In times of crisis, it’s especially critical to know who critical suppliers are, to proactively monitor them for risk and to ensure they’re complying with business continuity plans. ISG’s David England discusses how organizations can manage supply chain risk in these uncertain times.
When the current year draws to a close, the global business community isn’t likely to remember it fondly. Amid the turbulence, however, 2020 will emerge as the year third-party risk management finally got the credit it’s due as a critical element of long-term success.
Many businesses, of course, understand the importance of knowing their provider ecosystem and having strong back-up plans for one or several locations. Yet the COVID-19 pandemic has brought to light the need to plan for continuity and recovery in the face of all locations going offline, and it has exposed the widespread dependence on – and common weaknesses with – third-party relationships.
What are the elements of robust third-party risk management, and how would the pandemic experience of 2020 have looked different for your company if you’d had one in place?
Organizations need to be confident the services they outsource are secure and resilient – a particular challenge in an environment of fragmented sourcing, rapid growth in as-a-service solutions and increased reliance on dozens, hundreds or even thousands of third-party suppliers.
First, organizations should know who their critical suppliers are. In a crisis, one of the first things to do is quickly analyze delivery locations and be able to connect with the right supplier contacts.
Organizations must also ensure they’re fully equipped to manage the risks created by these relationships, a complicated area that’s seeing an increase in regulatory scrutiny, with good reason. Unless the relationship is well managed, it can pose a significant risk to the organization.
The types of risks third-party suppliers can pose to a business include:
- Reputational risk, based on a failure or event caused by the service or products of the third party;
- Operational risk to the business, in the event a supplier – or the supplier’s suppliers – experience a technology or systems failure that impacts the contracting enterprise;
- Business continuity and resilience risk: Does the third party have adequate disaster recovery and business continuity plans to maintain delivery in a catastrophic event?
- Information security and privacy risk, to guard against a data breach or security event;
- Strategic risk, such as geopolitical, regulatory, legal and economic risk of sourcing to a country or region;
- Regulatory risk from noncompliance with regulations; and
- Financial risk, in the event the supplier is not financially stable and viable enough to continue to provide services or products.
The banking and financial services industry, for example, is well-positioned to successfully manage business interruptions, thanks to stringent reporting regulations that were put in place after previous crises. We recently worked with a financial services company that has more than 13,000 supplier relationships and 7,000 business managers overseeing those relationships, but because they had a broad understanding of who their suppliers are, which suppliers have access to what information and what protections are in place, they could quickly maneuver their business to respond to the shutdown.
All organizations need a comprehensive, data-driven way to control risk throughout the life of the relationship. Third-party risk management services are becoming more common because they help organizations create a safe, coordinated and efficient sourcing environment so the business can focus on its strategic goals rather than on the minutiae of their sourcing relationships. Businesses also need an organizational focus and a single point of contact for third-party risk management.
The First Line of Defense in Third-Party Risk Management
Many mature third-party risk management programs have adopted a three-tier structure: first line of defense, second line of defense and third line of defense (also referred to as internal audit). Implementation of these tiers varies widely across industries, which can lead to confusion and inadequate preventative measures to control third-party risks.
The first line of defense – the business or business unit – is critical in managing the risks associated with using third-party service providers. To prevent risk exposure and protect the organization, a manager should be named and held accountable for third-party risk management activities.
Importantly, managers designated for this role should have enough time and resources available to oversee their assigned third-party supplier relationships. Depending on the number and complexity of relationships, each business unit may need to identify multiple resources and may also need a senior manager to oversee the role.
The manager will ensure third-party risk management life cycle framework standards are followed and will be the single point of contact for all stakeholder groups. The manager and their business unit leadership must understand their role in protecting the company from third-party risk, and must have – or advocate for – the right resources to do the job. The comprehensive activities they supervise can be both preventative and reconciliatory.
The third-party manager should know each relationship, its contracted terms and all its potential risks inside and out, with a particular eye for detail. Successful management of third-party providers is not just done at engagement and termination; it is an ongoing process that takes time and resources. The four key competencies of a third-party risk manager are:
1. Know the Business
A third-party manager will know exactly what each provider is delivering to the business (both to their own business unit and elsewhere across the business). Within their own business unit, they’ll understand all the operational details of the product or service provided and why it is needed.
This includes reviewing and assessing third-party process maps and being knowledgeable about third-party technology systems, as well as understanding any limitations and vulnerabilities of the provider.
When it comes to third-party service providers who have access to sensitive or customer data, the third-party manager must fully understand all the reviews that were carried out as part of the due diligence and selection processes, including information security and data privacy assessments.
2. Manage Due Diligence and Vendor Selection
The third-party risk management framework requires the business to complete due diligence and selection processes in a timely manner and with attention to detail and accuracy. Third-party risks must be identified and addressed before the company engages with the provider.
