Some of the most noteworthy third party risk management (TPRM) trends that warrant monitoring in 2022 will sound familiar to TPRM practitioners given that these issues posed formidable challenges in 2021 and will give rise to new challenges this year.
In that way, the following focal points, identified by Shared Assessments Senior Advisor Gary Roboff, resemble cascading risks.
How can a single risk event trigger a number of effects?
- ESG Risks and Rules: Global climate events, the Biden administration’s emphasis on addressing climate change, and actions by other governments around the world have combined to make ESG-related risks a top TPRM concern – and one that remains fluid from a rules-making and standards perspective. “There’s been enough movement on the standards front, and enough headlines about green-washing, that a wide range of organizations are paying more attention to metrics and trying to make sure that the metrics they publish bear some resemblance to reality,” Roboff notes. “In 2021, ESG became a significant matter across many, if not most, sectors of the economy.” Increasing investor pressure, among many other factors, ensures that this trend will continue in 2022. As a result, it will be important for TPRM teams to collaborate with the groups in their organizations charged with managing and reporting ESG risks. TPRM teams should also monitor global ESG laws, rules, and reporting standards this year while paying close attention to guidance concerning Scope 3 emissions. “In the best of all possible worlds, you would want to understand what a third party’s greenhouse gas emissions look like, and you would have a standard way to verify that what they’re telling you is correct,” Roboff adds. “Ideally, that activity would take place very early in the third-party risk management life cycle – before on-boarding, even at the RFP stage in some cases. Right now, that’s a tall ladder to climb, so we’ll have to see how ESG metrics and reporting requirements evolve.”
- Regulatory Harmonization vs. Divergence: Last spring, the Bank of England released new regulations concerning third party risk management. Those rules were notable on several counts, including the fact that they diverged in some meaningful ways from rules promulgated by various U.S. regulatory jurisdictions. This divergence poses challenges related to how organizations perform nth party risk management, due diligence on third party cloud-technology providers, and sector-specific concentration risk (which Roboff discusses in more detail here). U.S. regulators are aware of this divergence, as well as of the need for more consistency among different domestic rule-makers. This year, three of the four federal banking regulators will continue a sweeping effort to harmonize third party risk management guidance for U.S. financial institutions. “These regulators have pledged to work together to make sure that US regulators are not requiring radically different things in radically different ways at the same time,” reports Roboff, who stresses that it will be important to monitor how this promise plays out in 2022.
- Cascading Risks: Some risks are like the first domino in an installation: when it falls, it triggers numerous other risks. Think of how a cyberattack on a major cloud services vendor causes an outage that takes dozens of customers (and, in some cases, their customers) offline. Consider how a major supply chain snafu, such as the grounding of a massive container ship, hinders ports and logistics activities around the world for weeks. “At the general risk management level, we saw a lot more attention paid to cascading risks – the notion of cascading consequences from a single risk – last year,” Roboff reports. “That will continue to be a risk management, and third party risk management, focal point in 2022.”