5 Considerations for Your Third-Party Risk Management Program
The overarching principle in Third Party Risk Management is to realize that third party management is a relationship with a defined life cycle. Increased regulation and growing risk i.e. cybersecurity, fraud, operational resilience, business disaster, means that organizations must conduct vigorous, structured and regular due diligence on third-party intermediaries and the ecosystem that supports and sustains the third party’s operations. Moreover, with third parties accessing company information, the likelihood and impact of IT security incidents are on the rise and with it a vicarious liability for censure and financial penalties.
Regulators are looking for the methodology, the approach and the sustainability of programs designed to capture and mitigate these risks, evidence and alignment within an organization’s risk culture and risk appetite.
A robust, structured program devised and developed by the CFO to mitigate these risks can protect corporate reputation and shield executives, board members and other management from personal and professional liability. At its core, such a program incorporates a risk-based approach, which is a methodical and systematic process of knowing the company’s business, identifying its risks, and implementing measures that mitigate those risks.
The diagram below highlights the key items for you to consider when implementing your Third-Party Risk Management Program.
Each third-party relationship brings with its multidimensional risks that extend across suppliers, vendors, contractors, service providers and other parties.
The CFO must realize at the outset, that their firm cannot manage the operations of its third parties. Good governance of critical third parties involves defined responsibilities and expectations, clear communication channels, a control culture, and an understanding of life cycle management practices. The CFO must understand the firm’s risk appetite for third party risk and develop a risk framework which can be operationalized with a trust and verify mentality underpinning a sustainable relationship. The risk framework is developed with a coherent and consistent set of policies and procedures which involve a risk assessment model, outlining the inherent risk /residual risk , acceptable control environment, whilst addressing the need to comply with existing and proposed laws and regulations.
The risk framework needs to be developed with other key internal stakeholders with a description of the implementation, resources, acceptable mitigants, roles and responsibilities. The CFO also must ensure that the business owner within their firm accepts the risk and that the CFO ‘s role here is that of a facilitator in providing an acceptable framework in which the business owner can sustain the relationship with the third party.
In order to gain an insight into the third party, the CFO should conduct their own research using references that enable the CFO to better understand the scope and limitation of services offered. Armed with this information the CFO can better profile the third party and apply a more focused risk-based approach to third-party screening and due diligence. This risk based approach involves categorizing third parties into various risk categories High, Medium, Low based on the product or service, as well as the third-party’s location, countries of operation and key contributions. This approach will help you understand the criticality and impact of the risk they pose. An important part of the process will be to mitigate an over-reliance on key third parties
Standardized contracts are a must, outlining the rights and responsibilities of all parties, with suitable metrics in place to sustain the relationship. Given the importance of supply chains today, the contract should identify any subcontracting to a fourth party. The key is to contractually bind third parties to inform and get approvals on any fourth-party involvement and ensure that fourth parties are in the scope of screening and risk management processes. Understanding the business continuity process and the compliance requirements of the third party are also important considerations in the selection process.
Monitoring is essential as it will ensure that performance standards set by the program are being implemented and followed with the imposition of well-defined metrics to measure the effectiveness of the program. Continuous third-party monitoring and screening is the key to helping companies make informed decisions about their third parties, with screening against global sanctions lists, law enforcement, watchlists and adverse media reports.
The termination process is often overlooked, but it’s so crucial in the negotiation. It should take what-if scenarios into account, with various trigger points that allow your organization to extricate itself from the relationship in an orderly and timely fashion.
A controlled exit should specify termination provisions/notifications, costs, controls and the remediation of information assets.
Third Party risk management should be aligned with the Enterprise Risk Management of the firm and involve all key internal stakeholders. The CFO should act as the architect and help design a sustainable and operational third party risk framework which captures the needs of the firm within an acceptable controlled environ
Not a member-scholar yet? Join our financial community here!
Identify your path to CFO success by taking our CFO Readiness Assessmentᵀᴹ.
For the most up to date and relevant accounting, finance, treasury and leadership headlines all in one place subscribe to The Balanced Digest.