Ey-Tprm-Covid-19 Third Party Resilience Response-Pov

This document discusses the impact of COVID-19 on third party risk management. It notes that the rapid spread of COVID-19 is impacting economic growth and market volatility, which has affected industries through weakening investment returns and potential adverse impacts on capital. From a third party risk management perspective, it is key to understand third party inventories, continue risk assessing third parties to recognize criticality for continuity of services, and evaluate challenges related to operational resilience, financial stability, and lessons learned from COVID-19. The executive summary outlines immediate TPRM actions and additional procurement concerns, as well as financial and non-financial risk exposures related to third parties during this time.

Third party risk management (TPRM)

COVID-19 impact on third party resilience

March 2020
Contents

Topic

1. Executive summary — Impact of COVID-19 on third parties and key questions 3

2. Background — COVID-19 and third parties 5

3. Key challenges and approach — Now, Next and Beyond 7

4. Now — Operational resilience of third parties 8

5. Next — Financial stability of third parties 9

6. Beyond — Learnings from COVID-19 10

7. Key contacts 11

Appendix 12

Page 2 Third party risk management (TPRM)


1. Executive summary — The impact of COVID-19 on third parties

The rapid spread of COVID-19 is impacting economic growth, and market volatility is increasing. This has impacted the industry
through weakening investment returns and a potential adverse impact on the capital position of financial institutions around the world.
From a TPRM perspective, it remains key to understand third party inventories and to continue risk assessing third parties to recognize
their criticality for continuity of services.

The immediate TPRM actions
► Evaluation of Critical and Tier 1 relationships for technology infrastructure challenges and financial health concerns
► Send a series of focused questions about their response to COVID-19, business impact and their planning for the future
► Critical global dependencies and location analysis as all countries go into and out of lock down scenarios
► Geographical load balancing of non-technical capacity and considerations for long term resource stress
► Laptop allocations and other infrastructure needs, which need to be provided internally before addressing third-party needs and remote access capabilities

Additional procurement concerns
► Firms are experiencing issues with conducting risk assessments and on-site supplier assurance
► Information security concerns change within distributed working scenarios
► For offshore entities, where suppliers have centres in less developed countries, there is limited confidence in the backbone infrastructure
► Review of material Master Service Agreements and contracts for Service Level Agreements and credit/penalty scenarios for enhanced close monitoring and governance
► Short and long term evaluation for stringency vs. leniency in enforcing contract obligations given working circumstances

Financial risk exposure
► Consider potential impact to third party’s P&L due to volatility in earnings, increased costs and loss in revenue
► Assess third party’s liquidity and capital impact due to global economic downturn
► Evaluate your own exposure to third party business interruption, supply claims and event cancellation claims

Non-financial risk exposure
► Understand third party landscape servicing your critical technology and cyber operations to prepare, sense, and respond to most forms of disruption
► Understand third party resilience; confirming alignment with your own plans, and how to communicate the “end” of the pandemic

How EY teams can help


► Now: Impact assessments for remote work, security operations, third and fourth party readiness for critical vendors and supporting contingency programmes, including
regulatory responses and process work-arounds (including automated access provisioning)
► Next: Testing to assess remote infrastructure and capabilities; including stress testing for financial impact and resilience
► Beyond: Enhancing your TPRM framework through enhanced awareness, reporting, technology and collaboration, learning from COVID-19



1. Executive summary — Key C-Suite questions related to third party resilience

To navigate this challenging environment, firms should focus on better communication, enhanced consumer relationships and more
transparency with customers and investors. In order to do so, it’s important that senior members of organizations consider the
following questions in relation to third parties and their resilience:

Questions related to third party resilience
1. Can you map your key third parties to impacted jurisdictions and industries?
2. Do you have standardised questions to ask of your third parties and who is reviewing their responses?
3. Do you have clear policies regarding the presence of third parties onsite and are you clear which of your third parties can operate remotely?
4. Do you know, talking to relationship managers, IT and facilities, which services you can’t afford to lose?
5. Are you clear which of your third parties perform any part of a critical economic function?
6. Do you have a method of understanding the supply chains of your third parties and where the second order effect may arise?
7. Can you quickly tell how many contracts, third parties, employees and other key relationships might be affected?
8. Do the “Force Majeure” or hardship clauses in your standard terms and conditions or key contracts apply to this crisis?
9. When evaluating alternative third parties, are there exclusivity clauses in current third party contracts that may complicate switching?
10. Can you determine your third parties’ financial viability or attitude to the crisis facing your organization?
11. Have you already given any consideration to the reintegration of third parties after COVID-19?
12. Do you think the new normal will be different compared to the previous normal (working models/behaviors)?



