Organizations rely heavily on their third parties for improved profitability, faster time to market, competitive advantage, and decreased costs. However, third-party relationships come with multiple risks, including strategic, reputational, regulatory, information security, and financial risks. Penalties and reputational damage from non-compliance, supply chain disruptions, security breaches, and data thefts involving third parties are driving companies to continually improve their Third-Party Management (TPM) programs.
With third parties spread across the world, supply chain disruption risks are on the rise. Be it the earthquake and tsunami in Japan, the Thailand floods, or the labor dispute at the West Coast port, these disruptions greatly affected the flow of goods and services to organizations. Without an appropriate business continuity plan to deal with these unpredictable events, organizations suffer not only monetary losses, but also customer losses to competitors.
To minimize the impact of third-party risks on business performance and brand image, the scope of TPM is expanding beyond traditional surveys and assessments for third-party risks and compliance. Companies are now taking more comprehensive steps to ensure that their third parties not only comply with regulations, but also protect confidential IT information, avoid unethical practices, keep up a safe and healthy working environment, strengthen supply chain security, handle disruptions effectively, and sustain high quality and performance levels.
It is in this context that there emerges the need for an integrated view of third-party risk, compliance, performance, quality, and adherence to contracts. Developing a strategy for optimizing third party relationships is essential, as is knowing the third parties one deals with.
Globalization - As the world gets flatter, organizations with global third-party networks are faced with a multitude of rules, policies, data, standards and regulations – all of which make the case for a robust TPM program.
Virtualization - Technology has dramatically changed the way organizations operate. With the advent of the cloud, virtual data centers, and hosted apps, companies are using vendors to process their critical business information, thus transferring data outside their firewalls. Recent data breaches and security incidents have highlighted the vendor risks that come with virtualization, and the need to have deeper visibility into the third-party ecosystem.
Social Media - On one hand social media improves transparency, collaboration, and efficiency across the third-party network. On the other hand it brings along potential security risks and privacy concerns for business-critical information. The key is to leverage social media to gather third-party intelligence, while also identifying and mitigating the risks that come along.
Mobility - Ubiquitous access to data across mobile devices poses multiple security risks. As data access becomes easier, and as security breaches proliferate, a strong TPM program is essential to ensure accountability.
Each third-party relationship brings with it a number of risks that need to be identified in time. These risks are often multi-dimensional as they extend across suppliers, vendors, contractors, service providers, and other parties, and can have an impact on different levels of the organization such as product lines, business units, and geographies.
An effective third-party risk management process begins by comprehensively identifying third-party risks such as process risks, political risks, undesirable events, contract risks, legal and regulatory non-compliance risks, and information system failures. This risk identification process should be followed by an analysis of the specific drivers that increase third-party risk.
A good practice is to focus strongly on contracts that govern third-party relationships. A comprehensive and carefully written contract that outlines the rights and responsibilities of all parties can help you better manage third-party relationships.
It’s also important to frame policies, and implement controls to mitigate third-party risks. Appropriate monitoring and testing processes are key in ensuring that risk mitigating controls are working as expected.
To strengthen third-party monitoring, leverage content from external sources such as Dow Jones, D&B, and Regulatory DataCorp (RDC) which curate adverse media reports, sanction lists, Politically Exposed Persons (PEP), and other third-party data. This external content is invaluable in identifying and flagging potentially high-risk third parties before they cause a failure.
An effective third-party screening and due diligence program provides a better understanding of third parties, and helps you choose the right firm to work with.
Leading organizations are taking a risk-based approach to third-party screening and due diligence. As part of the onboarding process and on a regular basis, these organizations stratify their third parties into various risk categories based on the offered product or service, as well as the third-party’s location, countries of operation, and other key factors. They then define screening and due-diligence process based on the risk categories. The level of due diligence is based on the risk score of the third party.
The third-party onboarding process is really the backbone of an effective TPM program. It helps capture complete third-party information along with the necessary certifications, contracts, and documents. Onboarding assessments are also needed to help determine the level of risk monitoring required for each supplier.
Continuous third-party monitoring and screening is the key to helping companies make informed decisions about their third parties. Many organizations leverage screening data providers to receive real-time alerts and data feeds on third parties. They also screen their third parties against global sanctions lists, as well as global regulatory, law enforcement, and watch lists, adverse media reports, PEPs, and state-owned enterprises.
