Whitepaper Risk Management

This white paper outlines best practices in third party risk management, emphasizing the importance of identifying, assessing, and managing risks associated with third party relationships. It highlights the regulatory expectations for firms to maintain oversight and effective governance, as well as the need for ongoing monitoring and due diligence throughout the relationship life cycle. Additionally, it introduces Ruleguard's Supplier Oversight Solution as a tool to enhance compliance and risk management processes.


WHITE PAPER

Best Practice in Third Party Risk Management
Contents
Background 3

What is Risk Management? 5

What is a third party? 6

Third Party Oversight 7

What happens when it goes wrong? 9

Relationship Life Cycle 10

Steps for Success 11

Due Diligence 12

Contract Negotiation 13

Operational Resilience 15

Ruleguard's Supplier Oversight Solution 16

Why Ruleguard? 18

About Ruleguard 19

Get in touch! 20
Background
Third party risk management is top of the regulatory agenda.

It started with cyber risk management and the need to manage third party
service providers. That initial concern increased to encompass a multitude of
third party arrangements and has become a hot topic worldwide.

The regulatory message is that firms must consider the risk posed by third
party relationships.

Regardless of whether a firm conducts activities itself or relies on another party,
the firm remains accountable to the regulator. This point is one that supervisors
worldwide are eager to stress.

Firms must have processes in place to appropriately manage and
evaluate the risks associated with third party arrangements. Reliance
upon third parties does not diminish a firm’s regulatory obligations.

3 www.ruleguard.com
Best Practice in Third Party Risk Management 4
What is Risk Management?
There is a basic requirement that all regulated firms must identify,
assess and manage any risks to the business. How this requirement
is interpreted varies widely from firm to firm.

Most firms will be familiar with the process of identifying and ranking risks
according to the level of risk posed, but how many firms understand the
links between that process and how it relates to their monitoring and audit
processes? When the board reviews the reports from these reviews, do the
senior managers understand how the findings relate back to the risks within
the business?

The risk management process needs to be linked to a firm’s strategy and
raison d’être. It relies upon a robust governance process for setting standards
of conduct and communications, both internal and external.

Key steps in a Risk Management Framework: Identify, Prioritise, Mitigate, Measure, Report

To be truly effective this process needs to be considered within individual
departments to identify specific risks within each process and determine
appropriate controls to mitigate any risks.

Given that the risk management framework supports the business to achieve
its strategy, it’s not surprising that firms have traditionally focused their
attention internally. Aside from due diligence on potential suppliers, firms tend
to forget about ongoing risk management of any third party arrangements.

5 www.ruleguard.com
What is a third party?
One simple definition of a third party relationship is that it generally
excludes customers. It would include relationships such as:

• Suppliers - office facilities, storage facilities

• Contractors - ad hoc project managers or consultants

• Outsource providers - IT outsourcing providers, business process
outsourcing providers, call centre providers, HR outsourcing providers

• Platform providers

• Fund management or administration

• Custodians

• Transfer agents

• Portfolio or investment management services

• Distribution agents

NB: any of the above could outsource or sub-contract to their own third
parties, which brings additional risk.

All these relationships add value by providing services which a firm
is unable to fulfil itself due to lack of skills, knowledge or
resources. By using third parties, a firm might improve efficiencies
and make cost savings.

Third Party Oversight
Given that firms need to identify and manage risks, it’s important that
a firm maintains a current list of all its third party relationships.
Sadly, this is an oversight that the regulators have identified during
their thematic reviews. The FCA’s cross-sector survey from 2017-18
provides some context for consideration.

Cross-sector survey 2017/18

Issues at third parties included:
• IT failure in one important supplier accounted for 15% of incidents reported to the FCA.
• IT changes caused 20% of the operational incidents reported to the FCA.
• 50% of firms do not have a comprehensive list of all third parties with whom they do business and who have access to their systems and data.
• 26% of firms did not have a board approved information security strategy.
• Only 56% of firms said they could measure the effectiveness of their information asset controls.

Source: CP19/32

According to a supplier’s individual risk profile, it’s important that
regular information is provided to boards to enable oversight and to
inform decision-making.

One example is the proposals before Parliament to reform the audit and
corporate governance standards in the UK. If these proposals are
passed, the board will need to ensure that there are appropriate
controls in place to prevent fraud. Auditors will consider these
arrangements when undertaking the annual review.

Areas of Weakness

In order to implement appropriate controls, a firm needs to understand
where risks could materialise and how to manage those risks.

Common weaknesses identified in third party risk management include:

• Lack of consistent approach

• Lack of common standards; instead firms manage providers on a
case-by-case basis

• Lack of complete oversight frameworks

Additionally, firms tend to focus attention on selecting third parties
and due diligence. This means that ongoing monitoring often receives
less attention.

