Talk to an Expert
Pricing

Navigating the PRA’s SS2/21 Third-Party Risk Management Requirements with Connected Risk

In March 2022, a pivotal shift occurred in the regulatory landscape for financial institutions in the UK, orchestrated by the Bank of England’s Prudential Regulation Authority (PRA). This came in the form of a new Supervisory Statement, known as SS2/21, which laid down a comprehensive framework for managing outsourcing and third-party risks. Its enactment was not just a regulatory adjustment; it was a forward-looking approach to bolstering business resilience in an era increasingly reliant on digital technologies, including cloud computing. This blog post delves into the intricate details of SS2/21, its objectives, and the expectations it sets for regulated firms, offering insights into how organizations can navigate these requirements to ensure compliance and minimize risks.

Understanding the Objectives of SS2/21

At its core, SS2/21 aims to enhance the operational resilience of UK banks, investment firms, insurance companies, and the UK branches of overseas banks and insurance firms. This ambition is realized through a set of directives that encourage the adoption of cloud services and other modern technologies, ensuring that these advances do not compromise the integrity and reliability of financial services. SS2/21 operates in harmony with the broader regulatory framework, including the PRA Rulebook and SS1/21 on operational resilience, as well as integrating the European Banking Authority’s (EBA) Guidelines on outsourcing arrangements.

A notable feature of SS2/21 is its delineation between material outsourcing arrangements and non-outsourcing third-party engagements. This distinction is crucial as it dictates the level of scrutiny and due diligence required, tailoring the regulatory approach to the risk profile of each arrangement.

Key Areas of Focus in SS2/21

SS2/21 outlines several critical areas for regulated firms to address, including:

  • Data Security: Ensuring the confidentiality, integrity, and availability of data handled by third parties.
  • Access, Audit, and Information Rights: Establishing the right to review and audit third-party services to ensure compliance and security.
  • Sub-outsourcing: Managing risks associated with further outsourcing by third-party vendors.
  • Business Continuity and Exit Strategies: Preparing for and mitigating the impact of potential disruptions in third-party services.

Navigating Third-Party Risk Management with Connected Risk

To meet the demands of SS2/21, organizations must adopt a robust third-party risk management strategy. The Connected Risk Third-Party Risk Management Solution emerges as a valuable ally in this context, offering a suite of tools designed to align with the PRA’s expectations.

Materiality Assessment and Due Diligence: Connected Risk aids firms in conducting thorough materiality assessments for vendors upon onboarding and periodically thereafter. This is a critical step to identify which third parties are considered material and thus subject to more stringent oversight.

Compliance and Risk Reporting: The solution offers extensive capabilities for risk and compliance reporting, making it easier for firms to demonstrate adherence to regulatory frameworks and to identify and mitigate risks associated with outsourcing and third-party engagements.

Addressing Specific SS2/21 Requirements: Connected Risk’s solution is designed to tackle the specific areas of focus highlighted in SS2/21. This includes tools for RFx management, contract lifecycle management, privacy impact assessments, and incident response, among others. Each of these features plays a vital role in ensuring that organizations can effectively manage the risks associated with their third-party relationships.

Conclusion

The activation of SS2/21 by the PRA marks a significant step towards enhancing the resilience of the financial sector in the face of evolving technologies and outsourcing practices. Compliance with this supervisory statement requires a comprehensive approach to third-party risk management, emphasizing the importance of due diligence, continuous monitoring, and effective governance. Solutions like Connected Risk offer the necessary tools and capabilities to meet these regulatory requirements, providing a pathway for organizations to safeguard their operations and maintain trust in an increasingly interconnected and digital financial landscape.

Like this article?

Email
Share on Facebook
Share on LinkedIn
Share on XING

Empowered Systems is a leading provider of environmental, sustainability, and governance as well as governance, risk and compliance solutions with an expansive global customer base. 

Linkedin-in Facebook Youtube Instagram

our products

our Solutions

Company info

website disclaimer

Any capabilities or technologies described on this site or shown to you are subject to intellectual property protection, including, without limitation, international copyright laws and treaties (and in some cases patents/patent applications) and all rights are reserved. Any quotation provided must be kept confidential and used only for your purchasing decision. You can share a quotation or proposal with your advisers for that purpose if they have signed an agreement with you covering non-disclosure of such information, but you may not share it with anyone else without Empowered Systems prior written consent. Any supplementary information provided by Empowered Systems shall also be treated as confidential and may only be used in the same way as the information set out in your quotation or proposal (unless otherwise specified). This website is not a quotation or proposal.

This website is provided for informational purposes only. It neither constitute an advice nor an offer capable of acceptance or create any right or obligation between Empowered Systems and the user of this website or anyone associated with the aforementioned user. Any contract will be made based on Empowered Systems standard terms and conditions. Nothing on this site creates any agreement between Empowered Systems and the user of this website.

The information on this site has been compiled with care, but Empowered Systems does not make any express or implied representation or warranty that the information is without errors or omissions and shall have no liability resulting from use of or reliance on the information (except when arising from fraudulent misrepresentation or other matters where liability cannot be excluded or limited under law).

References to Empowered Systems capability may include capability provided to Empowered Systems by third parties.

 AutoAudit® and Empowered Systems are all registered trademarks of Empowered Systems IP Holder LLC.

© 1995-2024 Empowered Systems. All rights reserved.

Empowered Systems is the trade name of Empowered Systems Ltd. in the United Kingdom. Registered Number: 13416888 in England and Wales. Registered office: 6 Lloyds Avenue, Suite 4cl, London, England EC3N 3AX.

Talk to an Expert
Pricing
Talk to an Expert
Pricing

Talk to an Expert

"*" indicates required fields

Are you looking for support?

If you're looking for product support, please login to our support center by clicking here.

First, what's your name?*
This field is for validation purposes and should be left unchanged.

Submit a Pricing Request

"*" indicates required fields

First, what's your name?*
This field is for validation purposes and should be left unchanged.

Submit an RFP Request

"*" indicates required fields

First, what's your name?*
Which solution does your RFP require a response on?*
Drop files here or
Accepted file types: pdf, doc, docx, Max. file size: 1 MB, Max. files: 4.
    This field is for validation purposes and should be left unchanged.

    GDPR Cookie Consent with Real Cookie Banner Skip to content