Author: Linda Tuck Chapman, President, ONTALA Performance Solutions Ltd
So you think you know all about the third parties - vendors, channel partners, agents and others - supporting your business...but do you? In my experience, the first time business leaders see an integrated picture of key third parties supporting their business, it's a real eye opener.
Not knowing your third-party risks costs money, wastes time and can cost you your reputation. Would you like to know the key strategies that prevent unpleasant surprises from happening in the first place?
Catalysts propelling the need for better third party risk management include expensive information security breaches, corruption, cyber-spying and ever-growing regulation. Corporations, institutions and governments rely on a huge and growing pool of third parties to run their operations and deliver customer outcomes.
But here's good news: the “know your third parties world” has recently been gaining respect worldwide because of the benefits and protection it now offers. This trend was absent a few years ago, when it was almost impossible to get the resources or technology necessary to build and support an effective third party management program. Now, third-party risk management practitioners are becoming recognized as disciplined professionals who add major value because they enable three things that, if done well, reap big benefits:
Getting these benefits
Avoid years of headaches
If you put all new, renewing and amending contracts through a quick “triage” risk assessment process to determine all risks present and which of them to assess, you can fast track low value/low risk contracts through sourcing and contracting with little downside. Business, procurement, risk and legal experts can then spend their energy on the risks that really count.
Usually only the “finalist” third party receives rigorous risk assessments. But if professional sourcing and risk experts are involved, a problematic third party will rarely reach the finalist stage. Pre-contract risk assessments assess the strength of the third party's key internal controls and their ability to comply with business and statutory requirements and relevant laws.
The biggest benefit is that the buyer knows what they are getting into and can introduce measurable controls during the contracting phase. If serious issues exist, the deal will die on the table and the buyer will avoid years of headaches. In most cases, once risks are known, they can be adequately controlled through specific operational stipulations, contract terms and/or tight third-party management.
Beware of 'over-contracting'
A recent and growing practice involves aligning standard buy-side contract terms with the criticality of the services and the nature of known and potential risks. You must evaluate three factors when crafting the contract: exposure, likelihood and impact.
Think of the three as forming a risk equation: Impact = Exposure × Likelihood.
For example, management may routinely require specific subcontractor management terms and conditions for any contract with a critical third party that hosts a large volume of your customers' non-public personal information and outsources their infrastructure. Contrast this with the much lower risk of contracting with a vendor for software that, although on your critical applications list, is implemented behind your firewall.
This illustrates why you need risk-adjusted contract terms. By negotiating the terms that are most appropriate for the size, complexity and actual risks – no more and no less – you can focus your resources and attention where they are most needed.
Over-contracting consumes too much time and can be expensive. Failing to negotiate risk-adjusted terms that are appropriate for the risks you face as a buyer can prove even more expensive when things go wrong, not to mention the potential damage to your reputation and the fines and/or regulatory sanctions for failing to appropriately contract with and control your third parties.
Separate the 'must' from the 'should'
Because third party management is still a relatively new profession, most business leaders appreciate clear direction regarding what must or should be done to effectively manage critical and high-risk relationships. Sound programs describe the often long list of tasks and activities third party managers need to carry out, and how often, distinguishing mandatory tasks from recommended ones. Such programs also specify the evidence that needs to be in place - clarity that makes it easier to meet the expectations of an internal audit department and regulators.
“Mandatory” tasks include verifying invoices, periodically retesting the adequacy of the third party's key internal controls, validating that service level agreements (SLAs) have been met, and reviewing the contract to ensure both parties are living up to their obligations.
“Recommended” third party management activities may include establishing communication protocols or reviewing change control logs. These are typically determined by the business unit, not by the third party management program designer.
The job of the risk management program designer is to create the policies and protocols to identify, assess, measure, monitor and manage risks. Therefore, in most companies it isn't appropriate for the program designer to dictate day-to-day operational management practices.
Risk assess the mandatory requirements
Mandatory requirements should also be risk-adjusted. For example, in a low-risk third party relationship you may require the third party to attest that certain provisions are contained in its business continuity and disaster recovery plan - and that the plan is updated every year.
If the risk is moderate, you may also require that the third party provide a copy of its plan, to be reviewed by your business continuity plan (BCP) experts or third party manager to ensure it meets the needs of the business.
For a high-risk, critical third party you may also require that the third party allow your experts to participate in its annual BCP testing. In some cases, the third party may be required to create a custom BCP for your company.
Three key areas for development
Sound, effective third party management is a source of value that delivers many benefits. Sound third party risk management programs offer a high degree of protection before and throughout the relationship, and provide an early warning system that allows the buyer to quickly take appropriate action if something does go wrong.
Third party managers need to concentrate on three key areas to continue to expand and evolve:
Industry-specific risks may include model risk, anti-money laundering, supplier's supply chain and/or anti-corruption risk. Mature third party management organizations will have implemented a third party management risk framework, standards and policies, processes, assessments, training, and quality assurance reviews.
These sources of value merge together neatly to form an information-rich third party "portfolio management" strategy. With robust capabilities and risk reporting, your business leaders will have insight into relative strengths and weaknesses in each key third party's internal control environment, true and comparative costs, and the third party's performance against negotiated SLAs or contractual terms.
Welcome to your “know your third party world.” It's time to reap the benefits, don't you think?
About the author
Linda Tuck Chapman is a recognized expert in third party management, outsourcing governance, contract remediation/renegotiation and procurement transformation. She can be reached at email@example.com or 416-452-4635.
ONTALA Performance Solutions provides advisory services that improve business performance by conceptualizing, structuring, creating and negotiating high-impact third party relationships; leveraging best practices and proven methodologies in strategic sourcing, outsourcing, offshoring, shared services, competency benchmarking and training; and governance and vendor risk management.