For years after the financial crisis, the primary catalyst behind enterprise efforts to strengthen third-party management was regulatory scrutiny. Today however, companies are recognizing that by proactively detecting and mitigating third-party risks and other issues, they aren’t just ticking a compliance check-box. They are actually building trust with customers, strengthening confidence with boards and investors, and improving overall business performance. Put simply, effective third-party governance just makes good business sense
As a result, companies are now going beyond traditional third-party surveys and assessments. They’re taking comprehensive steps to ensure that their third parties are protecting confidential IT information, avoiding unethical practices, keeping up a safe and healthy working environment, strengthening supply chain security, handling disruptions effectively, and sustaining high quality and performance levels. It is in this context that there emerges the need for an integrated view of third-party risk, compliance, performance, quality, and adherence to contracts. Developing a strategy to optimize third party relationships is essential, as is knowing the third parties one deals with.
As the world gets flatter, third-party ecosystems are rapidly expanding. With more third parties come more risks, regulations, rules, policies, standards, and data that need to be managed in a holistic manner.
The advent of the cloud, virtual data centers, and hosted apps has given rise to multiple IT service vendors who can efficiently process critical business information. The result is more convenience but also more risk exposure.
On one hand, social media provides a platform for companies to strengthen communication and collaboration with their third parties in an informal setting. On the other hand, it creates potential data security and privacy risks that can get out of control if not managed efficiently.
The Office of the Comptroller of the Currency in the US, the Financial Conduct Authority in the UK, and many others have stipulated regulations and guidelines for third-party governance. The underlying message is that while companies can outsource their activities, they can’t outsource their responsibilities.
Each third-party relationship introduces a number of risks. Some of these risks are multi-dimensional i.e. they extend across suppliers, vendors, contractors, service providers, and other third parties. Other risks may impact different levels of the organization such as product lines, business units, and geographies. Staying ahead of these risks requires a systematic approach:
a. Identify important third-party risks such as political risks, undesirable events, financial risks, contract risks, legal and regulatory compliance risks, and information system failures. Follow it up with an analysis of the specific drivers that increase third-party risk.
b. Focus on contracts that govern third-party relationships. A comprehensive and carefully written contract will outline the rights and responsibilities of all parties, enabling the organization to effectively manage its third-party relationships.
c. Design and implement policies and controls to mitigate third-party risks. Also, build appropriate monitoring and testing processes to ensure that the controls are working as expected.
d. Leverage content from external sources such as Dow Jones, Dun & Bradstreet, BitSight, and SecurityScorecard. These firms curate third-party data from adverse media reports, sanction lists, information on politically exposed persons (PEP), cybersecurity ratings, and other sources – all of which can be invaluable when identifying potentially high-risk third parties
A robust third-party screening and due diligence process provides a clear understanding of third-party risks. It also helps companies choose the right firms to work with. The process is often part of a larger third-party onboarding program which forms the backbone of effective third-party management. During onboarding, companies can capture all the required third-party information along with certifications, contracts, and documents. Meanwhile, onboarding assessments can help determine the level of risk monitoring required for each third party.
Many organizations adopt a risk-based approach to third-party due diligence. They stratify third parties into various risk categories based on the offered product or service, as well as third-party location, countries of operation, and other key factors. Based on the resulting risk category and score, the appropriate level of screening and due diligence can be defined. One thing to remember is that due diligence isn’t a one-time event. Third-party risks can change anytime, and therefore, companies need to have continuous monitoring and screening processes to ensure that nothing slips through the cracks.
Parties Often, companies have landed in trouble over worker exploitation issues or data breaches resulting not from their primary third parties, but from sub-contractors – particularly unauthorized sub-contractors. That’s why it’s important to have complete visibility into the third-party ecosystem. Companies need to be able to determine if products and services are being provided by third parties, or if they are actually being sub-contracted to a fourth party. One way of doing that is to contractually bind third parties to inform and gain approvals on any kind of fourth-party involvement. Another good practice is to ensure that all essential fourth-party information is collected and stored. Fourth parties should also be included in the scope of the screening and risk management process.
The senior management, including the C-suite and board, are ultimately accountable for third-party risks. It is their responsibility to ensure that sufficient risk management processes, frameworks, and controls are in place. They also need to be aware of the top risks inherent in third-party relationships, so that they can make informed decisions.
The health of a third-party risk management program depends, to a large extent, on the involvement of the C-suite and board. When they demonstrate a commitment towards fostering a culture of risk awareness and accountability, as well as investing sufficient resources in risk mitigation, that’s when third-party governance programs are likely to succeed
With more third parties being given access to sensitive company information, the likelihood and impact of data security incidents have risen. In the past few years, some of the biggest companies have been brought to their knees by data breaches resulting from a vendor vulnerability or unsecured network. Therefore, vendor data security and privacy risk management have become important elements of any third-party governance program. To keep risks in check, vendors need to be categorized based on their risk profile, and then subject to an appropriate level of risk monitoring.
A useful tool in these efforts is the “Standard Information Gathering” (SIG) questionnaires from Shared Assessments which can be used to gather key information about a vendor’s IT, privacy, and data security controls. Content providers like BitSight and SecurityScorecard also provide useful information on the cybersecurity posture of third parties
How do you know if your approach to third-party management is effective? How do you determine if any gaps or issues have risen? Here’s where it helps to regularly evaluate all aspects of third-party management, including policies, codes of conduct, processes, controls, compliance surveys, assessments, and audits. By measuring the effectiveness of third-party management programs, stakeholders can determine if potential risks are being identified and mitigated, if compliance requirements are being met, and if appropriate remediation actions are being carried out when red flags arise.
As part of the evaluation, companies can also check if sufficient resources have been allocated to third-party management with well-defined responsibilities. A 360-degree view of the third-party ecosystem is a must
A “siloed” approach to third-party management—wherein different departments manage different third-party processes—can often lead to redundancies and duplication of effort. It also complicates the aggregation and roll-up of risk information, making it difficult for senior management to achieve a holistic view of third-party relationships.
Overcoming this challenge calls for greater integration and collaboration. A common language can be established across the enterprise to talk about third-party risks. Additionally, a single system can be used to coordinate third-party risk management, as well as third-party compliance, performance management, due diligence, and other key processes.
As third-party ecosystems grow more complex, technology is playing a critical role in strengthening risk evaluation, monitoring, and management. An integrated third-party management solution can offer the following benefits:
a. Comprehensive visibility into third-party risks, compliance issues, and other key insights that enable companies to take pre-emptive risk mitigation measures towards protecting the business
b. Ability to automate and streamline third-party information management, onboarding and due diligence, as well as risk management, audits, compliance management, and performance management
c. Agility to respond to changes in competitive markets, regulations, and geopolitical environments
d. Comprehensive and validated information about a third party, including their profile, contracts, documents, and service level agreements
e. Risk intelligence to support decision-making with advanced reporting and dashboard capabilities that consolidate and roll up third-party data
The average mid-sized enterprise has anywhere between 500 and 5,000 third parties, while large-sized enterprises can have up to 10,000 third parties. These numbers aren’t likely to decrease anytime soon, and that makes it all the more imperative for companies to step up their third-party management efforts. An integrated, streamlined third-party management process built on a strong technology solution can provide the required level of third-party visibility that companies need to make confident sourcing decisions.
It can also strengthen one’s ability to prevent, detect, and respond to third-party risks and disruptions proactively. The result is a more resilient enterprise that is well-positioned to maximize the value of their third-party relationships.