Save page

A round-up of third-party risk management regulations

26 Jun 2024

The pandemic turbocharged a pre-existing trend toward higher levels of third-party dependence, particularly dependence on cloud-service providers (CSPs) to perform mission-critical tasks. For context, a staggering 88% of Deloitte global survey respondents stated that they expect to have moderate to high levels of dependence on CSPs in the coming years.

As a result, regulators, particularly in the financial services industry, have been intervening.

Which regulators and which regulations? That’s what this article tackles, summarizing some of the most significant interventions in advanced markets.

Operational resilience: Impact tolerances for important business services

The first in the space, U.K. financial and prudential regulators put out operational resilience regulations in the late 2010s, whose effective date was subsequently delayed due to COVID.

Parsing out these regulations, we find that regulated entities are required to map their important business services and test their ability to remain within impact tolerances for the purposes of building operational resilience.

Bringing it back to third-party risk, compliance is expected regardless of whether the operational resources are being provided wholly or in part by a third party.

Indeed, mapping and testing on third parties is necessary, per the statute, for the entity and the supervisor to obtain an accurate understanding of the entity’s level of operational resilience.

The Digital Operational Resilience Act (DORA)

A binding EU regulation on digital operational resilience for the financial sector, DORA addresses potential systemic and concentration risks posed by the financial sector’s reliance on information and communication technology (ICT) third-party providers (TPPs).

Indeed, the very rationale for the regulation came from the clear emergence of ICT third-party risk as a key threat to digital operational resilience.

To regulate third-party risk, therefore, DORA requires entities to adopt and regularly review their ICT third-party risk strategies, as part of the broader ICT risk management framework.

Sound practices to strengthen operational resilience

Like their counterparts in the EU, U.S. regulators have also acknowledged that firms have become increasingly dependent on third parties for business-critical functions – third parties who are themselves vulnerable to disruption.

As a result, the Sound Practices to Strengthen Operational Resilience, which brings together already-existing regulations and guidance to better assist in the development of comprehensive approaches to operational resilience, requires measures like the following to promote the sound management of third-party risk:

Identify and analyze third-party risk of critical operations and core business lines
Prioritize third-party dependencies that are most significant and understand, manage, and mitigate risks
Periodically review reports of systems and controls and summaries of test results or other equivalent assessments of third parties

APRA CPS 230

APRA CPS 230 is a relatively new prudential standard designed to strengthen the management of operational risk in the Australian banking, insurance, and superannuation industries. It works by establishing minimum standards for managing operational risk, including updated requirements for service provider management.

What are the specific requirements for the management of service provider arrangements?

For one, regulated entities are being asked to maintain a comprehensive service provider management policy. That policy must cover how the entity will identify material service providers and manage service provider arrangements, including the management of material risks associated with the arrangements.

Finally, regulators have cottoned on to the explosion of third-party risk. In the financial services space, they’ve imposed stringent requirements on regulated entities to better understand and manage the third-party risk management lifecycle.

This article summarizes some – but by no means all – of the regulations. However, what’s clear from even this cursory look is that addressing this new regulatory environment will take robust third-party risk management measures.

What are some of those best-practice measures? Check out Noggin’s Introductory Guide to Third-Party Risk Management to find out.

A round-up of third-party risk management regulations

Operational resilience: Impact tolerances for important business services

The Digital Operational Resilience Act (DORA)

Sound practices to strengthen operational resilience

APRA CPS 230

What are the specific requirements for the management of service provider arrangements?

More on

Events

iluminr: Experience live microsimulations, AI & cyber focussed

Championing female leadership in resilience

GPG Edition 7.0 - PP5 - Enabling Solutions

News

Mentoring interview profile: Dionne Procter

Ensure preparedness with operational resilience

Patterns

You may also be interested in

Operational resilience: beyond theory

BCI Operational Resilience Report 2024 EMEA Launch

BCI Operational Resilience Report 2024

Case study: a real crisis that improved our business continuity planning and made us more resilient

Lessons learned: conducting an engaging and effective post-crisis debriefing

Learning from the past to prepare for the future

Resilience and innovation: building agility in ever-changing environments

Navigating the path to technology integration in resilience

Crafting realistic crisis scenarios in minutes with AI

BCAW+R Resilience questionnaire

BCAW+R White paper: Building proactive community resilience

ISO standards that contribute to resilience

BCI Membership Roadshows - EMEA

BCAW+R Poster: Staff awareness

BCAW+R Toolkit: Teams background

BCAW+R Toolkit: Email banner

BCAW+R Toolkit: Sponsored email signature

BCAW+R Toolkit: Sponsored Facebook image

BCAW+R Poster: Emerging technologies

BCAW+R Toolkit: Email signature

BCAW+R Poster: Learning from the past

BCAW+R Sponsored poster pack (for print)

BCAW+R Toolkit: Twitter / X image

BCAW+R Poster: Proactive resilience

BCAW+R Poster pack (for print)

BCAW+R Poster: Collaborating

BCAW+R Toolkit: LinkedIn image

BCAW+R Toolkit: Sponsored LinkedIn image

BCAW+R Toolkit: Facebook image

BCAW+R Poster: EDI

BCAW+R Toolkit: Instagram image

BCAW+R Toolkit: Wallpaper / screensaver

Transforming crisis exercises with AI: new insights and strategies

Foundations of enterprise resilience: leveraging the commonalities of operational resilience & risk

GPG Edition 7.0 - PP1 – Establishing a business continuity management system

Preparing for DORA: Automating ICT Risk Management for Operational Resilience

BCI Emergency & Crisis Communications Report 2024 EMEA Launch

BCI Emergency & Crisis Communications Report 2024

BCI Emergency & Crisis Communications Regional Outlook 2024 Europe

Operational Resilience: Lessons Learned & Key Strategies for Success