As more and more companies are engaging with third party vendors, there is a greater need to understand what makes the external business relationship a success.
Outsourcing, insourcing, co-sourcing… the way that companies choose to leverage external business relationships to produce results continues to expand into more components of their organizational structure. Organizations are incorporating external business relationships to lower operational and labor costs and leverage external core competencies, scale, and capacity that may be outside of the company’s in-house capabilities. Organizations are also looking to increase revenue through licensing, franchising, partnerships and other channel arrangements.
Unfortunately, studies show an increasing number of organizations do not track information on some or all of their third parties. Given the nature of these relationships, organizations face potential risks related to brand, reliability, business continuity, security, privacy, processing integrity, confidentiality and financial dependence. In many scenarios, organizational compliance extends to third parties. Examples of regulations or requirements in which third parties could put compliance at risk include:
• Sarbanes-Oxley Act (SOX)
• Consumer Financial Protection Bureau (CFPB) Bulletin 2012-03
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry (PCI) Data Security Standard
• Foreign Corrupt Practices Act (FCPA)
• Experian Independent Third Party Assessment (EI3PA)
• The Office of the Comptroller of the Currency (OCC) Bulletin 2013-29
• Gramm-Leach-Bliley Act (GLBA)
Establishing and maintaining an enterprise-wide third party governance program is critical for today’s organizations to mitigate the associated risk; reduce potential data loss, misuse and audit findings; and provide trust and confidence to stakeholders and customers.
Organizations should consider responses to the following 10 questions to evaluate the current state of their third party relationship governance program:
- Have we inventoried the third party relationships that exist in our organization today?
- How are we identifying and tracking new or changing relationships?
- Have we assessed and prioritized the risks related to those relationships?
- When evaluating new relationships, do our selection criteria address risks to the organization?
- Where applicable, do our agreements and contracts include adequate terms and conditions to require third parties to provide independent assurance to mitigate potential risks, convey trust and confidence, and demonstrate compliance with laws and regulations?
- Are responsibilities to manage these risks clearly defined, both individually for each third party and as a whole?
- Are we monitoring the various risks and contract requirements associated with each existing relationship and at what interval?
- Are these relationships dependent on subservice organizations?
- How do we gain comfort that information provided by third parties is valid, accurate, and complete?
- Does our risk assessment process identify potential negative events resulting from third party relationships and include procedures in place to respond?
The use of third parties to improve performance is a business strategy that is here to stay and will broaden into additional areas within an organization. The key to managing risk effectively is to ask the right questions and consider risk management across the entire spectrum of your providers, whether in-house or external.
Have concerns about third-party relationships? The next blog in this series will discuss addressing the evaluation of third-party organizations through the use of Service Organization Control (SOC) reports.
About the Blogger
Brandon Sherman is a Senior Manager in Frazier & Deeter’s Process, Risk & Governance Practice. He focuses on providing advisory services to identify, assess and manage clients’ strategic, operational, financial, IT and compliance risk. His primary responsibilities include internal control, business process improvement, data analytics and IT assessments, as well as service organization control (SOC) reporting and Sarbanes-Oxley 404 (SOX) engagements.