2. Background — The unexpected outbreak of COVID-19 is having a significant impact on
global third party chains

The COVID-19 outbreak has over 700,000 confirmed cases, which is higher than previous recent disease outbreaks such as Ebola,
MERS and SARS combined.

The current COVID-19 pandemic has caused disruption through all sectors with various degrees of impact. It is time for companies
to rapidly assess, recover and respond quickly through numerous obstacles and challenges that will stand in the way. Through the
chaos of recovery, it will be very easy to overlook the root cause and gaps within a supply chain that may have paralysed businesses
during this unpredictable major event in the first place. Building towards a resilient third party chain will be at the epicenter of
future discussion for years to come.

“94% of the Fortune 1000 are seeing coronavirus supply chain disruptions.”

“Coronavirus raises fears of US drug supply disruptions: 14% of the facilities that make active pharmaceutical ingredients are
in China.”

“European companies face coronavirus hit to supply chains: Italian auto supplier warns car groups’ production lines may be brought
to a standstill.”

“1.3%: Oxford Economics warned that the spread of the virus to regions outside Asia would knock 1.3% off global growth this year,
the equivalent of $1.1t in lost income.”



2. Background — but COVID-19 is only the latest in an increasing number of unexpected
disruptions hitting third party chains, impacting overall business performance

Natural events
► $210b Tohoku earthquake in Japan halts production for Toyota, GM and Nissan

Trade barriers
► US $63b tariffs on EU autos and parts place strain on decades’ old Global Supply Chain

Cyber attacks
► WannaCry ransomware attack losses could reach $4b
► 50% increase in attacks from 2018 makes Supply Chain more vulnerable

Civil unrest
► March at La Escondida, Chile copper mine reduced global copper capacity by 5%

Terrorism
► Border restrictions after Paris Attack led to $3.5m increase to Belgium shippers in 1st month

Epidemics
► Covid-19 outbreak expected to cause a ~$400B dent in the global economy in two years, an estimated 8X bigger impact than SARS

Distressed suppliers
► Crop disease, dry weather and government policy changes cause cocoa shortage for food manufacturer



3. Key challenges — EY clients have to execute now, and prepare for the next and beyond as a
result of COVID-19 challenges

The rapidly evolving threat around the COVID-19 virus is raising concerns among many organizations across the globe. The
interconnected landscape of today’s business environment with third parties poses serious risk of disruption that can result in significant
loss of revenue.

1. Now — Solve the now: the current crisis
► Help manage the immediate operational resiliency challenges linked to your third parties

2. Next — Manage this year
► Monitor the financial stability of your critical and important third parties

3. Beyond
► Learn from COVID-19 and enhance your TPRM delivery models to future proof your third party operations

Key Client Challenges related to Third Party Risk Management
► The extent to which critical third parties can continue to operate under significant stress for prolonged periods of time
► Increasing concerns over data security or data leakage due to third parties moving to remote working/access
► Difficulties to obtain a holistic third-party universal view to fully understand dependencies and vulnerabilities
► Inability to conduct appropriate third party risk assessments and supplier assurance activities
► Lack of the capacity or technical capabilities to conduct the required on-going monitoring activities on third parties
► Meeting existing regulatory/Internal Audit deadlines or complying with on-going regulatory requirements
► Ethical considerations, including how to manage small- and medium-sized third parties with the variation of demand through the pandemic



4. Now: Third party operational resilience

The interconnected landscape of today’s business environment poses serious risk of disruption that can result in significant loss of
revenue. Organizations need to evaluate the ability of their critical off-shore presence and third-parties to continuously support critical
functions such as IT, human resources, payroll, financial reporting, cybersecurity and others.

How EY teams can help

The EY COVID-19 Third-Party Risk Management Assessment offering provides a rapid, scalable and automated assessment to evaluate and monitor third-party risks
due to COVID-19. This will help enable the organization to assess the impact to their critical third parties and understand how they are responding to
continuously support key IT and business operations in a rapid and efficient manner. As a result of COVID-19, it is increasingly important for these assessments
to take place rapidly and dynamically.
The approach includes three phases:

1. Plan
Identify and prioritise third parties providing critical services to your organization. Confirm third-party status and services, and any
reach outs performed with internal third-party relationship owner(s). Leveraging TPRM technology, launch the COVID-19 assessment
questionnaire to third-party contact(s).

