By Phil Racco, Senior Manager, and Deepak Jaswal, LLB, CTPRP, Senior Manager.
In recent years, more organizations have had to rely on third parties to meet their operational needs. As the global business landscape continues to evolve and demands for uniquely qualified talent increase, the need for organizations to onboard third parties (vendors, service providers, contractors, and other external parties) also continues to grow. In their pursuit of efficiency, productivity, and profitability, organizations are looking to increase their use of third parties, which increases their susceptibility to additional risk exposures. Driven by a combination of factors such as supply chain disruption, geopolitical conflicts and increasing expectations of corporate responsibility, the need to better manage the risk exposures introduced through the use of third parties has heightened.
Third-party risks are potential threats to an organization derived from placing reliance on vendors, affiliates, partners, and other external parties in delivering on the organization’s business objectives. These third-party risks include exposure to cyber attacks and/or data breaches, lawsuits, reputational damage, etc. stemming from errors, vulnerabilities, or mismanagement by the third party and can result in legal, financial, strategic, security, reputational and operational damages for an organization.
What can your organization do?
As a first party (the entity delegating a function to another entity), by placing reliance on a third party, you are absolutely going to be exposed to risk, but the question becomes: how do you respond to that risk exposure? While some may consider the option of avoiding or minimizing risk exposures by reducing their reliance on third parties, this in turn creates its own inherent and residual risks, and may mean missing out on the benefits received from relying on a third party (i.e., enhanced efficiency, productivity, and profitability). Because your need for third parties is inevitable, your organization would benefit from designing a fit-for-purpose third-party risk management framework that can reflect your broader approach to risk management.
Third-party risk management focuses on identifying, evaluating, reducing, and compensating for potential threats associated with your organization’s use of third parties. In many cases, the relationship and associated risks also extend to fourth parties (subcontractors) which are entities independent of but working on behalf of the third party to deliver services to you.
With a fit-for-purpose third-party risk management framework that takes a holistic and cost-effective approach to managing your vendors and suppliers, your organization gains a better understanding of the third parties you use, the value you derive from them, the cost of services provided, and very importantly, the mutually agreed terms of service.
In the absence of a unified and integrated framework, each department across your organization will build and maintain siloed relationships with third parties, leading to uncoordinated and duplicative risk management practices. This lack of coordination, in turn, leads to an ineffective use of resources, increased risk exposures, and process inefficiencies, as each silo may only have a limited understanding of the value and potential threats posed by a third party. In many organizations, the procurement, IT, legal and human resource teams are those most likely to engage third parties, and a framework makes it possible to harmonize their activities into a single and effective process.
The third-party risk management lifecycle
Throughout your third-party relationship, risk exposures and the corresponding risk management activities vary according to the stage of the relationship. Managing them begins well before a contract is signed and continues to the contract’s expiration.
The third-party risk management lifecycle can be broken down into the following stages:
Identification and Due Diligence
This is the pre-contract stage where you identify and attempt to understand the third party you’re looking to engage, and the potential risks associated with using them. In this stage, you define requirements and conduct research on the entity and its capability to deliver the services you require. Your research will include a materiality assessment of the third party, which will help to determine the criticality and level of risk exposure posed by the relationship with your organization. Considerations for this assessment will cover the internal and external aspects of the contract.
On the internal side, you will review the nature and scope of the business activity you are seeking third-party support for, the terms on which the relationship will be managed, and the business case for using the third party (including both the benefits and potential risk exposures), amongst others.
Externally, you will consider the entity’s experience and technical competence, financial stability, reputation, Environmental, Social and Governance (“ESG”) practices, internal controls environment, business resumption and contingency measures, and possible links to unlawful acts such as financial crimes and corruption. For entities engaging in competitive procurement, your purchasing process should involve your vendors sharing information on each of these attributes, as well as how they would manage the potential risk exposures you’ve identified in the development of the business case. This will allow you to evaluate their adequacy as part of the award decision.
Contracting and Onboarding
This is a crucial stage in your organization’s third-party management where you will establish the parameters for the relationship’s success. Both parties will agree on the risks to be managed and how they will be distributed, the terms for data ownership and transfer, the scope of services to be delivered and delivery methods, Service Level Agreements, penalties for non-performance, subcontracting rules and limitations, the right to audit and offboarding process, among many others.
| Contracting Provisions |
|---|
| Data ownership and transfer |
| Scope of services |
| Delivery methods |
| Service Level Agreements |
| Penalties for non-performance |
| Subcontracting rules and limitations |
| Right to audit |
| Offboarding process |
As this is a key stage in the process, you and your team must pay attention to all the details and handle the contract with care and precision.
Performance monitoring
Now that you have a contract, the real work lies in the ongoing visibility into the activities of your third party. Organizations often take a backseat in monitoring contractual arrangements after the contract has been signed, thus exposing themselves to risks and undesirable consequences.
In this stage, you monitor third parties by tracking agreed-upon service levels and supporting key performance indicators to help ensure service delivery meets or surpasses agreed-to expectations. There is also an opportunity to conduct periodic risk examinations by reviewing assurance reports, financial statements, and other documents.
Keeping in mind that your relationship with third parties will continue to evolve, it is also important that you regularly review the terms of the contract in light of possible changes in circumstances or the need for additional diligence.
Evaluation and Offboarding/Renewal
This is a determining stage where you will make decisions on the effectiveness of the relationship after considering costs, regulatory changes, the quality of services you received, and the overall relationship with the third party.
Your next move will depend on what your management team decides. Will you create a renewal or transition plan? Will you update or terminate the contract? Will it be necessary to blacklist certain third parties and update your vendor database?
How can you get ahead?
Setting up a third-party risk management framework for your organization is a tough but necessary task. With the right guidance, you can better manage exposures created through the use of third parties.