The Basel Committee on Banking and Supervision released a newsletter underscoring internal discussions and outreach sessions took place to improve third- and fourth-party risk management and concentration risk to support day-to-day activities for banks and supervisors. The newsletter further highlighted concerns regarding operational risks that have emerged during the pandemic related to third-party provided technology-based services. Last month the Basel Committee, in response to some of these issues, released Principles for Operational Resilience (POR) and revised its Principles for the Sound Management of Operational Risk (PSMOR). During the Committee’s outreach sessions with private sector participants and supervisors, it was noted that:

• “Primary gaps relating to firms' third-party risk management include a lack of clarity regarding respective bank and service provider responsibilities, insufficient monitoring of critical fourth parties, inadequate challenge or oversight from second lines of defence, and a lack of developed and tested business continuity plans.
• Banks and supervisors are concerned that a lack of complete supply chain transparency may increase operational risk. Risk-management efforts are focused on immediate suppliers, though key risks stemming from outsourcing arrangements may be driven by suppliers further down the supply chain.
• While several banks maintain formal exit strategies with respect to critical suppliers, they often lack sufficient detail and testing, and identifying the appropriate stage to execute a strategy can be unclear.
• There are a range of tools for managing operational disruptions, such as the substitutability of a third-party service provider and contracting for enhanced resilience options or service levels offered by service providers. Exit strategies designed to guide transitions that occur over longer time periods may not be as useful as other tools for curing operational disruptions.”

The full newsletter is available here.