2. Assess
Gather information from third parties to understand the impact and how they are responding to COVID-19. The assessment includes the
following areas, but is not limited to:
► Business continuity / pandemic plan
► Remote access for Work-From-Home (WFH) resources
► Network security and operations management
► Security event management
► Dependency on fourth parties

3. Respond and monitor
Summarise and review the third-party responses. Evaluate the impact and ability of third-parties to support the organization’s critical
functions. Develop recommendations and report on evaluation results. Support the triage and monitoring of agreed key actions.



5. Next: Third party financial resilience

At a time when industries are severely stressed, contingency plans developed in better times are proving to be ineffective. In this
environment, firms are subjected not only to the financial health of immediate third parties, but also to the collective financial positions
of all those on which their third parties rely. With complex supply chains and deteriorating market conditions, the risks today are an order
of magnitude greater than in prior years. Firms need to deploy significantly greater resources toward identifying third parties
experiencing financial duress, and even more, finding the best ways to deal with these heightened risks.
As a direct result of COVID-19, firms will also need to consider existing financial arrangements and refund procedures if third parties
cannot continue to operate.

Life cycle of a distressed third party

Companies need to think in terms of both near- and then longer-term actions. Companies need to be prepared to, where necessary, take
more dramatic action. The EY Stress Pendulum gives an indication of the typical stability monitoring and risk mitigation processes which
exist to support companies in such adversity as a result of COVID-19.

An effective program of identifying and managing the risks of a distressed supply chain can be described in three principal workstreams:
1. Early warning screening system: operational, financial and qualitative metrics used to profile third parties based on risk level
2. Troubled third party risk assessment: detailed risk assessment and mitigation planning for third parties which pose significant risk
3. Distressed third party management: further evaluation and review of distressed third party with a view to protecting supply

6. Beyond: Learning from COVID-19 and the future of TPRM

1. Enhanced awareness and reporting
COVID-19 has brought a dramatic insight into the business continuity and operational resilience of third parties. We expect
organizations to adopt an approach to TPRM that is increasingly data driven, proactive and action oriented, drawing on the strengths
of machine learning (ML) and artificial intelligence (AI). Clients will be facing rejuvenated regulatory pressure, which will consider
the proportional and appropriate management of third parties.

2. Technology
Organizations are increasingly looking to technology to improve the end to end TPRM programme across the three lines of defence,
and also to help tackle the nth party challenge. COVID-19 has highlighted the need for enhanced BAU TPRM activities, naturally
enabled by technology, whilst technology will be able to support with root-cause analysis and simulations.

3. Collaboration
Any incident emphasizes the need for increased collaboration, both internally (between functions and divisions) and externally
(across the industry). Internal and sector-based external utilities which more efficiently manage third party risks, and at a lower
cost, will continue to feature.



7. Key Contacts

Kanika Seth
Partner, Ernst & Young LLP
EY EMEIA FSO TPRM Leader
kseth@uk.ey.com

James Ellery-Gower
Senior Manager, Ernst & Young LLP
EY EMEIA FSO TPRM
jgower@uk.ey.com

Shriparna Ghosh
Senior Manager, Ernst & Young LLP
EY EMEIA FSO TPRM
sghosh2@uk.ey.com



Appendix



Now: Third party operational resilience — What can you do?

Execute rapid end-to-end TPRM processes on behalf of the client. Integrate all EY leading methodologies and enablers. Supported by a
technology platform (for client, third parties, EY).

TPRM lifecycle

1. Plan
► Assessment intake process facilitated by either the EY baseline methodology or directly using the organization’s existing methodology
► Third-party’s product and service risk profiling using a targeted scope COVID-19 questionnaire

2. Assessment execution
► Rapid assessment planning and coordination
► Execution of remote global third-party risk assessments in 5+ risk areas including Information Security, Privacy, Business Continuity and Regulatory Compliance
► Residual risk calculation

3. Respond
► Risks and findings monitoring, from registration to closure
► Evaluate the impact and ability of third-parties to support the organization’s critical functions

4. Monitor
► Development of service risk profile reassessment timeline (e.g., every 2 years)
► Establishment of third-party risk assessment monitoring approach (based on residual risk rating)
► Data mining looking for supplier chain linkages



Next: Third party financial resilience — What can you do?

