Are your Third-Party Service Providers doing the Right Things Right?
The disruptive events experienced in 2020 have brought about significant change in the way we work. What we have witnessed offers first-hand reference to the impact on business, its people and their communities, but has also demonstrated an innate resilience to rise up and navigate through the disruption. Financial and operational leadership have been surprised and pleased by how quickly adjusting to the disruption has introduced significant operational efficiencies and cost savings.
This natural human resilience demonstrates that we are quick to do the right thing, albeit at the expense of doing things right. It is in hindsight that we turn and reflect on how governance, risk and compliance have been set aside. Only now that some normality is returning to strategic thinking are organisations reviewing how dealing with disruption without preparation, and without a tested Business Continuity Plan (BCP), has exposed them to financial risks that have a direct impact on longer-term business sustainability.
With so many recent disruptive and tragic events receiving our attention, and with new ways of working now a central topic, key stakeholders expect their board and senior management to protect them by investing in a robust BCP.
A successful third-party risk management (TPRM) program extends beyond just the vendor onboarding and offboarding process. Organisations need to be invested in the maintenance and continuous validation (testing) of the end-to-end TPRM lifecycle.
A huge amount of time and effort typically goes into an initial vendor assessment and onboarding. But third-party service providers that manage business-critical functions, or that form part of the supply chain, need continuous validation and management to avoid the consequences of not being ready for disruption, whether that disruption affects their clients or their own business continuity capability. Without this, there is a higher likelihood of a data breach or compliance failure by the third-party vendor.
Organisations share confidential and sensitive information with approximately 583 third parties on average—that adds up to a lot of additional risk. And only 34% of organisations in the study reported keeping a comprehensive inventory of these third parties, while just 35% rated their TPRM program as highly effective.*
Managing third-party risk can be overwhelming. Also, the cost of mitigating the risk through a comprehensive and continuous program can be daunting, to the point that the importance of such a program is often ignored... yes, ignored, and we all know what we expose ourselves to when we ignore issues of regulatory compliance and corporate importance.
A sensible approach will determine a high-level view of priorities and more affordable approaches that can be managed with credible external partners, such as:
- Free or affordable resources for guiding internal audit and business continuity teams
- Affordable access to an expert support desk which can be extended to monitor business critical systems for potential data and process breaches that can be avoided through responsive interventions
- Full partnership with expert business continuity and third-party vendor management service providers
- Employ the right technology to ensure standardisation of vendor risk management, and thereby reduce the cost significantly
Here are nine areas where improved processes using appropriate technology and an experienced audit partner can help.
- Have a documented business continuity program
This includes frequent impact analysis covering the functions and supply chains that are dependent on third-party vendors.
- Create a standardized, automated onboarding process
Manage the third-party vendor as an extension of your internal teams and processes – this will ensure that any risks they might face outside your business are identified quickly, and that changes to your own plans can be approved to protect your own exposure to risk and disruption.
- Create a vendor profile
Creating a risk profile for each vendor will help you define your relationship and understand the products/services they’ll provide—and how essential they are to your organization. It will also define what type of physical, systems, and data access to give the vendor.
- Use risk & controls assessments
Once you understand the risk a vendor presents, you’ll need to check that the proper controls are in place to manage that risk, and that they’re operating effectively. Those controls can be part of a larger framework.
- Do not reinvent the wheel
There are many best-practice industry control frameworks you can use. Partner with a credible vendor management and audit party who can provide these resources, often for free.
- Have a remediation management plan
Contract a vendor management specialist to assist you with your own program. Monitor continuously and test frequently.
- Regularly review contracts for legal and commercial exposure
You will want to consider how well your vendors are performing against their Service Level Agreement (SLA). Ensure terms and SLAs remain current with changing technology and processes. Frequent contract reviews can mitigate legal liability and operational risk, and also ensure that improved commercial terms reflect efficiencies as they are realised.
- Mandate ongoing vendor monitoring
Ensure your BCP includes alternative sources of service and remedy that will support your own resilience to disruption.
- Define a vendor offboarding process
You’ll need an offboarding strategy that includes finalizing payments, disabling vendor access to data, and more.
Regulatory requirements, stakeholder expectations, and organisational goals and risks will shift over time. By following the TPRM lifecycle and having an experienced audit partner who can help you quickly adapt to changes, you can make the entire TPRM process easier on everyone. Software is an important tool to assist you in building trust and confidence in your TPRM program. It is of course worth noting that when you run critical functions such as TPRM and payroll on cloud platforms, your technology partners are themselves third-party vendors, and giving up control of your data introduces significant risk in its own right.
*Source: Third annual Ponemon Institute Data Risk in the Third-Party Ecosystem 2018 study