

‘Should there be greater industry collaboration on TPRM in financial services, including among building societies?’ In short: yes.
This question was asked by the audience during our recent webinar with Skipton Building Society. It’s a drum we've long been beating and one that financial services regulators have made central to sectoral resilience efforts. Put simply: in today’s interconnected world, collaborative supply chain defence is the only way forward.
But how can financial services organisations actually collaborate? How can IT security teams convince the C-suite to share supplier intelligence? What can firms do to navigate critical supplier challenges in a sector with limited transparency?
These questions were also raised during the webinar. This blog will explain what you can do.
Even if you’re an established Tier 1 bank with fortress-style digital security and the most efficient third-party risk management (TPRM) machine on the market, you’re still exposed to supply chain concentration risk. If a critical third-party supplier, fourth-party AI platform or fifth-party cloud service provider fails, your ability to deliver your services is at best hampered, at worst halted. Operating in silos not only leaves you blind to these risks, it also leaves you firefighting alone when a breach occurs.
On the flip side, sharing supplier information with the industry helps the whole sector pinpoint critical concentration risks and take pre-emptive action to avoid costly incidents. Sharing the TPRM burden also optimises industry resources for suppliers and enterprises (for example, by reducing duplicated effort on supplier security reviews) and raises compliance standards across the entire ecosystem.
TPRM collaboration should be framed as a necessity for operational resilience. Sharing TPRM information with the network, be it the suppliers you use or the risks you’re seeing, does not erode your competitive advantage, but it does strengthen your ability to deliver essential services.
Your C-Suite executives are understandably wary about working with competitors, but TPRM collaboration delivers sector-wide and organisational benefits. When having discussions with the C-Suite, make sure to highlight how TPRM collaboration is:
It’s hard to fight what you can’t see, so mapping your critical third-party suppliers is the first port of call. Start by identifying your Important Business Services (IBS) and the suppliers required to deliver them, then map out the key third-party suppliers that underpin each IBS and whose unavailability would adversely affect your service delivery.
In addition, Nick Cameron, Operational Resilience Leader at Skipton Building Society, says ‘prioritising around IBS’ helps you understand the core business functions that need to be in place to provide basic services, so you know what's meaningful from a business risk and resilience perspective.
In the past, there has been reluctance to share information from a legal or competitive perspective, but finding out you share the same infrastructure or SaaS platforms doesn’t threaten your competitive advantage or your contractual agreements. It simply reveals your shared risks and enables mitigation action.
If in doubt, start by sharing the ‘non-competitive type services and suppliers’ you use, which doesn’t reveal any secret sauce, such as a work management tool (e.g. Monday). Sharing this data can take place across a variety of channels, such as cybersecurity forums (e.g. FS-ISAC or the NCSC), dedicated mapping platforms (e.g. Risk Ledger) or simply getting on the phone and having an informal conversation about which critical suppliers you use.
As the financial services sector relies on a small network of specific suppliers, such as clearing houses or payment messaging service providers (e.g. SWIFT), there’s a high chance that you’ll have many third-party suppliers in common with your peers. But today’s supply chain risks tend to originate from obscure 4th, 5th or nth-party connections.
That’s why the next step is to share your supplier data with multiple financial services organisations (who share their data in return). Combining multiple supplier maps reveals shared concentration risks and vulnerabilities beyond third parties, such as your payroll provider’s work management platform (4th party) or the work management platform’s data centre (5th party).
Once you have a map of shared suppliers to the nth degree, continuously monitor for emerging issues at these suppliers and share what you find with the wider network. For example, if you learn a critical supplier has changed its data service provider, creating a single point of failure, or you spot a potential breach at a fifth-party supplier, informing the network helps stop issues like the 2025 SitusAMC breach from cascading through the ecosystem.
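To make the mapping steps above concrete, here is an added Python example (not code from this article or from Risk Ledger) that merges the supplier maps several firms have shared, ranks every node by how many firms ultimately depend on it, and computes the blast radius of a failure at any node. All firm, supplier and service names are constructed for illustration. The party numbers follow the convention used in the text: a firm’s direct supplier is a third party, that supplier’s own supplier is a fourth party, and so on.

```python
"""Merge supplier maps shared by several firms into one graph, rank nth-party
concentration risk, and compute the blast radius of a failure at any node.

Added example for this article, not Risk Ledger code. All firm, supplier and
service names below are constructed for illustration.
"""
from collections import defaultdict, deque

# What each participating firm shares: Important Business Service -> critical third parties.
FIRM_MAPS = {
    "Bank A":    {"Payments": ["PayMsgCo", "CoreLedgerCo"], "Payroll": ["PayrollCo"]},
    "Society B": {"Mortgages": ["CoreLedgerCo", "DocSignCo"], "Payroll": ["PayrollCo"]},
    "Fintech C": {"Payments": ["PayMsgCo"], "Payroll": ["HRCloudCo"]},
    "Insurer D": {"Claims": ["DocSignCo"], "Payroll": ["HRCloudCo"]},
}
# What suppliers disclose about their own critical suppliers (4th, 5th ... party).
SUPPLIER_MAPS = {
    "PayrollCo":    ["WorkMgmtTool"],
    "HRCloudCo":    ["WorkMgmtTool"],
    "WorkMgmtTool": ["DC-North"],
    "DocSignCo":    ["DC-North"],
    "CoreLedgerCo": ["DC-South"],
    "PayMsgCo":     [],
}


def build_graph(firm_maps, supplier_maps):
    """Merge the shared maps into two reverse-adjacency tables:
    firm_deps[supplier] = {(firm, service)} and sub_deps[sub] = {supplier}."""
    firm_deps, sub_deps = defaultdict(set), defaultdict(set)
    for firm, services in firm_maps.items():
        for service, suppliers in services.items():
            for s in suppliers:
                firm_deps[s].add((firm, service))
    for supplier, subs in supplier_maps.items():
        for sub in subs:
            sub_deps[sub].add(supplier)
    return firm_deps, sub_deps


def blast_radius(node, firm_deps, sub_deps):
    """Every (firm, service) that loses a dependency if `node` fails, mapped to the
    closest party relationship: 3 = third party, 4 = fourth party, and so on."""
    impact = {}
    seen, queue = {node}, deque([(node, 0)])  # BFS upstream; hops from node
    while queue:
        cur, hops = queue.popleft()
        for key in firm_deps.get(cur, ()):      # .get() so no keys are created
            impact[key] = min(hops + 3, impact.get(key, hops + 3))
        for parent in sub_deps.get(cur, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append((parent, hops + 1))
    return impact


def concentration_report(firm_deps, sub_deps):
    """Rank every node by how many distinct firms ultimately depend on it.
    Rows: (node, firm_count, closest_party, sorted_firms)."""
    rows = []
    for n in set(firm_deps) | set(sub_deps):
        impact = blast_radius(n, firm_deps, sub_deps)
        if impact:
            firms = sorted({f for f, _ in impact})
            rows.append((n, len(firms), min(impact.values()), firms))
    rows.sort(key=lambda r: (-r[1], r[2], r[0]))
    return rows


def hidden_concentrations(firm_maps, supplier_maps, min_firms=2):
    """Nodes that no firm lists as a third party, yet on which at least `min_firms`
    firms depend: the 4th/5th-party risks invisible in any single firm's map."""
    firm_deps, sub_deps = build_graph(firm_maps, supplier_maps)
    return [row for row in concentration_report(firm_deps, sub_deps)
            if row[0] not in firm_deps and row[1] >= min_firms]


if __name__ == "__main__":
    fd, sd = build_graph(FIRM_MAPS, SUPPLIER_MAPS)
    for node, count, party, firms in concentration_report(fd, sd):
        print(f"{node:13} firms={count} closest_party={party} {firms}")
    print("hidden:", [r[0] for r in hidden_concentrations(FIRM_MAPS, SUPPLIER_MAPS)])
    # Monitoring scenario: CoreLedgerCo discloses a move from DC-South to DC-North.
    changed = dict(SUPPLIER_MAPS, CoreLedgerCo=["DC-North"])
    fd2, sd2 = build_graph(FIRM_MAPS, changed)
    print("DC-North after change:", blast_radius("DC-North", fd2, sd2))
```

In the sample data the two data centres and the work management tool appear in no firm’s own third-party list, yet every firm in the network depends on DC-North and WorkMgmtTool at the fourth or fifth party. That is the concentration risk a merged map exposes and a single firm’s map cannot. Re-running the report after a disclosed change, as the final lines do when one supplier moves onto a data centre the rest of the network already relies on, is the manual form of the continuous monitoring described above.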
This becomes tricky to do manually, so Nick Cameron recommends using a platform that enables real-time transmission of insights:
“Where we want to get to is live performance…what is our exposure, what is the outcome we're after, where is our service, how is it being impacted.”
Supply chain mapping, continuous risk monitoring and seamless risk communication are core ingredients to greater TPRM collaboration and sectoral resilience in financial services.
Risk Ledger’s Active Supply Chain Security platform helps banks, building societies, asset managers and fintechs do all three. By mapping thousands of organisations on a living network, you can see nth-party concentration risks at a glance, as well as the blast radius of any potential breach. The platform also provides a seamless way to share intelligence and triage mitigation action without impacting your competitive advantage.
Many financial services organisations are already collaborating on the Risk Ledger platform. Check out our Lloyds Wealth (formerly SPW) case study to learn more.