The fact that geopolitical risks to the complex digital ecosystems of the banking and financial sector are increasing has become a truism, especially since the Russian attack on Ukraine. In this respect the financial sector is no different from other industries: management surveys regularly reflect executives’ concerns about international upheaval and its potential impact on business processes and supply chains. In the EY CEO Survey of January 2023, 31% of respondents (in Germany and globally) identified “increasing cybersecurity risks”, while 30% expected “further increases in geopolitical tensions”.
These concerns are by no means unfounded. Digital supply and service chains are increasingly being used as vectors for cyber attacks. The attacks on SolarWinds and Uber are examples of this trend. The 3CX case was itself a supply chain attack that could in turn be traced back to an earlier supply chain attack. As a result of these developments, banks, as part of the national critical infrastructure, are being targeted by state-sponsored hacking collectives.
However, digital or physical supply chains are not only targets in the cyber domain. Increasing global protectionist trends and the associated use of sanctions as a geo-economic tool have become a challenge in coordinating and managing the availability of various third parties. In short, geopolitical crises that directly affect service providers are becoming a threat to an organisation’s ability to do business.
This is accompanied by a political and regulatory trend in Western countries: the exclusion of IT components from untrustworthy states within the information networks of critical infrastructures. The exclusion of the Chinese telecommunications provider Huawei from European telecommunications networks – already completed in some Member States – can only be interpreted as a first step in this direction.
The consequences of geopolitical risks will be a focus of banking supervision in the coming years. For example, the ECB’s supervisory focus is on “strengthening resilience to immediate macro-financial and geopolitical shocks” and on the digitisation of banks and the associated operational resilience to cyber risks. The supervisory priorities of BaFin and the Bundesbank likewise address risks stemming from geopolitical tensions: the current economic developments and the consequences of the Russian aggression against Ukraine are one reason why the resilience of financial institutions, in addition to cyber and IT risks, is coming to the fore. One inherent vulnerability is the outsourcing of processes and the dependencies this creates.
However, when looking at the practical application of Third-Party Risk Management (TPRM) in German and European banking institutions, it is clear that there are still many opportunities to further develop the active management of geopolitical risks within TPRM. We aim to show how this can be achieved, where the levers in TPRM lie and what challenges need to be considered.
Mapping geopolitical risk…
If an organisation is to control and manage the impact of geopolitical risks arising from third-party relationships, it must consider the entire lifecycle of its service providers. As a starting point, the relevant business units should appropriately map the risk factors relevant to the company. This initial step should include both qualitative and quantitative elements, and must be aligned with the core information security protection objectives (confidentiality, integrity, availability, and authenticity).
At the qualitative level, the first step is to identify geopolitical risk factors within the digital supply and service chain. However, these factors should not only consider the current state of the business. Instead, the focus should be on adopting a forward-looking perspective derived from the business and IT strategy. This perspective can enable the development of methodical scenarios, which in turn can help to derive threat variables and attack vectors specific to one’s own organisation. As an analytical framework, the PESTEL scheme (political, economic, social, technological, environmental, legal) is generally suitable for this purpose.
The PESTEL framework is not only suitable for identifying and analysing risk factors with a focus on one’s own company. It allows variables from qualitative observations and quantitative country indices to be formulated and combined. These can then be applied to the service providers under management.
Various international database providers offer a range of services for this purpose: indices or combinations of indices relating to political and economic stability, levels of domestic and international violence, corruption, enforcement of intellectual property rights, sanctions and more. However, reconciling the individual factors can be particularly challenging. It is not just a question of combining variables that are disjoint and discrete in order to minimise the covariance between them. Their interfaces with other areas of the bank also need to be clearly delineated, or made complementary, in terms of areas of competence. This applies, for example, to areas such as physical security management, anti-money laundering or sanctions compliance.
Creating a meaningful index from relevant data points is one thing. Another is to map a service provider’s entire supply and service chain. This means that not only the legal domicile of a counterparty needs to be included in the country risk calculation, but also all countries involved in the supply and production chain. This can be done using either a high watermark approach or a weighting based on the criticality of the components.
Once these initial steps have been implemented, the opportunities go beyond TPRM: within the institution, the redesign of service and supply chains of service providers can potentially lead to synergies, especially if there are parallel implementation projects related to the German Supply Chain Due Diligence Act (LkSG) or the recently adopted European Supply Chain Act.
…and actively managing it along the vendor lifecycle
With regard to the third party ecosystem of digitised banking institutions, the increase in geopolitical threats and instability requires that these risks be considered and managed throughout the vendor lifecycle. This includes (1) the selection and qualification phase, (2) onboarding, (3) determining criticality, (4) risk assessment and vendor monitoring, and (5) reporting.
(1) Selection and Qualification Phase
Geopolitical risks need to be managed even before entering into a contractual relationship with a service provider. This means that even at the selection stage, for example, when obtaining bids, a country risk score can provide a critical indication of the inherent risks associated with a potential service provider. If these risks outweigh the organisation’s business and protection objectives, they can be avoided at an early stage. If the inherent risks are within an acceptable range, they can be addressed and potentially mitigated during contract negotiation or design with the potential service provider.
Taking full account of the country risk identified at this early stage provides an opportunity to exclude certain regions on the basis of their inherent risk profile. However, it also makes it possible to actively seek proposals from countries and regions that help to diversify the supplier portfolio regionally, thereby avoiding concentration risks.
(2) Onboarding
During the onboarding of a new service provider or service contract, the aim is both to facilitate a rapid start to the service or performance and, importantly, to achieve high data quality for TPRM. To adequately manage geopolitical risks, the supply and service chain needs to be reconstructed. This is the only way to ensure that all countries in the service chain are actually known at this point and can be taken into account using the selected country risk indices.
In addition, during the onboarding process, the TPRM unit should re-examine whether all regulatory requirements for availability, including the corresponding incident reporting timelines or deployment delays, are sufficiently addressed in the contract.
(3) Determining criticality
To adequately manage a service provider and its portfolio of active service contracts, their criticality must be methodically determined. This process should include the country risk identified from the onboarding data as part of the service provider’s inherent risk. In addition to the geopolitical component, criticality should primarily be derived from the (inherited) protection requirements of the business processes. To achieve this, the technical and organisational interfaces with Business Continuity Management (BCM) need to be well defined and process-integrated.
(4) Risk assessment and vendor monitoring
Risk assessment and vendor monitoring is the longest phase in the service provider lifecycle. Accordingly, geopolitical risk factors need to be continuously captured and analysed. An appropriate GRC tool (Governance, Risk, Compliance) is essential. It must reflect changes in country risk indices in real time, recalculate supplier risk scores accordingly, and provide automated alerts based on the institution’s risk appetite in the event of negative changes or trends. This is the only way for the organisation to obtain timely and consistent indications for an event-driven reassessment of service providers. As part of the supplier assessment process, it is essential to verify the evidence provided by the supplier for all country locations within the supply and service chain. These location details can also provide useful clues and a rationale for in-depth on-site audits as part of the assessment and audit process.
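The two aggregation approaches from the mapping section (high watermark versus criticality weighting across every country in a vendor's chain) and the event-driven reassessment described above, as an added worked example that is not part of the original article. All country codes, index values, vendors and the appetite threshold are constructed sample data, not real country ratings; treating the legal domicile as a full-weight component in the weighted score is an assumption of this example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    country: str        # where the component is produced or operated
    criticality: float  # 0..1 weight from the protection requirements of the business process

@dataclass(frozen=True)
class Vendor:
    name: str
    domicile: str       # legal domicile of the counterparty
    components: tuple[Component, ...]

def chain_countries(vendor: Vendor) -> set[str]:
    """Legal domicile plus every country in the supply and production chain."""
    return {vendor.domicile} | {c.country for c in vendor.components}

def high_watermark(vendor: Vendor, index: dict[str, float]) -> float:
    """High-watermark approach: chain risk is the worst country risk anywhere in the chain."""
    return max(index[country] for country in chain_countries(vendor))

def weighted_score(vendor: Vendor, index: dict[str, float]) -> float:
    """Criticality-weighted approach; the domicile counts with full weight 1.0 (assumption)."""
    pairs = [(index[vendor.domicile], 1.0)] + [(index[c.country], c.criticality) for c in vendor.components]
    return sum(risk * w for risk, w in pairs) / sum(w for _, w in pairs)

def reassessment_triggers(vendors, old_index, new_index, appetite, method=high_watermark):
    """Event-driven reassessment: vendors whose score worsened and now exceeds the risk appetite."""
    hits = []
    for v in vendors:
        before, after = method(v, old_index), method(v, new_index)
        if after > before and after > appetite:
            hits.append((v.name, round(before, 2), round(after, 2)))
    return hits

# Constructed sample data (not real country ratings): risk on a 0 (low) .. 1 (high) scale
INDEX_Q1 = {"AA": 0.10, "BB": 0.35, "CC": 0.60}
INDEX_Q2 = {"AA": 0.10, "BB": 0.35, "CC": 0.85}   # country CC deteriorates after a crisis
CORE_SAAS = Vendor("CoreSaaS GmbH", "AA", (
    Component("hosting", "AA", 0.9),
    Component("second-level support", "BB", 0.4),
    Component("HSM appliance firmware", "CC", 0.8),
))
PRINT_CO = Vendor("PrintCo", "BB", (Component("print shop", "BB", 0.2),))
VENDORS = (CORE_SAAS, PRINT_CO)
APPETITE = 0.7   # institution's risk appetite for inherent country risk
```

With the sample data, the index change in country CC pushes CoreSaaS over the appetite under the high-watermark approach but not under the weighted approach, which is exactly the methodological choice the mapping step has to make explicit.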
(5) Reporting
Targeted third party risk management requires well-informed decisions. In times of geopolitical and economic tension, the management of these relationships becomes a key management task. To promote fully informed management decisions, geopolitical risk indicators should be fully reported at least quarterly. In particular, these indicators should be clearly separated from other types of operational risk within the institution.
Achieving agility and resilience through diversity
It is not surprising, given global trends, that German and European banking supervisors are now placing greater emphasis on geopolitical risks in their examination activities. Some of these risks can be addressed through active assessment of service providers and outsourcing arrangements. However, it is clear that in many financial institutions geopolitical risks are not yet being managed throughout the supplier lifecycle.
Yet, only those who understand their entire digital supply and service chains can prevent crisis situations, globally diversify third-party risks and adjust their service provider portfolio in an emergency. The ability to actively manage geopolitical risk in third-party risk management is far more than a regulatory compliance exercise in times of global power shifts. It is increasingly becoming an essential component of the operational resilience of the business model.
The sooner financial institutions can understand and control their entire supply chains, the better their prospects for a resilient future in times of global geopolitical tension.