Oversight

(a) Board

A recurring regulatory message is that the board must have oversight of
a firm’s risk management framework. It’s the board that sets the risk
appetite within the firm’s business strategy. Similarly, the board needs
to decide where to invest its funds and resources to achieve its goals.

(b) Senior Manager

The board is also responsible for ensuring that a senior manager
implements the agreed risk framework within the business. This
includes ensuring:

• Risk policy and procedures that are documented and updated
regularly

• Risk awareness to encourage the right corporate conduct that
represents the firm’s values

• Producing regular reports to the board on risk management both
internally and externally

• Maintaining a risk register which includes risk owner attestations

What happens when it goes wrong?
Outsourcing helps firms become more efficient, but it also poses
challenges, including an increase in regulatory action for breaches
such as poor oversight.

Relationship Life Cycle
Effective third party risk management generally follows a continuous
life cycle for all relationships and incorporates the following
principles applicable to all stages of the life cycle:

Relationship Life Cycle:
1. Planning
2. Due Diligence & Selection
3. Contract Negotiation
4. Ongoing Monitoring
5. Termination

Steps for Success
The FCA’s key priorities for 2022/23 are aligned to its Strategy.

1. DUE DILIGENCE

2. CONTRACT NEGOTIATION

3. ONGOING MONITORING

Due Diligence
Efficiencies and cost savings appeal to management, but when
deciding to engage with a new supplier, what risks are considered?

Firms should review their due diligence processes to enable them to easily
identify risks prior to engaging third party services.

1. Draft list of requirements

2. List of potential suppliers

3. Request due diligence information – how in-depth is this? Complete
identity checks, but also understand the service provider’s risk profile

4. Short list

5. Decision made – how is that decision made? Where in the process do
you identify potential risks posed by each potential supplier and
consider how you mitigate it?

6. Onboarding – not just initial checks, but ongoing - how often do you
monitor & review these relationships?

7. Own the relationship – a senior manager who has oversight of the
relationship, reviews progress against the contract, service level
agreement and metrics. Reporting to the board on the relationship and
risks posed

8. Ongoing monitoring – third parties such as appointed representatives
need greater oversight

9. Collate data from third parties about services provided – ensure
that there is consistency in the information requested, including
frequency and reporting periods

10. Implement an issues process for informing you when the third party
has encountered a problem

11. Breaches – how quickly are they identified and escalated to ensure
reporting on time.

Contract Negotiation
When discussing contractual arrangements, firms should ensure
that risk management including reporting and escalation processes
are included.

The contract should also outline responsibilities for the firm and the third
parties (including any sub-contractors).

Sub-Contractors

Sub-contractors can pose additional risk. Often firms may be unaware
of the underlying relationships or dependencies which a service
provider has.

Firms should capture information relating to sub-contractors during the
diligence and selection process. Early identification of such relationships
aids decision-making.

Foreign-based Third Parties

Firms should understand that contracts may be subject to the
interpretation of foreign courts relying on local laws. It is important
to seek legal advice to confirm the enforceability of all aspects
of a proposed contract with an overseas third party and other legal
ramifications of each such business arrangement, including privacy laws
and cross-border flow of information.

Ongoing Monitoring

To assure the board that its risks are managed, the firm should
have a monitoring programme that undertakes periodic reviews. The
focus should be on how the firm delivers its services. How might you
achieve this? What information do you need from the third parties and
any sub-contractors?

This requires consistent reporting from all third parties on agreed key
metrics. This information needs to be delivered at specific times. The
accuracy of that data needs to be tested periodically to verify the data
and provide assurance to the board. Firms require timely and accurate
reporting.

(a) Risk Management:

• Evaluate the effectiveness of the third party’s own risk management,
including policies, processes, and internal controls.

• Consider whether the third party’s risk management processes
align with your firm’s policies and expectations surrounding the
activity.

• Assess the third party’s change management processes, including
whether clear roles, responsibilities, and segregation of duties are in
place.

• Where applicable, determine whether the third party’s internal
audit function independently and effectively tests and reports on the
third party’s internal controls.

• Evaluate processes for escalating, remediating, and holding
management accountable for concerns identified during audits
or other independent tests.

(b) Incident Reporting and Management Programs:

• Review and consider the third party’s incident reporting and
management programs to ensure there are clearly documented
processes, timelines, and accountability for identifying,
reporting, investigating, and escalating incidents.

• Confirm that the third party’s escalation and notification
processes meet the firm’s expectations and regulatory
requirements.

(c) Complaints Handling:

• Ensure the contract includes responsibilities and provisions
for assisting in complaint investigations. Access to data and
reporting on such matters should be provided to the firm.