What is BRETA?
EY business relationship and economic threat analysis (BRETA) capability focuses
on identifying and triaging business, economic and operational-related risks across
a client’s ecosystem of business relationships (customers, suppliers, joint ventures,
partnerships, etc.). BRETA leverages the firm’s experience across six disciplines
(financial, technical, regulatory, supply chain, cyber and geopolitical) to provide a
multi-dimensional view of risk and potential mitigation strategies.

How is it used?
The automated tool assists clients with threat screening, exploratory analysis and
risk scoring of individual entities or sub-populations. This differentiated capability
uses publicly-available data sources to produce comprehensive reports. The reports
feature interactive visualisations of market trends, business relationships, location
and geographic data, market transactions and automated aggregation and analysis
of key indicators of financial health to rapidly identify where threats or
vulnerabilities exist.



TPRM market dynamics: key trends of 2020

1. Resilience of third parties
Significant business disruption as a result of COVID-19 highlights the need for organizations to have a clear understanding of the
resilience of their third parties.

2. Growing market interest
TPRM started off being a focus for financial services due to regulatory requirements and has since moved to other regulated sectors.

3. Board level attention
Third party risks are being discussed at the board level, and more board members are becoming aware of the topic and need.

4. Expanded risk landscape
Organizations have expanded their risk focus from IT/information security risk to a broader, more inclusive risk landscape.

5. Integrated TPRM function
Organizations are setting up an integrated TPRM function comprised of procurement, supply chain, legal, compliance and IT.

6. Operating model evolution
Organizations are reducing in-house reliance and moving toward co-source arrangements or fully managed services.

7. Common frameworks
Organizations are moving toward standardising third party assessment methodologies and processes.

8. Technology-enabled intelligence
There has been a movement from manual activities to on-premise technologies to utilising software as a service cloud based solutions,
where risk data is increasingly being used to provide procurement and supply chain insights.



TPRM framework: It has become more important than ever to deliver robust third party risk
management, utilising an enterprise-wide framework

A TPRM function is comprised of six functional components that enable efficient, consistent and enterprise-wide execution.

► The operating model defines clear roles and relationships supportive of consistent, risk based application of all functional
enterprise-wide TPRM processes.
► Risk models help ensure monitoring activities are reflective of the inherent/residual risk associated with third parties and their
services – essential in quantification and illustration of TPRM programme value.
► Monitoring is the periodic assessment and management of risk and service performance relative to a third party and the services
provided once contracted.
► Risk assessment and due diligence are essential to understand the third parties’ control environment around identified risks
(e.g., enterprise resilience, cyber security, regulatory compliance, etc.).
► Oversight and governance is the component that oversees the function to ensure that the relationships and activities are managed
effectively. This consists of the following sub components: reporting, issue management and escalation, internal and external
programme liaison, quality assurance and policy adherence.
► Technology and data enable TPRM processes to reduce overall function cost. Additionally, the use of technology increases data
integrity and drives seamless and reliable reporting.
► Enterprise-wide policy and procedures establish clear roles and responsibilities for all functional owners through the execution of
the end-to-end TPRM lifecycle. More mature functions embed service/risk management within third party management policy/procedures
for stream-lined integration and execution.

41% of firms said primary ownership of the TPRM function falls within procurement (1st line of defense) – 2018 TPRM survey



Regulatory requirements: The EBA outsourcing regulatory requirement provides a framework
to assess, govern and monitor third parties

Regulatory deadline
► Finalised version of EBA guidelines were made available March 2019
► The guidelines apply from 30 September 2019 to all outsourcing arrangements entered into on or after this date
► Complete documentation for all existing contracts must be completed by first renewal date of each contract, but no later than
31 December 2021

Proportionality
► Institutions are expected to apply the principle of proportionality to achieve the requirements, by applying governance that aligns
with the nature, scale and complexity of the operations
► Management body of the institutions retains full responsibility for the regulatory requirements

Outsourcing arrangements
► Institutions are required to establish if an arrangement with a third party falls under the definition of outsourcing, and if this
constitutes the outsourcing of a critical or important function

Outsourcing to cloud
► EBA outsourcing standards for cloud service providers have been applicable since 1 July 2018 and have been embedded into EBA
outsourcing guidelines to set the supervisory expectations for services outsourced through cloud

