Imperatives
With increasing complexity in the global business environment, third-party risk management has become a subject of ever-increasing importance across an array of business stakeholders. Some of the imperatives are:
- Business models increasingly rely on external parties, particularly for non-core activities.
- New-age business models are shifting towards collaborations, networks of business partners, aggregation, multi-nodal distribution, interconnected supply chains, cross-sectoral activities, and technology-driven enablement, which makes third parties one of the key sources of external risk.
- Regulators have become more focused on how companies manage outsourced activities and the related third-party risks.
Dimensions of Third-party risk assessment
Financial: Close examination of investors, funding, financial statements, banking relationships, credit rating, and business solvency indicators.
Legal and regulatory: Understanding the governing regulatory regime and processes, and the third party's ability to comply with them, is a key consideration. The third party's framework shall also be aligned with the organization's systems and processes and, in particular, shall support seamless and comprehensive regulatory reporting.
Operational: Assessment of the third party's operating model, service-delivery capabilities, M&A prospects, further reliance on fourth parties or sub-contractors, executive management credentials and turnover, and its own business continuity planning process are critical in evaluating the third party's operational capability to meet its contractual obligations.
Reputational: This includes an assessment of its business landscape, personal and institutional goodwill, record of fines and penalties, adverse media exposure, defaults or losses, and instances of business disruption.
Data Privacy: This is critical not only for the organization's proprietary information and data but also for confidential customer data and accountability for data privacy. Hence, assessment of the third party's data protection mechanisms and of its ability to identify, prevent, mitigate, and report any breach is important.
Cyber Security: A clear understanding and evaluation of the third party's technology architecture, vulnerability and threat management, information security controls, ongoing monitoring, and remediation capabilities are essential to confirm that the third party creates no undue exposure for the organization. This includes the third party's own dependence on fourth parties (for example, hosting or software providers), since a weakness there is inherited by the organization.
Best Practices
Step 1: Stakeholder mapping
- Prepare a comprehensive internal/external stakeholder listing and map each third party used in any part of the overall value chain.
- Apply risk-based segmentation (for example, by criticality of the service and by the sensitivity of the data and systems the third party can access) to determine the level of control required for each segment.
Step 2: Build Framework
- This includes a definition of ownership, controls and governance processes, a clear articulation of risk appetite that will lead to alignment among internal stakeholders, and processes for ongoing assessment, monitoring, and reporting.
Step 3: Onboarding and offboarding
- Devise KYT (Know Your Third party) protocols for onboarding any new third party, covering comprehensive vetting and selection as well as the suitability of the data, system, and people access being granted.
- Also, on discontinuation of the relationship, thorough diligence shall be conducted to ensure no residual exposure remains with the third party (retained data, standing credentials or network connections, open contractual obligations) that could result in liability for the organization.
Step 4: Contractual standards
- While each organization will have a standard contract template, it is important to customize it to capture the specific nuances of each relationship.
- It shall comprehensively cover roles and responsibilities, scope of services and SLAs, liabilities, commercial elements, review/monitoring/reporting obligations, the approvals and escalation matrix, and the dispute resolution mechanism.
Step 5: Third party audits
- The internal audit process is an integral part of a robust third-party risk management framework. The relevant provisions shall be incorporated in the organization's overall internal audit plan, and the outcomes shall be reported through the laid-down governance mechanism.
- In addition, the review of third parties shall be included in the scope of each external certification audit to ensure that the necessary controls are implemented and working well at the third-party level.
Step 6: Baseline and Benchmarking with industry standards
- The organization's third-party risk management program must be baselined against industry-accepted standards and protocols and then benchmarked against those standards from time to time.
- This can be done through a peer review mechanism or with the help of external specialized firms, giving key stakeholders independent assurance on the efficacy and improvement of the program.
Step 7: Leverage Technology
- Invest appropriately in technology-enabled, end-to-end third-party lifecycle management tools.
- These tools shall be used for predictive analysis, enabling proactive identification and mitigation of third-party related risks, and shall be well integrated with the mainstream ERM tools already deployed.
ESG considerations for Third party risk management
With ESG norms becoming an integral part of a company's ethos, business, and governance practices, it is important to extend those norms to the extended supply chain, principally all third parties, to ensure a real and meaningful positive impact.
The organization's ESG model must be extended to third parties through the following considerations, which make third-party risk management holistic and also value-additive from an ESG perspective.
1. Assess:
- Perform a thorough assessment of the impact of regulatory, policy, and reporting standards.
2. Create:
- Create a compliance plan that integrates all baseline practices across the entire extended third-party ecosystem.
3. Communicate and Train:
- Proactively and consistently communicate the plan and its requirements to all third parties, as well as to all relevant internal stakeholders.
- Impart periodic refresher training on incremental changes and any additional requirements.
4. Monitor and Report:
- Establish ongoing monitoring and reporting requirements to track compliance levels and progress.
- Ensure that the monitoring and reporting mechanism is well integrated with the organization's mainstream systems and processes and does not operate in isolation.
5. Remediation:
- Track action plans to ensure they are implemented effectively.
- This also provides a feedback loop for continuously improving the baseline practices.
6. Collaborate:
- Collaborate at the industry level, together with third-party industry bodies, to accelerate the adoption of ESG norms and practices.
In essence, robust third-party risk management is key to effective enterprise risk management; it improves the organization's prospects of meeting its business objectives and of developing sustainable business practices under robust governance.
Blog Author: Harshit Baxi