Stronger together: building Third Party Resilience in the Financial Sector

Precis

Most organisations want to be resilient and want to be seen to be resilient but many struggle to reconcile their own resilience posture with that of their extended ecosystem – the Third Parties and FMIs on which they critically – and increasingly - depend to deliver their own services. Third Party Resilience is one of the most pressing agenda items for the Boards and Executive Committees of most of the Financial Services Institutions that we work with. It is also an area in which effort and attention is only likely to intensify as firms’ reliance on external providers increases in the era of AI and automation.

This dialogue has been amplified by an increase in regulation both here in the UK and internationally including through the following policies and frameworks:

• HM Treasury’s Critical Third Party Regime¹;
• The UK PRA and FCA policies on Impact Tolerances for Important Business Services²
• The UK PRA policy on Outsourcing and Third Party Risk Management³;
• EU Digital Operational Resilience Act⁴;
• The UK PRA and FCA policies on Incident and Third Party reporting⁵

The topic has also been brought into sharp relief due to the impact caused by high profile incidents involving Third Parties that have affected FSIs over the past few years.

Within the financial sector, achieving Third Party Resilience can be a challenging proposition because of the unique and highly concentrated nature of the industry, meaning that vulnerabilities may be high-profile, systemic and in many cases difficult to remediate. However, we believe that this is why firms must focus effort and attention on building, embedding and sustaining proportionate and effective frameworks to deal with Third Party disruption.

In this three-part article series, we define what we mean by Third Party Resilience and explore why it requires specific and unique consideration as part of both the Operational Resilience and Third Party Risk Management frameworks. We provide practical examples of how Third Party Resilience outcomes can be enhanced within these frameworks but also how Third Party Resilience requires contributions from a broad range of areas including Technology, Risk Management, and Cyber to be fully effective. We also consider how FMI Resilience differs from Third Party Resilience and how AI will change the way in which Third Party Resilience outcomes can be achieved. In our first article below, we discuss our definition for Third Party Resilience and the foundational elements required to construct an effective framework. In two subsequent articles, we will explore the framework's application, operational management, adaptation, and long-term sustainability.

Introduction

Let’s start with some simple framing. From our perspective, Third Party Resilience refers to the successful management of disruptions emanating from Third Party Services. That does not mean that Third Parties are always responsible for compromising the resilience of an organisation and indeed in many cases they may be a mitigant to disruption. It is critical that firms understand that Third Party Resilience requires consideration of three lenses:

1. The resilience of the service provided by a Third Party;
2. The resilient use of that service when it is deployed within the recipient’s own environment;
3. The cultivation of mutually supportive responsive capabilities when both the service provider and recipient experience disruption.

In simple terms: resilient provision; resilient use; resilient together.

Defining Third Party Resilience

Defining the scope of Third Party Resilience is key to building a proportionate, sustainable and risk-based framework. In addition to standard Third Party services, Third Party Resilience focusses on the indirect application of resilience standards on 4th and nth parties as well as to outsourcing and interfirm arrangements.

We have found that defining this scope has been challenging for many firms due to overlapping – and sometimes loosely applied – terminology with important, critical, and material being used interchangeably to describe Third Party services that support Important Business Services (IBSs). From our perspective, ‘important’ refers to a Third Party service that supports an IBS but firms may wish to distinguish between those that are genuinely important and vital to its delivery versus those that are ‘relevant’ to the IBS (but not essential its delivery). Those that are considered Important are likely to be where firms should spend most of their time building resilience to a broad range of disruptive impacts since they support externally consumed services where market and customer harm will be acutely felt in the event of their failure. Materiality refers to a broader set of services which may include internal services but it does also include IBSs. Therefore, IBSs will always be Material but not all material services will be Important.

Building a Third Party Resilience framework

Achieving Third Party Resilience requires contributions from a broad range of relevant teams and functions including Procurement, Technology, Operational Risk, and Cyber and involves the intentional and systematic application of resilience practices throughout the TPRM lifecycle. In our experience, many organisations consider this too late, missing the opportunity to embed resilience standards in source to contract phases, thereby enabling better selection of partners who will genuinely be able to match the service recipient’s own expectations for resilience.

In terms of how to define the minimum expectations for resilience, firms need to gain an understanding of whether both they and the Third Party are effective in their ability to:

1. Anticipate future failure and demonstrate how this is achieved - for example through problem management, horizon scanning and notification of, and planning for, upcoming change;
2. Build absorbative capacity by ensuring that services are resilient by design and deployed in such a way that any innate resilience is not compromised;
3. Operate responsive capabilities such as Business Continuity, Incident and Crisis Management (and understand how digitisation of these processes might enable a more timely response, e.g. e-bonding technology incident tickets straight to the recipient’s service desk);
4. Adapt following disruption, with the Third Party committing to robust Post Incident and service remediation requirements or – in more severe scenarios - developing a shared understanding of when exit and disengagement may be required.

