Welcome to the new 'know your third party' world

Published: 01 Oct 2014
This article appeared in Contracting Excellence magazine on 01 Oct 2014

Author: Linda Tuck Chapman, President, ONTALA Performance Solutions Ltd

So you think you know all about the third parties - vendors, channel partners, agents and others - supporting your business...but do you? In my experience, the first time business leaders see an integrated picture of key third parties supporting their business, it's a real eye opener.

Not knowing third-party risks costs money, wastes time and can cost you your reputation. Would you like to know key strategies that can prevent unpleasant surprises from happening in the first place?

Catalysts propelling the need for better third party risk management include expensive information security breaches, corruption, cyber-spying and ever-growing regulation. Corporations, institutions and governments rely on a huge and growing pool of third parties to run their operations and deliver customer outcomes.

But here's good news: the “know your third parties world” has been gaining increasing respect worldwide recently because of the benefits and protection it now offers. This growing trend was absent a few years ago when it was almost impossible to get the resources or technology necessary to build and support an effective third party management program. But now, third-party risk management practitioners are becoming recognized as disciplined professionals who add major value because they enable three things that, if done well, reap big benefits:

  1. risk identification and pre-contract risk assessment
  2. risk-adjusted contracting and
  3. effective post-contract third party management.


Avoid years of headaches

If you put all new, renewing and amending contracts through a quick “triage” risk assessment process to determine all risks present and which of them to assess, you can fast track low value/low risk contracts through sourcing and contracting with little downside. Business, procurement, risk and legal experts can then spend their energy on the risks that really count.

Usually only the “finalist” third party receives rigorous risk assessments. But if professional sourcing and risk experts are involved, a problematic third party will rarely reach the finalist stage. Pre-contract risk assessments assess the strength of the third party's key internal controls and their ability to comply with business and statutory requirements and relevant laws.

The biggest benefit is that the buyer knows what they are getting into and can introduce measurable controls during the contracting phase. If serious issues exist, the deal will die on the table and the buyer will avoid years of headaches. In most cases, once risks are known, they can be adequately controlled through specific operational stipulations, contract terms and/or tight third-party management.

Beware of 'over-contracting'

A recent and growing practice involves aligning standard buy-side contract terms with the criticality of the services and the nature of known and potential risks. You must evaluate three factors when crafting the contract: exposure, likelihood and impact:

  • Impact is your assessment of the consequences of the third party's failure.
  • Exposure is your fact-based awareness of the type of risks your company faces if it moves forward with the third party selected.
  • Likelihood is your evaluation of the reasonable probability of things going seriously sideways.

Think of the three as forming a risk equation: Impact = Exposure × Likelihood.

For example, management may routinely require specific subcontractor management terms and conditions for any contract with a critical third party that hosts a large volume of your customers' non-public personal information and outsources their infrastructure. Contrast this with the much lower risk of contracting with a vendor for software that, although on your critical applications list, is implemented behind your firewall.

This illustrates why you need risk-adjusted contract terms. By negotiating the terms that are most appropriate for the size, complexity and actual risks – no more and no less – you can focus your resources and attention where they are most needed.

Over-contracting consumes too much time and can be expensive. Failing to negotiate risk-adjusted terms that are appropriate for the risks you face as a buyer can prove even more expensive when things go wrong. Not to mention potential damage to your reputation, fines and/or regulatory sanctions for failing to appropriately contract with and control your third parties.

Separate the 'must' from the 'should'

Because third party management is still a relatively new profession, most business leaders appreciate clear direction regarding what must or should be done to effectively manage critical and high-risk relationships. Sound programs describe the often long list of tasks and activities third party managers need to carry out and how often, differentiating between mandatory tasks versus recommended ones. Such programs also specify the evidence that needs to be in place - clarity that makes it easier to meet the expectations of an internal audit department and regulators.

“Mandatory” tasks include verifying invoices, periodically retesting the adequacy of the third party's key internal controls, validating that service level agreements (SLAs) have been met, and reviewing the contract to ensure both parties are living up to their obligations.

“Recommended” third party management activities may include establishing communication protocols or reviewing change control logs. These are typically determined by the business unit, not by the third party management program designer.

The job of the risk management program designer is to create the policies and protocols to identify, assess, measure, monitor and manage risks. Therefore in most companies it isn't appropriate for the program designer to dictate day-to-day operational management practices.

Risk-assess the mandatory requirements

Mandatory requirements should also be risk-adjusted. For example, in a low-risk third party relationship you may require the third party to attest that certain provisions are contained in its business continuity and disaster recovery plan - and that the plan is updated every year.

If the risk is moderate you may also require that the third party provide a copy of its plan, to be reviewed by your business continuity plan (BCP) experts or third party manager to ensure it meets the needs of the business.

For a high-risk, critical third party you may also require that the third party allow your experts to participate in its annual BCP testing process. In some cases, the third party may be required to create a custom BCP for your company.

Three key areas for development

Sound, effective third party management is a source of value, delivering so many benefits. Sound third party risk management programs offer a high degree of protection before and throughout the relationship and enable an early warning system that allows the buyer to quickly take appropriate action if something does go wrong.

Third party managers need to concentrate on three key areas to continue to expand and evolve:

  1. Cost management must be fact-based and deliver visibility into actual costs for contracted goods and services. This includes transition and implementation costs and the calculated costs of managing the relationship, realizing negotiated savings and threshold discounts, and leveraging price de-escalation clauses. This is broader than a total cost of ownership (TCO) calculation, because it includes visibility and reporting for baseline costs, cost/price de-escalations and TCO over time.
  2. Risk management must be consistent and sustainable (repeatable). It must enable structured assessment of the strengths of the third party's internal controls over many facets of risk. While some may be industry-specific, common risks include information security, privacy, business continuity planning, compliance with your code of conduct, reputation, regulatory and legal risks, financial viability and subcontractor management, to name a few.

Industry-specific risks may include model risk, anti-money laundering, supplier's supply chain and/or anti-corruption risk. Mature third party management organizations will have implemented a third party management risk framework, standards and policies, processes, assessments, training, and quality assurance reviews.

  3. Performance management must apply to the negotiated contract, and ensure that you are receiving everything contracted. It addresses all aspects of a healthy working relationship with your critical third parties. It also means monitoring your third parties throughout the relationship so you know if something has changed. It includes the following:
  • transition and implementation management, relationship management, operations management, change management, compliance management, service level agreement management;
  • communications, business reviews;
  • insurance coverage verification; and
  • independent quality and control assessments like SSAE16 or ITIL.

These sources of value merge together neatly to form an information-rich third party "portfolio management" strategy. With robust capabilities and risk reporting, your business leaders will have insight into relative strengths and weaknesses in each key third party's internal control environment, true and comparative costs, and the third party's performance against negotiated SLAs or contractual terms.

Welcome to your “know your third party world.” It's time to reap the benefits, don't you think?

About the author

Linda Tuck Chapman is a recognized expert in third party management, outsourcing governance, contract remediation/renegotiation and procurement transformation. She can be reached at lindatuckchapman@ontala.com or 416-452-4635.

ONTALA Performance Solutions provides advisory services that improve business performance by conceptualizing, structuring, creating and negotiating high-impact third party relationships; leveraging best practices and proven methodologies in strategic sourcing, outsourcing, offshoring, shared services, competency benchmarking and training; and governance and vendor risk management.
