In today’s world, where we have seen massive supply chain disruptions, data breaches, enforcement actions, and a stunning series of customer failures, the world of third-party risk management (TPRM) has never been under more scrutiny.
Let’s examine what third-party risk management means. In the classic sense, across industries, third-party risk management is the consideration and control over outsourcing a function that typically is done within the organization to an external party for the purpose of delivery of a product or service to the consumer or a service provided to the company.
There is a lot wrapped up in the definition – no longer is it simply a vendor to consider, but any company involved in the delivery of products or services. Done well, third-party risk management can help to shield the company against data breaches, eliminate costly mistakes, avoid consumer harm, and generally increase the resilience of the company against unwanted actions.
At its heart, third-party risk management must be risk-based. What does that mean? Through the consideration of services delivered, for example, it’s important to focus time where it’s most warranted, i.e., high risk or critical third parties (those are ones that, if unmitigated, could cause significant harm to the company or impact the customer).
There are several key agreed upon best practice steps – agnostic of industry – that should be considered. While this isn’t an exhaustive list, certain industries may need to bolster it with things like supplier diversity or PCI (payment card industry compliance), but for the purposes of getting the basics right, below are the key elements of third-party risk management.
Selecting a New Third Party
There should be carefully and clearly defined steps on how a new third party is chosen, vetted, and – ultimately – approved. Ideally, this should be outlined in the company’s third-party risk management policy and program. Learning of a new third party only when a problem occurs is definitely a good warning indicator that it is time to review the selection process and instill greater control. The scope of what types of third parties are in or out (e.g., many exclude utility companies and the postal service) should be outlined as well.
Conducting Appropriate Due Diligence
This is the art and science of gathering the appropriate artifacts of the company’s structure, history, and ownership. For all companies, certain elements (often Tax ID, legal name, address, business license, articles of incorporation) should always be obtained. For others, the additional due diligence steps will be dictated by the type of product or service being outsourced – for a core processing company, perhaps things like the SOC2 report and evidence of network penetration testing. Anything not gathered in the initial due diligence process should be written into the contract to be certain it can be obtained post-contract approval.
Perhaps the core component of all of third-party risk management: the information risk management process should be thorough and, again, tailored/risk-based to match the product or service being outsourced. Careful review and input from subject matter experts around the organization should inform the process. The risk assessment process should look at both business impact risks as well as regulatory considerations. The assessment process will inform all other areas of TPRM and also dictate the need for follow-up actions and frequency of review.
Once signed, there are continuing obligations to watch that third party. Many of these are dictated in the service level agreement of the third-party contract as to what types of items will be required. In many cases, it’s a series of ongoing reports of activity; in others, it may be reports of consumer complaints or notification guidelines in the event of certain activities occurring (e.g., breach, management departures, etc.). In this area of risk, individual assignment of accountability is paramount.
One of the more complicated parts of third-party risk management: contract management should not be overlooked. The basics of the contractual expectations should be documented in the policy and program, determining standard language over such items as the protection of data, the rights and obligations of both parties, and the ongoing expectations of supplying key information or allowing other items such as the right to audit the third party. Tracking these items in an organized fashion is critical to the effectiveness of the contract management process.
Documentation is required and evidence of the involvement of the board and senior management team is equally important, showing their active participation, direction setting, and key leadership decisions around the third party. A best practice is to set a standard set of agreed upon reports delivered in a particular manner and cadence, evidenced in meeting minutes, but also with the flexibility to drill down on any item needing further consideration.
Exit Strategy and Termination
No one goes into a relationship thinking about the end, but it must be given careful consideration. Exit strategies, designed to minimize disruption to the customer and the business, should be carefully crafted, codified, and tested on a regular basis. Termination steps, particularly items like notification guidelines and the return of non-public information, should be contractually committed to by both parties and carefully tracked.
In addition to all of the above, certain companies and industries may employ addition steps and safeguards. The end goal, of course, is to protect the consumer, company, data, and industry. Done well, third-party risk management is a true strategic advantage by ensuring quality and reliability, cost savings, and regulatory compliance.
Download Fusion’s 7 Key Elements of Third-Party Risk Management infographic to read about the important elements that make your program more resilient.
Additional Industry Guidance and Resources