What are Third-Party and Concentration Risks?
The external risks posed by the network of external suppliers and vendors are divided into two main categories: third-party risk and concentration risk.
Third-party risk
Third-party risk refers to the potential points of failure that arise directly from the firm’s reliance on third parties. This includes using third-party vendors for cloud-based services or using external consultants instead of developing solutions in-house. The greater the reliance on third parties, the greater the potential increase in financial, operational or reputational risk. Third-party risks such as cybersecurity attacks, poor internal controls or a lack of oversight can undermine the operational resilience of the firm and cause disruption or damage to the firm and its customers.
Concentration risk
Concentration risk, on the other hand, is a specific kind of risk that many financial services firms face as they rely on the same provider for certain functions, such as cloud-based services. If multiple firms in the same financial market are using the same service provider, this becomes a critical point of failure. If this service provider has a security breach, failure or major incident, the impact on multiple financial services firms could be catastrophic. The effect of these impacts could then extend to the wider financial markets, categorising it as a systemic risk.
How Can Firms Protect Against Third-Party and Concentration Risks?
Effectively managing external risk will require a proactive approach, and firms should tackle third-party risk and concentration risk in slightly different ways:
Mitigating Third-Party Risk
The first and most important step in mitigating third-party risk is to identify and assess any potential risks posed by past, present or future third parties. This will involve rigorous due diligence and thorough oversight of the entire supply chain. There must be a contract between the firm and each third-party supplier that sets out the agreed data-processing arrangements and the supplier’s obligations. This ensures that all third parties are operating in line with the most robust requirements. It also gives them a framework for managing the risks posed by their own suppliers (fourth-party risk). The best way to approach this is to create and maintain centralised documentation that all suppliers have access to, outlining the best-practice approach for every potential situation.
Mitigating Concentration Risk
The wider goal of mitigating concentration risk will involve advanced scenario planning and must also take into consideration the scenario planning for the wider markets. Firms should identify clear exit strategies for disruptions or failures and collaborate with competitors to ensure the market as a whole is protected in the event of a catastrophic failure. Firms should actively engage in industry initiatives such as the provision of assurances and authorisations for third parties, and consider failure of concentrated services as a severe but plausible scenario.

Managing third-party risk is now a central pillar of risk management, and firms must demonstrate their commitment to this process to stay compliant. As part of this process, detailed mapping and enhanced oversight should be implemented, along with the creation of a supplier register. Regular and robust risk assessments and dependencies must be meticulously documented and regularly updated.

Firms that comply with these requirements and manage these risks will be best placed to prepare for, prevent and mitigate third-party and concentration risk in an increasingly outsourced world. Third-party and concentration risks are now regulatory priorities.
Contact Novatus Global to strengthen your oversight frameworks and safeguard resilience across your supply chain.