Improving operational resilience has long been a goal of the banking and financial sector and will continue to be top of the regulator’s agenda. In this article for Finance Monthly, Jake Holloway, Chief Product Officer at Crossword Cybersecurity, explains why Supplier Assurance Frameworks are becoming more and more essential for an organisation’s operational resilience.
The introduction of SMF24 (Senior Management Functions) under the Financial Conduct Authority’s Senior Managers and Certification Regime has put the ownership of resilience firmly in the boardroom. Those in the new SMF24 role need to have complete visibility of the operational risks that might exist not only in the organisation, but also within its own supply chains and partnerships. As we have seen with recent IT outages and high-profile cyber security incidents, it is not always the institution itself that is at fault, but it is them that faces the critical attention of their customers, the media and the regulators.
A new era of supplier risk management for the financial sector
In order to manage risk and build healthy supply chains in the financial sector, the right supplier assurance processes need to be in place. This could be seen as a challenge for procurement teams and the supplier onboarding process, but it reaches much further, with risk assessments needed across areas as diverse as anti-money laundering, the Modern Slavery Act, Health & Safety, GDPR and cyber security to name but a few.
Each of these areas impacts institutions in different ways, and indeed may require specialist expertise to assess the risks. Cyber security is a great example, where a weakness such as an unpatched VoIP phone or laptop, may be exploited in one supplier to reach back into the financial institutions themselves.
Normally, supplier assurance and procurement teams would stay well away from such technical and complex areas. For instance, with cyber security, where supplier due diligence requires a cyber security assessment, it’s happily handed over to specialists – whether internal or external. Any reports, risk acceptance or remediation activities are left with the specialists while supplier assurance teams focus on the core of financial risk, insurance cover, regulatory standards, governance and so on.
Building a Supplier Assurance Framework
Institutions need a different approach to reduce risks associated with suppliers, vendors and other third parties. One that combines the supplier assurance and procurement team’s approach based on good practice, controls, evidence of governance and commitments to improvement, with the deeper technical understanding of other teams. Supplier assurance and procurement teams have a far greater role to play in this than they may imagine through the implementation of a Supplier Assurance Framework.
Find out more about how Crossword Cybersecurity can support companies with a Supplier Assurance Framework.
You can read the full article in Finance Monthly here