
    10 Questions to Ask About External Business (Third Party) Relationships

    As more companies engage with third-party vendors, there is a growing need to understand what makes an external business relationship a success.

    Outsourcing, insourcing, co-sourcing… the way that companies choose to leverage external business relationships to produce results continues to expand into more components of their organizational structure. Organizations are incorporating external business relationships to lower operational and labor costs and leverage external core competencies, scale, and capacity that may be outside of the company’s in-house capabilities. Organizations are also looking to increase revenue through licensing, franchising, partnerships and other channel arrangements.

    Unfortunately, studies show an increasing number of organizations do not track information on some or all of their third parties. Given the nature of these relationships, organizations face potential risks related to brand, reliability, business continuity, security, privacy, processing integrity, confidentiality and financial dependence. In many scenarios, organizational compliance extends to third parties. Examples of regulations or requirements in which third parties could put compliance at risk include:

    • Sarbanes-Oxley Act (SOX)
    • Consumer Financial Protection Bureau (CFPB) Bulletin 2012-03
    • Health Insurance Portability and Accountability Act (HIPAA)
    • Payment Card Industry (PCI) Data Security Standard
    • Foreign Corrupt Practices Act (FCPA)
    • Experian Independent Third Party Assessment (EI3PA)
    • The Office of the Comptroller of the Currency (OCC) Bulletin 2013-29
    • Gramm-Leach-Bliley Act (GLBA)

    Establishing and maintaining an enterprise-wide, third party governance program is critical for today’s organizations to mitigate the associated risk, reduce potential data loss, misuse and audit findings and provide trust and confidence to stakeholders and customers.

    Organizations should consider responses to the following 10 questions to evaluate the current state of their third party relationships governance program:

    1. Have we inventoried the third party relationships that exist in our organization today?
    2. How are we identifying and tracking new or changing relationships?
    3. Have we assessed and prioritized the risks related to those relationships?
    4. When evaluating new relationships, do our selection criteria address risks to the organization?
    5. Where applicable, do our agreements and contracts include adequate terms and conditions to require third parties to provide independent assurance to mitigate potential risks, convey trust and confidence, and demonstrate compliance with laws and regulations?
    6. Are responsibilities to manage these risks clearly defined individually for each third-party and as a whole?
    7. Are we monitoring the various risks and contract requirements associated with each existing relationship and at what interval?
    8. Are these relationships dependent on subservice organizations?
    9. How do we gain comfort that information provided by third parties is valid, accurate, and complete?
    10. Does our risk assessment process identify potential negative events resulting from third party relationships and include procedures in place to respond?

    The use of third parties to improve performance is a business strategy that is here to stay and broaden into additional areas within an organization. The key to managing risk effectively is to ask the right questions and consider risk management throughout the entire spectrum of your providers, whether in-house or external.

    Have concerns about third-party relationships? The next blog in this series will discuss evaluating third-party organizations through the use of Service Organization Control (SOC) reports.

    About the Blogger

    Brandon Sherman is a Senior Manager in Frazier & Deeter’s Process, Risk & Governance Practice. He focuses on providing advisory services to identify, assess and manage clients’ strategic, operational, financial, IT and compliance risk. His primary responsibilities include internal control, business process improvement, data analytics and IT assessments, as well as service organization control (SOC) reporting and Sarbanes-Oxley 404 (SOX) engagements.
