help streamline the due diligence and risk management processes. However, it is important for the scope and approach to be tailored to the specific vendor and situation. This is where good judgment and experience come in.
Due diligence has often been primarily Finance or Compliance-led. However, to be effective, it is likely to require a broader range of skillsets. In-house or external specialists should be involved where required to demonstrate due process and reasonable steps. It may not be cost-effective for a firm to develop and maintain all the required expertise in-house. External consultants specialised in due diligence are trained and experienced in identifying risks rigorously and efficiently.
In order to be effective, vendor risk assessments should be geared towards taking full ownership of the risks and should not follow a tick-box approach. This implies gaining a good understanding the vendor itself, not just assigning a RAG or Tier rating. Effective ongoing risk management also has implications in terms of:
- How frequently we engage with critical vendors (more frequent touchpoints)
- The quality and content of the interactions in order to pick up any early warning signs and leading indicators (as opposed to only relying on traditional lagging measures such as quality of service).
- The internal organisation, dedicated resources and skillsets required to support a robust risk management process.
In the context of Operational Resilience, firms need to focus on outcomes, think through severe but plausible scenarios with critical third parties and be able to provide evidence of reasonable steps and oversight exercised by Senior Management.

When must vendor due diligence and risk assessments be performed?

Initial vendor due diligence and risk assessment must be conducted prior to entering an agreement with an outsourcing or material third-party provider. During the course of the contractual relationship, due diligence and risk assessment must be carried out on an ongoing basis. The frequency of these ongoing assessments will be determined by the risk and materiality of the relationship as well as the nature of the products or services involved and any red flags that may come up.

Firms in scope are required to comply with the Outsourcing and Third-Party Risk Management obligations by 31 March 2022. Outsourcing arrangements entered into after 31 March 2021 should meet the expectations, including those relating to due diligence and risk assessment, by 31 March 2022. Any legacy outsourcing agreements should also be aligned to meet the expectations.

Conclusion – Why and when to perform Vendor Due Diligence?

Why is vendor due diligence required?

In summary, the main purpose of vendor due diligence is to inform risk assessments, and specifically allow firms to:

Assess whether its customers’ business objectives and requirements can continue to be met through an outsourcing arrangement.
Evaluate a third-party service provider’s expertise and ability to deliver the services to be outsourced.
Understand the costs and practicalities of service delivery.
Ascertain the risks of entering into an outsourcing arrangement.
Establish a level of cultural and organisational fit with the third-party service provider’s organisation.

When must vendor due diligence and risk assessments be performed?

Initial vendor due diligence and risk assessment must be conducted prior to entering an agreement with an outsourcing or material third-party provider. During the course of the contractual relationship, due diligence and risk assessment must be carried out on an ongoing basis. The frequency of these ongoing assessments will be determined by the risk and materiality of the relationship as well as the nature of the products or services involved and any red flags that may come up.

Firms in scope are required to comply with the Outsourcing and Third-Party Risk Management obligations by 31 March 2022. Outsourcing arrangements entered into after 31 March 2021 should meet the expectations, including those relating to due diligence and risk assessment, by 31 March 2022. Any legacy outsourcing agreements should also be aligned to meet the expectations.