Third Party Risk Management
Why is third-party risk management becoming so important?
For many organisations their operating model has evolved to include a complex mix of suppliers, service providers and alliance partners that make up their extended enterprise ecosystem.
This serves as an important source of business value and strategic advantage, however, the reliance on third parties increases in variety and complexity, so do the associated risks. These business models can introduce heightened exposure to possible non-compliance and reputational damage, supply chain disruption and inconsistent customer experience.
Reputation is more important than ever in the Financial Services industry. Gone are the days when trade was purely transactional. In our expanding world of company due diligence, the term has become much broader, extending to any person or entity outside your organisation with whom you have any sort of contractual relationship; and it implies quite the opposite: inextricable closeness. One that could come under scrutiny from anyone it directly or indirectly impacts, such as regulators, customers, industry and, media and social media.
What are the 5 key things to consider in third-party risk management?
Knowing now that management of third parties is imperative to protecting your organising from brand reputational damage, data breach costs, costly operational failures and legal and ethical obligations, here are five concepts to consider when evaluating your third-party relationships:
- Know your third-party relationships. A third-party relationship is any business arrangement between an organisation and another entity, by contract or otherwise. You already recognise that companies with which you have contracts and business transactions such as vendors, suppliers, distributors and contractors are third parties. However, you may not realise that undocumented agreements that have been in place for long periods of time also qualify, including those with contract manufacturers, brokers, agents and resellers. To complicate matters, some third parties may themselves be utilising a third party without your knowledge or consent, providing additional challenges in contract management and oversight. As part of your third-party relationship management, you should obtain an understanding of whether your third parties will be subcontracting any of their obligations and whether your agreement terms and conditions flow through to them.
- Ensure adequate insurance coverage. Have your insurance coverage needs changed since the contract was signed with the third party? While the insurance coverage may have been adequate when the agreement was originally signed, any number of items such as technology, delivery locations or manufacturing locations may have changed over time, and thus your coverage may no longer be adequate. Normally, third-party relationships have a requirement for specified levels of insurance coverage. If a third party fails to maintain the proper coverages and an uncovered event or situation occurs, your organisation may face additional risk and exposure which could have been prevented during the contracting phase. Are you confident that your third parties have sufficient coverage in the event of a disaster or data breach?
- Review contracts to align with new laws. Have your contracts been updated to reflect the latest regulations for data security and privacy? With new laws regarding data security and privacy enacted over the past few years, some of your agreements likely need to be updated to clearly delineate responsibilities between the parties. For instance, do you have a clear segregation of responsibility regarding the protection of data and a plan in the event of a data breach?
- Develop and implement a third-party risk management process. A key objective of a third-party risk management process is to determine your highest-risk third-party relationships and then put activities in place to mitigate these risks to a tolerable level. You should take a holistic approach to assess third-party relationships and utilise a framework that is flexible to the evolving needs of your organization. Developing and implementing a third-party risk assessment begins with utilising a cross-functional team and defining roles and responsibilities in performing the assessment. Examples of individuals who may participate in this assessment include procurement, information technology (IT), finance and the business owners responsible for managing the relationship after execution of the agreement. You should internally define the risk assessment project plan and identify the population of your third-party relationships. Next, identify the risk categories to be assessed and deemed critical to your organization (e.g., strategic, reputational, operational, financial, compliance, security, fraud) and develop weighting criteria for each risk category to be applied to your third party. For each third party, the cross-functional team should then score the risks based on impact and likelihood so that the third parties can be categorized and prioritized in tiers. Tools such as third-party surveys may be utilized as part of this process. Once the third parties are scored and subsequently tiered, you can develop risk mitigation plans and allocate resources to focus on the higher-risk third parties. Some mitigating activities may include more focus on contract monitoring activities of that third party—including potentially conducting compliance audits.
- Use of audits to help manage risk expectations. Third-party agreements should have a right-to-audit clause—which allows you to assess if the third party is in compliance with the terms and conditions of the agreement. With the change in security and privacy concerns and with various financial regulatory laws, you may need to upgrade the wording of contract clauses or potentially create addendums to include an audit provision that addresses new risks that have arisen since the original signing of the agreement and not just the monetary provisions. Depending on the significance of the contract to your organization, you should perform periodic third-party audits to ensure the terms of the contract are being fulfilled. With a new agreement, you may want to conduct an audit to make sure the third party is aligned to your interpretation of the agreement and to induce future compliance. Conversely, if an agreement is coming to an end, a close-out audit may be beneficial to ensure the third party has performed in accordance with the conditions of the agreement. How do you determine which third party to audit and when? This information should be one of the outcomes from your third-party risk assessment
Who is responsible for managing third-party risk?
Increasingly, third-party risk is becoming a regular item on Board agendas, with CEO/Board level responsibility. It is also on the rise in more progressive organisations or those operating in highly regulated environments. It is their responsibility to create a culture of transparency and collaboration in the third-party ecosystem, while also identifying and controlling the risks that arise from such relationships.
How do you manage third-party risk?
As incidents relating to third-parties continue to rise, organisations are becoming more and more concerned about any disruption to customer service this can create or any regulation this may breach, given the growing severity of the related punitive action by regulators, and customers. At the same time, increasing decentralisation of operating units in organisations is starting to create challenges to a unified and consistent approach to third-party risk management, driving organisations to mandate consistent third-party management standards across their operating units and aspiring to increase their monitoring and assurance activities over third-parties.
The key to managing this effectively, is to implement a specific third party risk management program, strategy or framework. For greatest efficiency, organisations in the Financial Industry must:
Manage and Assess Third-Party Risks:
- Conduct Third-Party Screening, Onboarding, and Due Diligence
- Focus on Fourth Parties
- Establish a Tone at the Top with Board-level oversight
- Focus on IT Vendor Risk
- Ensure Appropriate Investment and Staffing
- Evaluate the Effectiveness of the third-party risk management program
- Build Mature third party management processes
- Leverage Technology
What are the regulators saying about Third Party Risk Management?
Our regulators are starting to implement processes to address the changing regulatory environment and cyber threat landscape associated with Third Parties.
From July 2020, APRA’s CPS 234 Information Security Prudential Standard will impact all APRA regulated entities and all their suppliers. It is now widely acknowledged that it is time to enforce the issues of cyber risk management, especially as it relates to third parties.
Third parties are often the weakest link in an organisation’s information security and data management chain for APRA-regulated entities. In fact, 44% of all Financial Services (FS) organisations have experienced a data breach or outage caused by a third party. This is predominantly due to many third parties having fewer or less stringent security controls in place, making them ideal targets for threats.
In today’s complex, outsourced environment, it’s critical to step up third-party risk management initiatives to protect both reputation and revenue. Organisations and regulators within the Financial Services industry must be proactive in identifying risks, set clear and accountable third-party risk frameworks and continuously monitor and regulate their third party ecosystem to remain compliant and avoid damage.