More organizations are utilizing third parties to achieve their strategic objectives, increasing efficiency and cost savings by shifting non-core or specialized functions to more experienced providers. As outsourcing grows in popularity and provider options rapidly increase, regulatory oversight is also expanding to monitor the sensitive data and processes that third parties are managing. What must be remembered is that while processes can be outsourced, their inherent risks cannot.
Given the resulting productivity and financial benefits, the use of third parties is projected to increase further in the future. Therefore, your third-party controls and monitoring strategies must evolve, not only to ensure that third parties are performing effectively and in compliance with your agreements, but also to secure proprietary information and protect your company from reputational damage or from inadvertently violating laws.
Here are five concepts to consider when evaluating your third-party relationships:
Know your third-party relationships. A third-party relationship is any business arrangement between an organization and another entity, by contract or otherwise. You already recognize that companies with which you have contracts and business transactions such as vendors, suppliers, distributors and contractors are third parties. However, you may not realize that undocumented agreements that have been in place for long periods of time also qualify, including those with contract manufacturers, brokers, agents and resellers. To complicate matters, some third parties may themselves be utilizing a third party without your knowledge or consent, providing additional challenges in contract management and oversight. As part of your third-party relationship management, you should obtain an understanding of whether your third parties will be subcontracting any of their obligations and whether your agreement terms and conditions flow through to them.
Ensure adequate insurance coverage. Have your insurance coverage needs changed since the contract was signed with the third party? While the insurance coverage may have been adequate when the agreement was originally signed, any number of items such as technology, delivery locations or manufacturing locations may have changed over time, and thus your coverage may no longer be adequate. Normally, third-party relationships have a requirement for specified levels of insurance coverage. If a third party fails to maintain the proper coverages and an uncovered event or situation occurs, your organization may face additional risk and exposure which could have been prevented during the contracting phase. Are you confident that your third parties have sufficient coverage in the event of a disaster or data breach?
Review contracts to align with new laws. Have your contracts been updated to reflect the latest regulations for data security and privacy? With new laws regarding data security and privacy enacted over the past few years, some of your agreements likely need to be updated to clearly delineate responsibilities between the parties. For instance, do you have a clear segregation of responsibility regarding the protection of data and a plan in the event of a data breach? As companies expand internationally, compliance with the Foreign Corrupt Practices Act (FCPA) has received more attention due in part to concerns pertaining to foreign third parties’ compliance measures. Additionally, several countries have passed anti-bribery laws that are equally, if not more, stringent; these laws create a somewhat complicated lattice of legal jurisdictional issues should a company be subject to an investigation.
Develop and implement a third-party risk management process. A key objective of a third-party risk management process is to determine your highest-risk third-party relationships and then put activities in place to mitigate these risks to a tolerable level. You should take a holistic approach to assess third-party relationships and utilize a framework that is flexible to the evolving needs of your organization. Developing and implementing a third-party risk assessment begins with utilizing a cross-functional team and defining roles and responsibilities in performing the assessment. Examples of individuals who may participate in this assessment include procurement, information technology (IT), finance and the business owners responsible for managing the relationship after execution of the agreement. You should internally define the risk assessment project plan and identify the population of your third-party relationships. Next, identify the risk categories to be assessed and deemed critical to your organization (e.g., strategic, reputational, operational, financial, compliance, security, fraud) and develop weighting criteria for each risk category to be applied to your third party. For each third party, the cross-functional team should then score the risks based on impact and likelihood so that the third parties can be categorized and prioritized in tiers. Tools such as third-party surveys may be utilized as part of this process. Once the third parties are scored and subsequently tiered, you can develop risk mitigation plans and allocate resources to focus on the higher-risk third parties. Some mitigating activities may include more focus on contract monitoring activities of that third party—including potentially conducting compliance audits.
Use audits to help manage risk expectations. Third-party agreements should have a right-to-audit clause, which allows you to assess whether the third party is in compliance with the terms and conditions of the agreement. With the change in security and privacy concerns and with various financial regulatory laws, you may need to upgrade the wording of contract clauses or potentially create addendums to include an audit provision that addresses new risks that have arisen since the original signing of the agreement, not just the monetary provisions. Depending on the significance of the contract to your organization, you should perform periodic third-party audits to ensure the terms of the contract are being fulfilled. With a new agreement, you may want to conduct an audit to make sure the third party is aligned with your interpretation of the agreement and to encourage future compliance. Conversely, if an agreement is coming to an end, a close-out audit may be beneficial to ensure the third party has performed in accordance with the conditions of the agreement. How do you determine which third party to audit and when? This information should be one of the outcomes of your third-party risk assessment.
Leveraging third parties can help your business gain significant efficiencies, but you must remember that the inherent risk still lies with your organization. Taking these five key points into consideration will enable you to implement a flexible third-party relationship risk framework that helps ensure third parties are performing effectively, and your organization remains in compliance with evolving laws and regulations.