Core Considerations: EBA emphasizes the following aspects of outsourcing arrangements by institutions (EBA guidelines on outsourcing)
1. The institution retains full responsibility and accountability for complying with applicable regulatory obligations
2. Institutions are required to have an outsourcing policy in place
3. Institutions should identify, assess and manage conflicts of interest
4. The respective rights and obligations of the institution and service provider should be clearly allocated and set out in a written agreement
5. Institutions should maintain a register of all outsourcing arrangements, critical or otherwise
6. Pre-outsourcing analysis should be performed for all outsourcing arrangements covering:
   ► Assessment of the criticality or importance of outsourced activities
   ► Due diligence
   ► Risk assessment
7. The internal audit activities should cover the independent review of outsourced activities following a risk based approach
8. Institutions are required to have Business Continuity Plans available with regard to the outsourcing of critical or important functions
9. Institutions are required to monitor the performance by the service provider with regard to all outsourcing arrangements
10. Institutions should have a clearly defined exit strategy for all outsourcing of critical or important functions
11. Institutions should provide the relevant authority with the register of outsourcing arrangements



Regulatory requirements: The PRA consultation paper requires an enhancement of the
oversight of third parties to help improve their operational resilience

Case for change
► Greater reliance is being placed on third parties and increasingly on technology providers, e.g., Cloud
► Firms face increased risks, e.g., storing, processing and/or sharing of customer data, long chains of service providers, regulatory
reporting
► The evolving nature of Outsourcing and TPRM brings benefits, opportunities and potentially enhanced resilience if managed
appropriately

Key objectives of the CP
► Modernises expectations
► Facilitates greater resilience
► Clarifies PRA expectations
► Final policy expected in the second half of 2020

Key concepts
► Definitions – material vs. non material outsources
► Intra group – no less risky than external arrangements
► Governance – responsibility cannot be outsourced
► Data Security – detailed requirements around security
► Access, audit and information rights – risk based approach and concept of pooled audits
► Sub-outsourcing – emphasis to assess this risk
► Business Continuity and Exit – importance of defining and testing approaches for stressed scenarios



TPRM market dynamics: EY FSO TPRM 2019 survey — The survey highlights the key
challenges facing organizations and their response

Operating model
► 58% of organizations reported having a centralised structure.
► 38% of organizations reported having a hybrid structure.

Tools and technology
► 40% of organizations have a TPRM technology platform. Over half of those have links to external threat intelligence data or
supplier data.
► 37% of organizations that use tools/technology as part of their TPRM programs indicate that technology across the organization is
not integrated and requires manual reconciliations to report out of multiple systems.

Execution
► 41% of organizations expect to use more managed services to execute their TPRM program/function in 2–3 years.
► 45% of organizations expect to use more market utilities/exchanges to execute their TPRM program/function in 2–3 years.
► 57% of organizations expect to use more sector-based consortiums to execute their TPRM program/function in 2–3 years.

Fourth-party management
► 70% of organizations rely on the contractual terms established with the third party to assess/monitor fourth parties.

Inherent risk
► 65% of organizations refresh third party inherent risk profiles based upon their inherent rating.

Cybersecurity
► 38% of organizations had a data breach caused by a third party over the past 2 years.
► 52% of organizations had an outage caused by a third party over the past 2 years.

Resourcing model
► 20 resources, on average, are dedicated to supporting the TPRM program/function.
► 54 resources within the business, on average, provide support to the TPRM program/function.

Assessments
► 83% of organizations reassess (risk/control assessment) critical third parties on an annual basis.



EY thought leadership: examples



EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction and advisory services.
The insights and quality services we deliver help build trust and confidence
in the capital markets and in economies the world over. We develop
outstanding leaders who team to deliver on our promises to all of our
stakeholders. In so doing, we play a critical role in building a better
working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the
member firms of Ernst & Young Global Limited, each of which is a separate
legal entity. Ernst & Young Global Limited, a UK company limited by
guarantee, does not provide services to clients. Information about how EY
collects and uses personal data and a description of the rights individuals
have under data protection legislation are available via ey.com/privacy. For
more information about our organization, please visit ey.com.
© 2020 EYGM Limited.
All Rights Reserved.

EYG no. 001562-20Gbl
EY-000119124-01 (UK)
CSG London, 03/20.

This material has been prepared for general informational purposes only and is not intended to
be relied upon as accounting, tax or other professional advice. Please refer to your advisors for
specific advice.