Operational Resilience
Assess the third party’s ability to deliver operations through
a disruption from any hazard with effective operational risk
management combined with sufficient financial and operational
resources to prepare, adapt, withstand, and recover from
disruptions.

Assess options to employ if a third party’s ability to deliver operations is
impaired.

Termination

The contract needs to have termination clauses, but also needs
to have realistic timeframes to enable a collaborative handover to a new
party.

Where permitted, include reporting requirements on complaints,
identified risks and emerging risks; termination rights should include
sub-contractor arrangements.

Conclusion

Third party risk management processes need to be appropriate
to the size and scale of the firm, but also the complexity and level of
risk posed.

We see regulators encouraging firms to use technology to improve
efficiencies, reduce costs and aid risk management.

Ruleguard's Supplier Oversight Solution
Ruleguard for Supplier Oversight takes the core benefit of the
Ruleguard platform – powerful rules-mapping and evidencing – and
uses it to bridge the gap between a firm and its third parties.

Ruleguard provides a seamless control environment between
you and your transfer agents and administrators for genuine oversight.

Any information maintained within the Ruleguard system can be selectively
shared with others. Control and process documentation, along with
all relevant mapping links to rules and regulatory frameworks, can be
provided at the touch of a button.

As information changes over time, differences are automatically
highlighted to ensure that up-to-date records are being maintained.

Ruleguard allows you to map received information into your own
data, letting you incorporate third party regulatory information into your
own risk or monitoring frameworks.

For example, you can generate and automatically maintain compliance
documents that reference third party controls – clearly labelled with the
provider that operates them – within your account.

This can radically transform the third party oversight capabilities of
a compliance function and allow it to extend best practice beyond the
borders of the firm.

Why Ruleguard?
Ruleguard is an end-to-end GRC software platform designed to help
regulated firms manage the burden of evidencing and monitoring
compliance. It has a range of tools to help firms fulfil their obligations
across the UK, Europe and APAC regions.

An ever-changing regulatory environment requires firms to identify the changes
impacting their business and to adapt their processes and controls quickly
to meet those requirements. It can be time consuming and overwhelming
to be constantly monitoring rule changes from various supervisory bodies
both in the UK and internationally. Senior Management require evidence to
demonstrate that business risks are being managed effectively. Collating data
from various sources to generate timely management information, enable
decision making and facilitate oversight is a key requirement.

Ruleguard has been designed to help you demonstrate and evidence
compliance, by using its comprehensive rules-mapping, risk and control tools,
automated reporting features and powerful dashboards. At its core, Ruleguard
is a single unifying solution for all your compliance processes and procedures
for managing your ongoing compliance.

Our SaaS-delivered software platform, Ruleguard, has been designed to
manage the complex and burdensome issues associated with regulatory
compliance, especially when processes and procedures in place are manual
and fragmented widely across multiple companies, departments and systems.

Using Ruleguard will enable you to show regulators and auditors how your
business has complied with the rules, including providing effective governance
and oversight to your firm.

About Ruleguard
Ruleguard started out in 2013 as a software ‘design and
build’ agency that specialised in financial services projects,
particularly those with a unique requirement for data and
functionality that was far from being available ‘off the shelf’.

Fast-forward to 2024 and we have established Ruleguard as
one of the foremost offerings in the RegTech space, providing
genuine compliance oversight to some of the largest and most
complex financial institutions globally.

Most importantly, we continue to work closely with our clients
to identify the most painful aspects of compliance oversight
and strive to build out our platform to improve that governance
with increased efficiency and reduced cost.

Get in touch!
0800 408 3845
[email protected]
www.ruleguard.com

Key points of contact

Priscilla Gaudoin
Head of Risk & Compliance

[email protected]

Ed Buckman
Director of Commercial Strategy

[email protected]

Matthew Bruce
Platform Director

[email protected]

BOOK A DISCOVERY CALL

Disclaimer:
This document is intended for general information purposes only and does
not take into account the reader’s specific circumstances and may not reflect
the most current developments.

Ruleguard disclaims, to the fullest extent permitted by applicable law, any
and all liability for the accuracy and completeness of the information in this
document and for any acts or omissions made based on such information.
Ruleguard does not provide legal, regulatory, audit or tax advice. Readers are
responsible for obtaining such advice from their own legal counsel or other
licensed professionals.

Copyright © 2024 Ruleguard. All Rights Reserved. Ruleguard is the trading
style of Strategic Software Applications Ltd which is incorporated and
registered in England and Wales with company number 08423947 whose
registered office is at 10 Queen Street Place, London, EC4R 1AG. Ruleguard
and the Ruleguard logo are registered trade marks owned by Strategic
Software Applications Ltd.

Ruleguard 2024
WP-Oct-2024
