Did you say that there is Fourth Party Risk Management?!

The previous article, titled “What is the difference between Operational Resilience and Business Continuity Management (BCM)?”, highlighted that the scope of operational resilience is not limited to internal stakeholders and departments. It also includes external market players: third and fourth parties (vendors) and outsourcing companies.

This article is important for the following reasons:

  • Achieving an operational resilience approach is essential nowadays, especially given the dynamic changes in technology and the unprecedented risks (e.g. the COVID pandemic, cybersecurity, etc.) that all companies face. Accordingly, no one denies that effective management of outsourcing companies contributes dramatically to an organization’s success.
  • Moreover, the Basel Committee currently monitors the risks arising from third and fourth parties, and it is going to publish guidelines and regulation regarding them (especially 4th parties). The Basel Committee is also revisiting the implementation of its operational risk and operational resilience principles.

Surprisingly, the Basel Committee has not defined third party risk management in its previous publications, namely the operational resilience and/or operational risk principles!

Anyway, based on observation, it can be defined as the losses, damages or disruption that take place due to a failure by outsourcing, vendor or contractor companies that are responsible for providing a service to an entity or a financial institution.

On the other hand, to elaborate on what a fourth party is, let’s consider the following example:

Do you think a car manufacturer, e.g. BMW, produces every part of a car? Definitely not; BMW relies on vendors. For example, BMW relies on an outsourcing company (3rd party) to manufacture an engine based on BMW’s specification and design.

Again, do you think this outsourcing company is responsible for producing every element of the engine? No, since an engine has many components that a single company cannot handle on its own. Therefore, this outsourcing company will delegate the production of an engine component (e.g. the turbo) to another vendor. That vendor is the fourth party, an arrangement also known as sub-contracting or the vendor’s vendor.

So, the Basel Committee may set standards and regulation regarding 4th party risk management as follows:

  • First, the Basel Committee may define what a fourth party is and may set boundaries between 3rd and 4th parties to remove potential confusion.
  • Second, under the governance section, the Basel Committee may highlight the importance of involving the Board of Directors (BOD) and Senior Management (SM) to define:
      o Strategic 4th parties, which are essential to a bank.
      o The main standards for deciding whether a 4th party is strategic, critical, or non-critical.
      o BOD and SM shall monitor the activities of the strategic 4th parties on a periodic basis (it is believed that it would be on a monthly basis).
      o The importance of entering into partnerships with 4th parties.
      o Also, how to make sure the 4th parties do not violate regulation and standards.
          ▪ I mean, do you remember when Apple discovered that one of the Chinese vendors in its supply chain employed several children? At that time, Apple was exposed to severe reputational risk (regardless of whether it was a 3rd or 4th party).
          ▪ Therefore, the Basel Committee will do its best and apply strict regulations to avoid similar incidents.

  • The Basel Committee will govern the accountability of the concerned business line, which will be the operational risk department, and how it handles 4th parties.
  • The Basel Committee may be inspired by the standards for handling 3rd parties published by the Federal Reserve System in December 2013 (Supervisory Letter SR 13-19/CA 13-21), and will use them to forge its 4th party standards.
  • In this paper, the Federal Reserve established standards for handling third parties based on the following main pillars:

[Image: pillars of the Federal Reserve standards for handling third parties, prepared by Hesham Abdel-Salam]

Finally, Basel will enhance regulation and guidelines by considering offshore 4th parties (a.k.a. foreign-based service providers). Besides what is mentioned above, Basel will indeed answer the following questions:

  • How to make sure offshore 4th parties are not violating international regulation (e.g. money laundering, tax evasion (FATCA), child labor, etc.)?
  • How to enhance internal controls for such companies?
  • Will financial supervisors and central banks have access to the foreign-based service provider to conduct audit missions? (Hint: there will be difficulty due to central banks’ jurisdiction.)
  • How about transferring 4th party risks through insurance companies?

So, guys, what do you think? Please add comments on how to manage 4th party risks :)

References:

https://www.bis.org/publ/bcbs_nl28.htm

https://www.theguardian.com/technology/2013/jan/25/apple-child-labour-supply

Heba Shaltout, ORM, CBCI

Risk Management - (Operational Risk & Business Continuity) @ CBE

1 year
Duaa Khaled

|Operational Risk|ELP, AUC |MBA,AAST|ORM, PRMIA| SDGs Ambassador | Climate Ambassador, UNIDO |Certified Trainer, NIGSD & Ministry Of Planning And Economic Development|

1 year

And this will never end; it can extend to a seventh party. I was reading this article, you can check it :) https://www.ncontracts.com/nsight-blog/first-second-third-fourth-and-fifth-parties-how-to-measure-the-tiers-of-risk

Begad Eleish

Data-Driven Risk Strategist | Fraud Management Specialist | Leveraging AI & Data Analytics for Risk Mitigation | Empowering Strategic Decisions | Instructor

1 year

Great article Hesham Amin FRM, ORM! Thanks for sharing this valuable insight on fourth party risk management. It's an important aspect that often gets overlooked. Keep up the good work!
