Third-party risk reporting in financial services: navigating the need for greater insight

Fragmented system and data landscape

Effective third-party risk management (TPRM) requires the synthesis of data that is typically stored in systems including sourcing, finance and TPRM. Often the existing data architecture does not support easy integration of data from these fragmented sources. 

Two challenges are particularly noteworthy:

• The 'supplier' view: Third-party arrangements are recorded in systems either by supplier, by contract, or by service. Different systems record one or more of these elements as their primary key, but there is no consistent and reliable mapping between the three elements.
• The ‘consumer’ view: Across a group, third-party services are consumed by different legal entities and business units. There is no systematic record of who consumes what, which hinders both the production of effective management information for business units and the ability to report by legal entity to regulators.

Addressing these challenges does not necessarily entail extensive investment in tooling and re-architecting of the systems landscape, but where such investment is underway it should account for these objectives. In the absence of such investment, firms can develop mappings between suppliers, contracts, services and consumers, but must implement strong maintenance controls for these.

Maintenance of data quality

One-off data remediation exercises can only improve data quality on a temporary basis. Without ongoing and effective data governance, data quality will quickly deteriorate again, undermining the investment in remediation and preventing reliable reporting.

Ownership definition for data relevant to TPRM has often been neglected, resulting in a lack of accountability for ongoing maintenance. Likewise, data quality controls may not be effective, meaning changes in arrangements are not reflected in the data.

Most firms will have a group-wide data quality framework but without this having been applied to TPRM data and systems. Doing so is an important step towards sustaining the quality of the information required by senior management and regulators alike. Firms can also seek better integration between their TPRM systems and their enterprise technology, enabling seamless access management and ownership definition to support better data quality controls.

Organisational challenges

Addressing data challenges and leveraging data to improve reporting requires teams to have appropriate systems and data skill sets, which can often be in short supply in traditional TPRM functions. Likewise, there may be cultural or organisational blockers that prevent successful remediation of issues and improvements in reporting quality.

Firms that tackle these issues directly through investment and education are best positioned to take advantage of the benefits that improved data quality and reporting capabilities can bring. Where organisational change programmes are planned or underway, they must take account of the need for these skill sets and appropriately prioritise them.

Future readiness

One of the most common inquiries we receive currently concerns the future of TPRM: how can firms make use of predictive analytics and generative AI to achieve higher-quality insights in their management of third-party risk? 

It is undoubtedly the case that these new technologies will allow for powerful approaches to be employed, but unless the quality of underlying internal data is addressed, the scope to generate meaningful insight will be severely limited. Firms can act now to ensure that they are in the best possible position to realise the benefits new technologies will bring, at the same time as they ensure they meet the baseline regulatory expectation.