For many organizations, third-party risk became a serious topic of conversation in late 2013 when the U.S. Office of the Comptroller of the Currency (OCC) released its 2013-29 bulletin, Third-party Relationships: Risk Management Guidance, replacing its more basic principles from 2001. Although some businesses had previously begun addressing third-party data security concerns, most were not evaluating controls across the full spectrum of third-party risks before this new guidance was issued.
The near implosion of the global financial system several years ago played a large part in the increased focus on third-party risk management. It shone a direct light on critical banking operations that had been outsourced to third parties. Financial institutions, starting with national banks, were now being held responsible not only for their own risk management practices but also for those of the third parties they rely on. These risks were never confined to financial services: high-profile data breaches at well-known corporations brought additional attention to the role third parties play and the impact they can have on a company's clients and employees.
Today, organizations across industries continue to look for ways to lower costs and increase efficiency by outsourcing services to third parties. The trend has led companies to expand or optimize their third-party risk programs. Many programs, especially within regulated industries, are evolving to meet business performance goals and regulatory expectations, which requires striking a balance between managing risk and not stifling the business, at an acceptable cost. Organizations have invested significant capital in hiring qualified staff, implementing an effective governance and organizational structure, and procuring the right technology to run third-party risk programs.
But as these programs have developed, are they truly efficient and sustainable? For many, the answer is no. Organizations are finding they lack the risk management efficiencies needed to support business objectives. Business units find themselves unable to contract with third parties as quickly as they did in the past, delaying the launch of new products and services. The experience has left business leaders frustrated, often putting procurement and risk management functions at odds over how much risk management overhead is enough.
So what are forward-thinking companies doing? First, they focus with laser precision on the third parties and services that represent the biggest risks and they efficiently implement strategies to manage them. Second, they realize the value of pooling resources and sharing risk intelligence with their peers. This two-pronged approach yields more robust and efficient management of third-party risk, with internal audit playing a key role in the process.
Identify the Greatest Risks
Organizations need to develop plans to mitigate and monitor those threats that create the biggest impact on business operations. Resources and skills should center on what matters most to the business, which requires careful planning and a true understanding of the third-party risk profile.
Organizations focused on high-impact risks take a smarter approach by creating risk profiles at the service and third-party levels. They understand the inherent risk of the services they procure and the specific due diligence required to evaluate the third party's control environment. This knowledge limits the need to repeatedly ask questions of the business each time they require services. This approach enables the organization to shift focus to exceptions that don't meet the standard risk profile for the outsourced service. Other attributes of forward-looking companies with a desire to work smarter include:
- Maintaining an accurate and ongoing inventory of third parties and their services with a map to the specific risks to be assessed and monitored (e.g., those third parties that have access to personally identifiable information for employees or clients).
- Evaluating and managing preferred suppliers for each expenditure category, eliminating those that don't fit the organization's defined criteria (including risk profiles).
- Defining inherent risk rating by service type and managing to those exceptions as described earlier.
- Communicating third-party risk in business terms using advanced data analytics.
- Developing key risk indicators and key performance indicators that help identify areas where third-party risk levels may be increasing.
- Actively monitoring third parties' externally observable security posture (exposed services, hosts seen communicating with known-malicious infrastructure, weak configurations) using security ratings services such as BitSight, RiskRecon, or SecurityScorecard. These are outside-in signals and complement, rather than replace, due diligence on the third party's internal controls.
- Managing reputation and compliance risks, such as negative news and new regulations, with continuous monitoring tools.
- Understanding and monitoring geopolitical risk for outsourced services.
- Lowering program costs by implementing integrated third-party risk technology solutions.
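The inventory, inherent risk rating by service type, and management of exceptions described above can be expressed as a small triage routine. The following is an added example, not code from the original article or from any vendor's tool; the service types, risk tiers, diligence domains, escalation rules, and the sample inventory are all hypothetical and constructed for illustration. The point it shows is that a standard profile per service type answers the routine questions once, so reviewers only spend time on third parties whose attributes deviate from that profile.

```python
from dataclasses import dataclass

TIER_ORDER = {"low": 0, "medium": 1, "high": 2}

# Hypothetical standard (inherent-risk) profile per outsourced service type.
# In a real program these come from the risk team's segmentation methodology.
SERVICE_PROFILES = {
    "payroll_processing": {
        "tier": "high",
        "domains": {"infosec", "bcp_dr", "financial", "legal_compliance"},
        "pii_expected": True,
        "network_access_expected": True,
    },
    "marketing_analytics": {
        "tier": "medium",
        "domains": {"infosec", "legal_compliance"},
        "pii_expected": False,
        "network_access_expected": False,
    },
    "office_supplies": {
        "tier": "low",
        "domains": {"financial"},
        "pii_expected": False,
        "network_access_expected": False,
    },
}

# Extra diligence domains triggered when an attribute falls outside the standard profile.
EXCEPTION_DOMAINS = {
    "unexpected_pii_access": {"infosec", "legal_compliance"},
    "unexpected_network_access": {"infosec"},
    "critical_service": {"bcp_dr", "financial"},
}

ALL_DOMAINS = {"infosec", "bcp_dr", "financial", "legal_compliance"}


@dataclass(frozen=True)
class ThirdParty:
    name: str
    service_type: str
    pii_access: bool            # has access to employee or client PII
    network_access: bool        # has connectivity into the organization's network
    critical_to_operations: bool


def assess(tp):
    """Return (tier, exceptions, domains): the inherent-risk tier after escalation,
    the attributes that deviate from the service type's standard profile, and
    the due-diligence domains that must be assessed for this third party."""
    profile = SERVICE_PROFILES.get(tp.service_type)
    if profile is None:
        # No standard profile exists: route to the risk team as high risk rather
        # than silently defaulting to the lowest tier.
        return "high", ["unknown_service_type"], set(ALL_DOMAINS)

    exceptions = []
    if tp.pii_access and not profile["pii_expected"]:
        exceptions.append("unexpected_pii_access")
    if tp.network_access and not profile["network_access_expected"]:
        exceptions.append("unexpected_network_access")
    if tp.critical_to_operations and profile["tier"] != "high":
        exceptions.append("critical_service")

    domains = set(profile["domains"])
    for exc in exceptions:
        domains |= EXCEPTION_DOMAINS[exc]

    # Escalation rule (hypothetical): PII or criticality outside the profile goes
    # straight to high; any other deviation is at least medium.
    tier = profile["tier"]
    if exceptions:
        escalate_to = "high" if {"unexpected_pii_access", "critical_service"} & set(exceptions) else "medium"
        if TIER_ORDER[escalate_to] > TIER_ORDER[tier]:
            tier = escalate_to
    return tier, exceptions, domains


def triage(inventory):
    """Order the inventory so the highest tiers and most exceptions surface first."""
    rows = []
    for tp in inventory:
        tier, exceptions, domains = assess(tp)
        rows.append({"name": tp.name, "service_type": tp.service_type, "tier": tier,
                     "exceptions": exceptions, "domains": sorted(domains)})
    rows.sort(key=lambda r: (-TIER_ORDER[r["tier"]], -len(r["exceptions"]), r["name"]))
    return rows


# Constructed sample inventory; the names are fictional.
SAMPLE_INVENTORY = [
    ThirdParty("PayCo", "payroll_processing", True, True, True),
    ThirdParty("AdMetrics", "marketing_analytics", True, False, False),
    ThirdParty("StaplerWorld", "office_supplies", False, False, False),
    ThirdParty("CourierNet", "office_supplies", False, True, True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['name']:<13} {row['tier']:<6} exceptions={row['exceptions']} assess={row['domains']}")
```

Run as-is, the sample inventory puts CourierNet at the top: an "office supplies" vendor that turns out to have network access and to be operationally critical does not fit its low-risk profile and needs business continuity and information security diligence, whereas PayCo, although high risk, matches its profile exactly and can follow the standard questionnaire set without a bespoke review.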
Internal audit should help ensure that the business is managing these processes effectively. Moreover, it should make sure the third-party risk management team's program is updated as new risks are identified and evaluate the overall governance and risk management program each year to determine whether the greatest effort is focused on the highest risks.
Optimize Due Diligence
A company's third-party risk programs can raise hundreds of due diligence questions. Targeted areas commonly include information security, business continuity/disaster recovery, legal and compliance, technology systems, and financial, to name just a few. Due diligence is often performed manually across these areas, and the process can be time consuming. Third-party risk leaders first need to understand the outsourced service to determine risk exposure and appetite and then send the right questionnaires to the third party, hoping they're completed and returned on time. Leaders must then review the responses, followed by issuance of risk recommendations — all before the business can sign a contract.
Many organizations seeking a better approach are beginning to value the concept of group intelligence and consortiums as a means of sharing third-party due diligence data. They've discovered that third-party risk is not an area one company should solve on its own. When it comes to critical services, nearly every organization, regardless of industry, will most likely be sharing a third party with competitors or industry peers. Why should an organization develop its own set of risk domains and due diligence questions when others are compiling the same information?
Third parties receive numerous risk questionnaires from their customers and most likely do not maintain consistency across all their responses. More importantly, when an incident occurs at a third party, it can affect multiple clients at once. Being able to collaborate quickly with industry partners to respond to risk and potential fraud provides a consistent and more efficient way to address the impact.
As an example, four global investment banking and wealth management companies, along with a leading data aggregator, collaborated to build a third-party risk consortium designed to solve the inefficiencies created by their individual third-party risk programs. They developed a centralized data utility that enables firms to standardize and simplify their third-party risk management programs — specifically, due diligence and ongoing monitoring processes. The utility simplifies these processes considerably by aggregating third-party data in a centralized, multilateral model. Members can download third-party due diligence responses on demand as opposed to sending out individual questionnaires. They can also receive proactive notification of negative news and relevant events (e.g., mergers/divestitures) as well as monitor information security threats and financial viability measures in one centralized utility. Moreover, members who share the same third parties have the opportunity to collaborate over on-site visits and data verification exercises, aimed at lowering costs and improving data consistency. The consortium is designed to adjust over time as the threat landscape changes and improvements are made.
Consortium models are not new and have proven successful in certain circumstances. Many forward-looking companies are now evaluating risk consortiums as they seek broader views on how risks are managed across their own industries, in light of pressure to reduce costs and the need to increase efficiency. Internal audit has an important role with regard to consortiums. Auditors can examine the integrity of the consortium technology, its access and security controls, permissions, and the integration of its data into company systems. The integrity of the data used by members of the consortium is critical, and it constitutes an area of high risk and priority. Auditors may also want to determine whether the consortium has been reviewed by Legal to ensure the arrangement does not run afoul of antitrust regulations.
Additional Areas of Focus for Internal Audit
Because third-party risk can affect the whole business, internal audit is in a unique position to assist by performing monitoring activities and reporting on its organizationwide findings. As the third line of defense, internal audit provides assurance on the effectiveness of governance, risk management, and internal controls. The third-party risk management team is normally organized as part of the second line of defense, with the business forming its first line. To collaborate effectively, internal audit must understand the working relationship between the business and the third-party risk management team. This process starts with understanding the organization's risk culture, typically defined as the beliefs, values, attitudes, and behaviors related to risk awareness, risk taking, and risk management. How are the business and third-party risk teams interacting? Do they meet regularly to assess their most critical third parties? Do they agree on the priority of third-party risk?
Internal auditors should examine meeting minutes and other communications between key business leaders and the third-party risk team, as these provide insight into the strength of processes and controls around third-party risk. Some additional leading practices for internal audit include:
- Naming a central point of contact within the audit function to liaise with the third-party risk management team, similar to other enterprise risk functions.
- If operating in a regulated environment, understanding the guidelines organizational business and risk leaders must follow in addition to any available exam procedures (e.g., OCC's 2017-7, Third-party Relationships: Supplemental Examination Procedures).
- Determining whether the third-party risk program is focusing its efforts on areas that pose the greatest risk. If so, is the risk management team consistent with this approach? Has it outlined the methodology used to segment risk profiles by severity? Is the team working smart or just working hard?
- Reviewing the program governance and risk escalation process. Is it disciplined? Is the vendor due diligence robust? Does it include a sufficient approval process?
- Evaluating the process for handling unplanned terminations for a critical third party. Has the program adequately defined a workaround while the service is either brought in house or replaced by another third party?
- Determining what documentation is maintained and whether it provides an adequate audit trail to easily determine what risks and related controls are operating as designed.
Keeping Risk in Check
Without a doubt, companies need to enhance their third-party risk programs as third parties continue to drive the execution of organizational processes and help optimize performance. The value of managing risks associated with outsourcing a critical business service to a third party is shared across the organization, and it represents a vital component of protecting shareholder value. Internal auditors should keep in mind that their role in this process is critical to providing assurance that third-party risk management performs optimally.
Forward-thinking organizations focus their skills and talents on core business processes and look for creative ways to outsource noncore processes. Although more and more organizations are moving in this direction, they must still make sure their vendors are providing consistent, efficient services and that risks associated with using third-party vendors are minimized.