Depending on the situation and specific engagement, various stakeholders may be responsible for completing these due diligence and selection activities, but it is always the vendor manager’s responsibility to ensure they have been done thoroughly before signing contracts.
Due diligence should provide the third-party manager with key facts about the provider, including the financial profile and leadership structure of the company, who the third party’s competitors are, how the potential supplier is regarded in their industry and how to escalate an issue to senior management if needed. As part of this process, the manager will need to understand industry standards and regulations, pricing structures and industry issues and be able to recognize any red flags.
3. Know the Contract and Ensure Risk Controls are Enforceable
The detail of the contract is a critical part of a third-party manager’s role, so they can use it as an enforcement mechanism to prevent or mitigate third-party risks. The manager must understand the contract deliverables and obligations (for example, certificate of insurance, periodic assessments of risk control obligations) and all the expectations associated with the completion of each commitment, measured by key performance indicators, service levels commitments or other metrics as described by the contract. The manager should also know how the contract terms deal with data use restrictions and permissible use of subcontractors.
Pay particular attention to the risks posed from any nonstandard contract terms, such as how risk will be managed in the event of contract termination. If the provider fails to perform against the contract, the third-party manager will need to know how service credits will be levied.
Finally, the third-party manager must know and understand all terms related to payment, contract term length, contract termination conditions and requirements.
4. Ongoing Monitoring and Management – Maintain and Enforce Controls
Adhering to the third-party risk management framework means constantly and carefully monitoring and managing the third-party relationship in order to identify new or existing risks posed by the provider. Once these risks are identified, they can – and must – be resolved or formally accepted as posing an acceptable level of risk. This should all be clearly defined in the contracted standards.
The third-party manager is responsible for ensuring that providers are meeting all contractual commitments, both standard terms and conditions and any service level agreement, performance metrics or other controls as stated by the contract, statement of work, addendum, etc., and for monitoring service performance levels and anything else that helps keep the contract relationship healthy.
Occasional pricing reviews are necessary as part of regular performance management and may be done either through support partners (such as the vendor management office) or by the third-party manager to ensure the price agreed in the contract is the price invoiced by the provider.
Risk Analysis Leads to Successful Outsourcing
Before contracting a supplier, the hiring organization needs to understand the risks associated with the work the third party will perform. Even before due diligence, risk analysis should assess what capabilities and controls prospective service providers have in place to mitigate specific risks, keeping mind that work that requires access to sensitive information, private data or security gaps carries higher stakes. Risk analysis will reinforce knowledge about good practice and highlight the benefits of risk avoidance, especially around keeping data secure and information safe.
Effective risk analysis must be comprehensive. It should be conducted for all relationships, but it also needs to be efficient and straightforward to implement. While every third-party relationship is unique, the risk management process should be fairly standard and should always include the following six steps:
- Stage One: Request a risk assessment. The request phase should be embedded in any procurement process.
- Stage Two: Risk-tiering. Organizations must know the potential risk a third party could pose before starting the risk assessment, and “tier” them by that risk potential.
- Stage Three: A risk-adjusted questionnaire. Develop a risk-adjusted questionnaire based on the potential inherent risk in working with the new third-party provider. There’s no point questioning the service provider about their information security controls if they won’t be accessing or processing your organization’s data.
- Stage Four: Collect collaborative evidence. Collect responses to questions and collate evidence needed to verify the integrity of these responses if appropriate. For example, in situations of high or even moderate risk, the organization may need to interview key third-party personnel to ensure they understand and follow good standards. It may sound like an abundance of caution, but when there’s a risk to the organization, it’s better to be safe than sorry.
- Stage Five: Compilation and analysis of information. By stage five, the organization should have enough information to present to decision-makers.
- Stage Six: Log and register any identified risk control deficiencies. Determine any additional requirements that may be necessary to mitigate the risk to the organization.
While the accountable risk manager is the primary line of defense, a good technology platform can help facilitate the entire process, from initiation through third-party selection. A combination of automation and humans can create processes that do not let small details slip. The platform should provide:
- Configurable third-party risk management workflows and dashboards,
- Access to third parties who will be active participants in the process,
- Tools that enable process workflow,
- The collation of evidence and questionnaire responses and
- Risk logging and tracking of remediation.
Whenever organizations commit to working with a third party, they are choosing to introduce an additional risk factor into the business. Bigger, more complex provider ecosystems can be unwieldy to manage. Organizations need a clearly defined process to manage third-party relationships throughout their entire life cycle, to track compliance obligations and to do everything possible to protect their information.
The COVID-19 pandemic has exposed the fact that many companies lack visibility into their third-party supplier relationships. A thorough third-party risk management process can ensure that all stakeholders with access to the business and its operations and data are adhering to the highest standards.