The due-diligence process does not end with third-party on-boarding. It’s important to continue identifying risk areas, and conducting appropriate due diligence on an ongoing basis.
The factory fires in Bangladesh highlighted, yet again, the problem of unauthorized sub-contracting. It exposed how organizations do not often have complete visibility into their supply chains which puts them in a risky position.
It’s critical to determine if products and services are actually provided by third parties, or if they are in fact sub-contracted to a fourth party. The key is to contractually bind third parties to inform and get approvals on any fourth-party involvement. Also, gather and manage fourth-party information as part of the third-party ecosystem. Ensure that fourth parties are in the scope of screening and risk management processes.
The senior management, including the C-suite and Board, are accountable for the risks in third-party relationships. It is their responsibility to create a culture of transparency and collaboration in the third-party ecosystem, while also identifying and controlling the risks that arise from such relationships.
With third parties accessing regulated company information, the likelihood and impact of IT security incidents are on the rise. Therefore, view IT vendor risk in the purview of the larger third-party risk management program. Categorize vendors based on their risk profile, and define an appropriate monitoring mechanism. Also, leverage external sources for third-party risk assurance. For instance, there are standard “Standard Information Gathering” (SIG) questionnaires from content providers such as Shared Assessments, which can be used to obtain the necessary information about a vendor’s IT, privacy, and data security controls.
As organizations realize the importance of a TPM program, many are increasing their investments in these programs. The investments should ideally be focused not only on ensuring regulatory compliance, but also on managing third-party risk, and improving third-party performance. Appropriate staffing is also essential to manage TPM initiatives at optimal levels, both locally and across the globe.
Implement a robust process to ensure the effectiveness of the TPM program, including policies, codes of conduct, processes, controls, compliance surveys, assessments, and audits. Make sure that all allocated TPM resources are available, have their responsibilities defined, and are working as planned. A 360-degree view of the third-party ecosystem is also a must.
Evaluate the program at regular intervals to determine if potential risks are being identified and mitigated, if compliance requirements are being met, and if appropriate remediation actions are being carried out when red flags arise. Also, have well-defined metrics to measure the effectiveness of the TPM program.
Many companies adopt a “siloed” approach to TPM wherein different departments manage different third-party processes. This leads to redundancies, and makes it difficult to gain a holistic view of third-party relationships. The best way to overcome this challenge is to standardize TPM processes across departments and functions. Adopt consistent, well-defined processes for third-party screening, onboarding, risk assessments, due-diligence, audits, performance management, and continuous monitoring. Make third-party information available centrally to facilitate oversight, accountability, monitoring, and risk management, and to ensure that nothing falls through the cracks.
As the TPM program extends beyond the first tier of the supply chain, technology will play a critical role in strengthening third-party risk assessments, monitoring, and management. Integrated technology solutions offer a common platform to manage multiple third parties, and provide greater visibility into risks and compliance issues.
Technology can also streamline third-party information management, onboarding and due diligence processes, risk management, audits, compliance management, and performance management.
Many companies leverage technology to automate TPM processes, and to map third-party information for better traceability. They also maintain third-party contracts, documents, SLAs, and other important information in a centralized database for easy access.
Advanced technology solutions consolidate and roll up third-party risk intelligence to support decision-making. These solutions also integrate with reliable industry sources to aggregate, validate, and enrich third-party data. They help identify high-risk third parties, assess their risk impact and likelihood, identify risk ratings, and monitor controls to keep risks in check. Sophisticated solutions also provide advanced survey and assessment capabilities for due-diligence, compliance monitoring, and control effectiveness evaluations.
In today’s complex, outsourced environment, it’s critical to step up TPM initiatives to protect both reputation and revenue. Gain a clear view of the third-party ecosystem, and adopt a proactive approach to manage associated risks. Be well-prepared to manage supply chain disruptions by proactively identifying hidden risks, and using well-defined business continuity plans. Also, establish a robust closed-loop process to continuously evaluate third parties based on regulatory compliance and performance. The key is to effectively manage the third-party ecosystem in such a way as to create a culture of transparency and accountability.