corporate team working together in a meeting rooom

Understanding third-party risk management

January 05, 2023

Understanding third-party risk management

Synopsis
7 Minute Read

Organizations are utilizing third parties to deliver core services now more than ever before. However, recent events such as supply chain disruptions driven by the COVID-19 pandemic and international conflicts, in addition to a volatile talent market have increased the need to better manage the risk exposure of relying on third parties.

By Phil Racco, Senior Manager, and Deepak Jaswal, LLB, CTPRP, Senior Manager.

In recent years, more organizations have had to rely on third parties to meet their operational needs. As the global business landscape continues to evolve and demands for uniquely qualified talent increase, the need for organizations to onboard third parties (vendors, service providers, contractors, and other external parties) also continues to grow. In their pursuit of efficiency, productivity, and profitability, organizations are looking to increase their use of third parties which increases their susceptibility to additional risk exposures. Driven by a combination of factors such as the supply chain disruption, geo-political conflicts and increasing expectations of corporate responsibility, the need to better manage the risk exposures introduced through the use of third parties has heightened.

Third-party risks are potential threats to an organization derived from placing reliance on vendors, affiliates, partners, and other external parties in delivering on the organization’s business objectives. These third-party risks include exposure to cyber attacks and/or data breaches, lawsuits, reputational damage, etc. stemming from errors, vulnerabilities, or mismanagement by the third party and can result in legal, financial, strategic, security, reputational and operational damages for an organization.

What can your organization do?

As a first party (the entity delegating a function to another entity), by placing reliance on a third party, you are absolutely going to be exposed to risk, but the question becomes ‘how do you respond to that risk exposure?’. While some may consider the option of avoiding or minimizing risk exposures by reducing their reliance on third parties, this in turn creates its own inherent and residual risks, as well as potentially missing out on the benefits received from relying on a third party (i.e., enhanced efficiency, productivity, and profitability). Because your need for third parties is inevitable, your organization would benefit from designing a fit for purpose third-party risk management framework that can reflect your broader approach to risk management.

Third-party risk management focuses on identifying, evaluating, reducing, and compensating for potential threats associated with your organization’s use of third parties. In many cases, the relationship and associated risks also extend to fourth parties (subcontractors) which are entities independent of but working on behalf of the third party to deliver services to you.

With a fit for purpose third-party risk management framework that takes a holistic and cost-effective approach to managing your vendors and suppliers, your organization gains a better understanding of the third parties you use, the value you derive from them, the cost of services provided, and very importantly, the mutually agreed terms of service.

In the absence of a unified and integrated framework, each department across your organization will build and maintain siloed relationships with third parties leading to uncoordinated and duplicative risk management practices. This lack of coordination, in turn, leads to an ineffective use of resources, increased risk exposures, and process inefficiencies as each silo may only have a limited understanding of the value and potential threats posed by a third-party. In many organizations, the procurement, IT, legal and human resource teams are those most likely to engage third parties and a framework makes it possible to harmonize their activities into a single and effective process.

The third-party risk management lifecycle

Throughout your third-party relationship, risk exposures and the corresponding risk management activities vary according to the stage of the relationship and managing them begins well before a contract is signed and they continue to the contract’s expiration.

The third-party risk management lifestyle can be broken down into the following stages:

Identification and Due Diligence

This is the pre-contract stage where you identify and attempt to understand the third party you’re looking to engage, and the potential risks associated with using them. In this stage, you define requirements and conduct research on the entity and its capability to deliver the services you require. Your research will include a materiality assessment of the third party,which will help to determine the criticality and level of risk exposure posed by the relationship with your organization. Considerations for this assessment will cover the internal and external aspects of the contract.

On the internal side, you will review the nature and scope of the business activity you are seeking third party support for, the terms on which the relationship will be managed, the business case for using the third party (including both the benefits and potential risk exposures), amongst others.

Externally, you will consider the entity’s experience and technical competence, financial stability, reputation, Environment Social and Governance (“ESG”) practices, internal controls environment, business resumption and contingency measures, and possible links to unlawful acts such as financial crimes and corruption. For entities engaging in competitive procurement, your purchasing process should involve your vendors sharing information on each of these attributes, as well as how they would manage the potential risk exposures you’ve identified in the development of the business case. This will allow you to evaluate their adequacy as part of award decision.

Contracting and Onboarding

This is a crucial stage in your organization’s third-party management where you will establish the parameters for the relationship’s success. Both parties will agree on the risks to be managed and how they will be distributed, the terms for data ownership and transfer, the scope of services to be delivered and delivery methods, Service Level Agreements, penalties for non-performance, subcontracting rules and limitations, the right to audit and offboarding process, among many others.

Contracting Provisions
Data ownership and transfer
Scope of services
Delivery methods
Service Level Agreements
Penalties for non-performance
Subcontracting rules and limitations
Right to audit
Offboarding process

As this is a key stage in the process, you and your team must pay attention to all the details and handle the contract with care and precision.

Performance monitoring

Now that you have a contract, the real work lies in the ongoing visibility into the activities of your third party. Organisations often take a backseat in monitoring contractual arrangements after the contract has been signed thus exposing themselves to risks and undesirable consequences.

In this stage, you monitor third parties by tracking agreed upon service levels and supporting key performance indicators to help ensure service delivery meets or surpasses agreed to expectations. There is also an opportunity to conduct periodic risks examinations by reviewing assurance reports, financial statements, and other documents.

Keeping in mind that your relationship with third parties will continue to evolve, it is also important that you regularly review the terms of the contract considering possible changes in circumstances or the need for additional diligence.

Evaluation and Offboarding/Renewal

This is a determining stage where you will make decisions on the effectiveness of the relationship after considering costs, regulatory changes, the quality of services you received, and the overall relationship with the third-party.

Your next move will depend on what your management team decides. Will you create a renewal or transition plan? Will you update or terminate the contract? Will it be necessary to blacklist certain third parties and update your vendor database?

How can you get ahead?

Setting up a third-party risk management framework for your organization is a tough but necessary task. With the right guidance, you can better manage exposures created through the use of third parties.

Contact us

MNP’s Enterprise Risk team can help you identify and address threats across all parts of your organization, including those caused by third-party reliance. To discuss your risk protection strategy, contact Mariesa Carbone CPA, CA, ABCP, CRMA, National Enterprise Risk Services Leader.

Insights

  • Progress

    February 03, 2023

    The role of organizational culture in change management

    Your workplace culture will ultimately make or break your efforts to transform your organization and effectively manage change.

  • Performance

    February 03, 2023

    What residential property owners need to know about Canada’s new anti-flipping rules

    The Federal Government has introduced a new anti-flipping tax measure that will impact individuals looking to sell their home or residential rental properties. This new law will apply to property sold on or after January 1, 2023.

  • Confidence

    February 01, 2023

    Non-profit organizations: how remote work impacts your financial processes and controls

    A clear and documented set of financial policies, with the accompanying procedures and internal controls, will help your non-profit organization operate confidently and efficiently in an era where remote work is increasingly the norm.