Executive summary: Simplify the complexity of third-party management
Corporations continue to increase their use of third parties, depending on countless vendors, suppliers, distributors and contractors throughout their value chain. While these organizations are increasingly critical to success, third parties can expose you to greater financial, regulatory and reputational risk unless they receive the right attention and are governed by the right processes. As these relationships become more commonplace and more strategic, regulatory bodies are paying closer attention, with increased pressure and penalties.
The use of third parties has increased for several reasons, including the ability to scale rapidly, raising capacity to meet demand. Third parties can also provide increased access for organizations seeking an international presence. The right strategy can bring products to market more efficiently; instead of building costly infrastructure, organizations can partner with data centers and application providers to enhance technology resources.
Most organizations have addressed third-party risk management in a siloed and limited fashion. However, increased reliance on third parties is causing companies to review their policies and strive for a more holistic approach. For example, data privacy is a key concern amid breaches and increased attacker activity, so comprehensive processes are required that identify, and actively manage, every vendor with access to sensitive information. If an incident occurs, it does not matter whether your third party caused it: you retain ultimate responsibility, and it is your company's brand that is tarnished.
The elements of an effective third-party management program
Developing a strong third-party management process can be a complex endeavor. Each element of the program depends on sufficient resources to support it: the right people, processes and technology. Contrary to popular belief, a significant expense is not always necessary, but you do need to think through the skill sets you require and ensure that processes flow appropriately to accomplish their goals. Technology then lets you apply the program consistently across your organization.
Before you select a third party, you should complete a thorough planning phase. Planning assumes that you understand the inherent risks that your organization faces when utilizing a third party. Begin with a high-level business case, assessing alignment with strategy and other priorities, such as information technology (IT) development or mergers and acquisitions. Evaluate what functions you need to outsource, the customer and employee impact if you do so and plan for managing related risks. Only after those steps have taken place should you review the marketplace for qualified third parties.
Performing third-party due diligence involves several steps common to the typical procurement process, including issuing a request for proposal (RFP), ensuring the third party is qualified and that service-level agreements are in place. However, you must also link your inherent risks (identified in the planning stage) back to the due diligence process to ensure that a potential third party has appropriate controls in place to mitigate the relevant risks. In addition, due diligence should include reviewing the third party's system architecture, identifying and visiting its service locations and assessing its reliance on subcontractors.
To assess risk effectively, conduct detailed controls assessments of RFP finalists and perform reference calls and background checks. Assess each third party's control effectiveness based on its responses, supporting documentation and, where applicable, site visits.
After analyzing inherent risks and determining potential vendors' controls and comparing them to your needs, link this information to contract negotiations to ensure your gaps (in terms of identified risks) are covered. Contract clauses should directly reflect identified and understood risks. Retain a short list of third parties to maximize leverage on terms and incorporate RFP responses regarding standard terms into the negotiation. Make a final selection based on your total cost of ownership (including risk management) and contractual terms and obtain any required approvals.
Establish a vendor management program
Formulate a plan for each particular third party with whom you do business. The level of required oversight for performance and financial reviews will differ between third parties; some require more significant attention, while others need lighter oversight. Map contractual commitments and residual risk mitigation strategies to third-party management plan activities. Remember that the risks you are assessing, the controls in place and the action plans you establish must be relevant to each particular third party.
Ongoing monitoring and assessment
On an ongoing basis, execute your third-party management plan activities and periodically reassess risk. Execute your decisions consistently and retain the evidence, so that you can demonstrate the plan to auditors or regulators. Escalate any increase in risk or deterioration in performance, and carry out the governance and reporting you have defined.
When planning, you must identify issues and strategies for contract termination. Nobody wants to think about it, but it does happen, and both parties must be protected. Detail an orderly transition in-house or to an alternate third party, based on contractual commitments. Assess risk and ensure return or confirmation of destruction of confidential information. Also address ownership of joint intellectual property.
Any program must have oversight and accountability from executives and the board, not just from internal audit and risk management. In addition, you need sufficient documentation and reporting: information must be stored and organized so that it can be retrieved and reported on quickly. Lastly, independent reviews are necessary to evaluate your program, address evolving regulations, laws and risks, and enhance processes.
Tools to enable your program
Your program must be flexible enough to be commensurate with the inherent risks in each engagement. You cannot manage every risk with every third party in the same manner. As you think about developing your process, focus on consistent methodology, a contract repository, appropriate workflows and a platform that enables you to track and report on all activities for regulators and the board.
Retain electronic images of contracts, as well as a repository for due diligence responses. Maintain a consistent, documented algorithm for calculating aggregate inherent and residual risk, and a mechanism for tracking the calculated risk ratings and the resulting action items by third party, relationship and segment. Finally, implement a performance management system that enables program-level reporting on adherence to contractual service levels and highlights degradation in performance.
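As an added example (not from the article, and not any vendor's product or a recognized standard), here is one way to make such a scoring algorithm explicit and repeatable in Python so that every rating can be reproduced for an auditor. The five inherent-risk dimensions, the 1..5 scale, the rating thresholds, the rule that residual risk discounts inherent risk by assessed control effectiveness, the choice of maximum as the roll-up rule per third party and per segment, and the sample third parties and figures are all assumptions made for illustration; a real program would calibrate them to its own risk appetite.

```python
"""Illustrative risk-rating and roll-up model (added example, not from the article).

Assumed model: each relationship is scored 1..5 on five inherent-risk
dimensions; inherent risk is their mean; residual risk discounts the inherent
score by assessed control effectiveness; roll-ups per third party and per
segment take the maximum (a vendor is as risky as its riskiest engagement).
Dimensions, thresholds and sample data are assumptions, not a standard.
"""
from dataclasses import dataclass
from statistics import mean

INHERENT_DIMENSIONS = (
    "data_sensitivity", "business_criticality", "access_scope",
    "regulatory_exposure", "subcontractor_reliance",
)
# Lower bound of each rating band on the 1..5 scale (assumed thresholds).
RATING_BANDS = ((3.5, "high"), (2.5, "medium"), (1.0, "low"))


@dataclass(frozen=True)
class Relationship:
    third_party: str
    segment: str                  # business unit, region or other segment
    service: str
    inherent: dict                # dimension -> score 1 (low) .. 5 (high)
    control_effectiveness: float  # 0.0 (no controls) .. 1.0 (fully effective)
    sla_target: float             # contractual service level, e.g. availability %
    sla_actuals: tuple            # measured values per period, oldest first


def rating(score):
    """Map a 1..5 score to its documented rating band."""
    for floor, label in RATING_BANDS:
        if score >= floor:
            return label
    raise ValueError(f"score out of range: {score}")


def inherent_score(r):
    """Mean of the five dimension scores; rejects missing, unknown or out-of-range input."""
    missing = set(INHERENT_DIMENSIONS) - set(r.inherent)
    if missing:
        raise ValueError(f"{r.third_party}/{r.service}: unscored dimensions {sorted(missing)}")
    for dim, v in r.inherent.items():
        if dim not in INHERENT_DIMENSIONS or not 1 <= v <= 5:
            raise ValueError(f"{r.third_party}/{r.service}: bad score {dim}={v}")
    return mean(r.inherent[d] for d in INHERENT_DIMENSIONS)


def residual_score(r):
    """Inherent risk remaining after controls, kept on the same 1..5 scale."""
    if not 0.0 <= r.control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be within 0..1")
    return 1.0 + (inherent_score(r) - 1.0) * (1.0 - r.control_effectiveness)


def aggregate(relationships, key):
    """Roll up by 'third_party' or 'segment': the maximum inherent and residual score."""
    out = {}
    for r in relationships:
        k = getattr(r, key)
        inh, res = inherent_score(r), residual_score(r)
        cur = out.setdefault(k, {"inherent": inh, "residual": res, "relationships": 0})
        cur["inherent"] = max(cur["inherent"], inh)
        cur["residual"] = max(cur["residual"], res)
        cur["relationships"] += 1
    for cur in out.values():
        cur["oversight_tier"] = rating(cur["inherent"])   # oversight follows inherent risk
        cur["residual_rating"] = rating(cur["residual"])  # what is left after controls
    return out


def sla_status(r, window=2):
    """Flag a breach within the recent window and a downward trend versus earlier periods."""
    recent, earlier = r.sla_actuals[-window:], r.sla_actuals[:-window]
    breach = any(v < r.sla_target for v in recent)
    trend_down = bool(earlier) and mean(recent) < mean(earlier)
    return {"breach": breach, "trend_down": trend_down}


def degraded(relationships, window=2):
    """Relationships to escalate: service level breached or performance trending down."""
    flagged = []
    for r in relationships:
        s = sla_status(r, window)
        if s["breach"] or s["trend_down"]:
            flagged.append((r.third_party, r.service, s))
    return flagged


# Constructed sample data: fictional third parties and figures.
SAMPLE = (
    Relationship("CloudHost Co", "Retail banking", "Core application hosting",
                 {"data_sensitivity": 5, "business_criticality": 5, "access_scope": 4,
                  "regulatory_exposure": 5, "subcontractor_reliance": 3},
                 0.5, 99.9, (99.95, 99.97, 99.91, 99.80)),
    Relationship("CloudHost Co", "Marketing", "Campaign analytics",
                 {"data_sensitivity": 3, "business_criticality": 2, "access_scope": 2,
                  "regulatory_exposure": 2, "subcontractor_reliance": 2},
                 0.5, 99.0, (99.5, 99.4, 99.6, 99.5)),
    Relationship("PrintWorks", "Retail banking", "Statement printing",
                 {"data_sensitivity": 5, "business_criticality": 3, "access_scope": 2,
                  "regulatory_exposure": 4, "subcontractor_reliance": 4},
                 0.3, 98.0, (99.0, 98.9, 98.5, 97.5)),
)

if __name__ == "__main__":
    for name, agg in aggregate(SAMPLE, "third_party").items():
        print(f"{name}: inherent {agg['inherent']:.2f} ({agg['oversight_tier']} oversight), "
              f"residual {agg['residual']:.2f} ({agg['residual_rating']})")
    for tp, svc, s in degraded(SAMPLE):
        print(f"escalate {tp} / {svc}: {s}")
```

Two design choices are worth noting. The oversight tier is driven by inherent risk rather than residual risk, so a highly critical vendor keeps heavy oversight even when its controls test well; the residual rating then shows what remains for action plans. The roll-up uses the maximum rather than an average so that a low-risk engagement cannot dilute a high-risk one for the same vendor or segment.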
Critical success factors
You must establish who owns the process and obtain buy-in from leadership to gain support for decisions and to establish goals. A centralized process typically works best, but no one size fits all. Develop a risk assessment that matches your overall risk profile and is applied to a complete inventory of third-party relationships. Implement an ongoing monitoring and review program that examines the documentation obtained from third parties and confirms it is appropriate and current.
To get started, review your current program to identify gaps and apprise the board and senior management of the need for increased involvement. Develop a detailed plan, schedule and budget to address these gaps and policy, process and technology requirements. Coordinate independent review needs with audit and broaden your view to incorporate strategic, regulatory and other third-party risk expectations that could be addressed simultaneously.
Regulatory changes are inevitable, and your ability to adapt is critical. Your third-party management policies and processes are only half of the battle; consistent execution and evidence are also key. Your third-party management solution must be scalable to accommodate increasing depth and breadth of review, usable by a distributed network of stakeholders, easily configurable by business users and IT programmers and fully adaptable, transparent and comprehensive.