Posted on: July 19, 2021
Solutions Customer Summit Series
In today’s post-pandemic world, we’ve likely all learned a few things about how we conduct business and, at times, about the frailties of the world in general. In the span of about a year, we’ve been challenged to the extremes by two polar opposite forces – a mighty supertanker and a microscopic virus.
What does this have to do with fostering collaboration with your third parties? Everything. In both of these cataclysmic events, the business world learned that it relies on third parties more than ever before. In the case of the tanker, it showed perhaps there could have been better planning for alternatives; in the case of COVID, it showed that industries needed to rely on their third parties as they rapidly scrambled to a remote outsourced business model.
Third parties clearly have become an extension of the organization – not just a nice to have, but a need to have, particularly in the past year. Some third parties proved quite reliable; in fact, many did – but others failed to live up to the challenge and showed that their pandemic plans were only words on paper or SharePoint, neither adequately tested nor robustly implemented.
Using the past year as a backdrop, it’s an excellent opportunity for a strategic pause of sorts to reflect on what went well and what didn’t. Every business should take the opportunity to analyze or “Monday morning quarterback” the processes of outsourcing so quickly – some have gone so far as to create scorecards on which third parties did well and on what attributes. This isn’t an academic exercise; it’s a real-world analysis – there will be other catastrophes that require industries to fully engage and rely on third parties. Ideally, a business should compare the third party’s incident management plan versus actual performance. If nothing else, the third party’s risk assessment should provide a good baseline for comparison as to how they were expected to perform, what weaknesses were anticipated, and what may need to be addressed going forward.
One key point here – although it’s not an academic exercise, it should be an informed discussion. Where warranted, convene meetings and take minutes to show real involvement and discussion. In keeping with prudent regulatory guidance, involve subject matter experts from around the organization, or even reach outside the organization to obtain an independent evaluation of issues by a credentialed expert. In addition, keep your board and risk committees informed of recommendations and necessary actions. As always, document everything carefully in meeting minutes and ensure that each recommended step is assigned to a specific, accountable individual and is carried through to completion.
As businesses strive to “re-insource” key functions, they must ensure that the same standard of care is applied as though they were terminating the relationship, i.e., the end goal should be to minimize disruption to the business and the customer. People will be moving back into the office. The data must follow. That sounds simple, but it’s not – policies should be in place with the company and its third parties as to how any data that was distributed is properly returned or destroyed. In some cases, particularly where a third party has access to significant amounts of nonpublic information (NPI), additional written agreements may be warranted, including attestations that the data has been returned or destroyed and there is no potential for future or unanticipated re-use of such information (e.g., a well-meaning marketing company having entered it in their database and then cross-selling the customers).
Beyond the third party lies their own third parties – essentially the company’s fourth party. Again, working closely with the third party, a business must understand their own control structure over the fourth party – they should be on par with the originating company’s expectations and vetted appropriately.
Understanding the operating environment is paramount – what role do traditional service providers play and how should they be considered? Information technology providers, in particular, have become the focus of regulatory scrutiny in recent years – likely even more so post-pandemic, particularly where lapses have become evident. Finally, public policy entities need to be considered: while a single company may not be able to head off the effect, the failure or lapse of one of these entities will send shockwaves through the entire system and perhaps the whole industry. It is up to each company to determine its own operating environment and how far it extends. Involving the third party in question is typically a great idea – it leads to a more informed discussion and better decisions, and it secures their commitment to action.
In today’s world, with so many crisis lessons learned and many operational hurdles overcome, third-party risk management is not an optional exercise; it’s an operational necessity. Working closely with a third party got many companies through these challenging times; working together, industries can prepare to be even more resilient for the next time.