We have found that in practice, many firms will exhibit some of these capabilities, though often by accident rather than design. For some, that lack of formalisation has created a misalignment between their needs for resilience and recovery and what has actually been agreed contractually with their Third Parties.

We have also observed that some firms have not thought early enough about whether the Third Party’s service is resilient or that they lack the foundational principles to systematically perform this assessment. We have found that four key principles of resilience by design have been useful for both anchoring applicable standards and for evaluating and evidencing the resilience of Third Party Services⁶.

These principles are:

1. Modularity (Resilience achieved by providing similar services from multiple resources from individual system components rather than from a single resource to a whole system, thereby reducing the risk of whole system failure – for example a software vendor may incorporate separation of concerns, modular architecture or loose coupling into the design of an application)
2. Diversity (Resilience achieved by having multiple alternative resources available from a variety of suppliers/locations to provide the same service – for example, Business Process Outsourcing providers might cross-skill and geographically disperse their teams)
3. Redundancy (Resilience achieved by having identical resources and/or reserves available on standby in the event that the original resource fails – for example, by having stand-in suppliers or Special Purpose Vehicles)
4. Adaptability (Resilience achieved by having capability to adapt existing resources beyond current use to fulfil wider remit – for example, by agreeing auto-scale, throttling capacity or using a Third Party to fill a gap for a role that it was not originally contracted to do)

We consider Resilience by Design to be a strategic, purposeful and transparent approach to the operational resilience of all of your services, including those delivered by your Third Parties. Resilience by Design aims to ensure that your services are as fault tolerant as possible prior to, and during, deployment. To achieve resilient outcomes, we need to build our foundations on Resilience by Design principles.

Our POV:

• Resilience by Design applies both to how you operate your services as well as how your Third Parties operate theirs. You cannot expect to outsource all of the risk associated with services that your Third Parties provide.
• This means building Resilience by Design expectations into your NFRs and RfX requirements at sourcing and tracing evidence that your suppliers continue to meet at least some of them throughout the Third Party lifecycle.
• Resilience by Design principles will often involve a degree of trade-off. For example, you may be using two payments services which offer redundancy for one another but they are provided by the same Third Party using common infrastructure meaning that in the event of a disruption there is no modularity to contain the failure. This could mean that both the primary and alternate service are lost during certain types of disruption.

Being able to interpret, apply and evaluate against these principles from Requirements for X through the Due Diligence Questionnaire to ongoing management, monitoring and disengagement, can be a useful and pragmatic way of understanding the Third Party’s resilience posture. They can also be expressed at a more granular level to form baseline service obligations to support effective contracting, as well as to perform maturity assessments on both the provider’s service and the service recipient’s own use of it.

This last point is crucial. Firms need to ask these questions of themselves to confirm that they are utilising the service in line with the principle of shared responsibility. For example, ‘are we undermining the resilience of a service by routing it through a single node on the network?’ (inverse of diversity) ‘Are we amplifying concentration risk by putting all of our IBSs on a single supplier platform?’ (inverse of modularity).

Establishing a library of baseline service obligations that are engagement specific (i.e. adapted for SaaS, IaaS, BPO, professional services) is an effective mechanism for agreeing acceptable standards for resilience up front and can be a useful mechanism for standardising quality in the procurement process. Service obligations can form the basis of specific clauses in contracts that address resilience requirements, performance standards during disruptions and data security e.g. dual SLAs, service credits or liquidated damages.

Baseline service obligations can also serve as a guardrail for asking good questions as part of the Supplier Due Diligence Questionnaire. In practice, we see lots of organisations miss the opportunity to generate meaningful intelligence about the resilience of the Third Party service during the DDQ stage. Many will ask open-ended or generic questions about enterprise level BCPs or policies, whilst failing to confirm whether the specific service is designed, architected and operated for resilience.

However, in issuing the Resilience DDQ, organisations should also give thought to whether assessment teams have the requisite skills, knowledge and capacity to interpret the responses. We see many organisations struggle with the volume of DDQ activity created by back and forth requests for information. Sometimes this is as a result of information that has not been shared, but often is because assessors have not been trained to understand the spirit of the questions being posed. Investing comprehensively in remediating skills gaps is important and so too is equipping assessors with the ability to recognise what constitutes an acceptable response. More advanced organisations are also now considering how to leverage AI to help with manual overheads, minimise subjective bias and group themes within DDQ responses to further optimise the questions and framework.

Stay tuned! In our next article, we will explore practical strategies for applying and operating the Third Party Resilience framework.

References:

1. HM_Treasury_Approach_to_Designating_Critical_Third_Parties_2024.pdf
2. SS1/21 Operational resilience: Impact tolerances for important business services | Bank of England; PS21/3: Building operational resilience: Feedback to CP19/32 and final rules
3. Outsourcing and third party risk management
4. Regulation - 2022/2554 - EN - DORA - EUR-Lex
5. PS7/26 – Operational resilience: Operational incident and third-party reporting | Bank of England; PS26/2: Operational incident and third party reporting | FCA
   
6. These standards are expressed in BS65000:2022 and the UK Government’s own resilience framework.