Whether it is referred to as third-party risk, vendor management, supply chain management, or something else, organizations must recognize the risk implications of operating as an extended enterprise. Today’s interconnected business models enable companies to leverage partnerships to manage costs and increase competitive advantage. In the extended enterprise, company data and, in many cases, its client or associate data are shared, transferred, processed, or stored by external entities. Very often, this data is among the organization’s key information assets. The risk to the entity unknowingly increases when management has not assessed or addressed the potential threats being posed to key assets in this sharing process. These risks may include security protections and associated breach risk, availability standards and associated operational risk, ownership rights and associated strategic risk, and other key risk points across financial, operational, reputational, and legal areas. Considering these risks and evolving business operations — alongside an increasingly complex regulatory landscape — third-party governance and oversight models are a must-have for organizations.
Gone are the days when an organization’s simple inquiry into a new vendor’s policies, data security practices, and control structure during the vendor procurement process was considered sufficient. Over time, simple inquiry evolved into a brief, often narrowly focused, evidence or documentation gathering exercise with limited actual review or scrutiny. Fast forward to today, when organizations are expected by stakeholders and regulators alike to know, assess, and actively monitor external providers’ adherence to defined practices. Internal audit — and its first and second line counterparts — must determine whether appropriate measures are in place to address third-party risk. This process begins by identifying and understanding two key data points: 1) Who are the organization’s vendors and external partners (and their subcontractors or providers)? and 2) What information is being shared with them? Once the landscape and risk profiles are understood, appropriate governance and monitoring can then be established.
Identifying key vendors is the initial step — keeping in mind that individual relationships and vendor service structures must be fully understood. Does the organization use an external data center provider? Are there software as a service (SaaS)-based applications used within the organization? Is application development performed by an external provider? Where do external business partners exist within key operational business processes? What external entities do the finance, human resources, legal, security, and other corporate teams use to support their functions?
Certain functional areas and systems within the organization can assist in beginning the identification process. Procurement and legal are two functions that should have an understanding of the external partners and associated contracts in place. Review of payables data and vendor master data also can help identify external entities providing services. Discussion with divisional or functional management teams will help validate understanding of the entire third-party landscape, including process dependencies and integration points, as well as the scope of services the vendors provide.
During the identification process, a “follow the data” approach should be applied. Internal data governance processes often aid in identifying data components and associated risk. This is the foundation for understanding which data elements to follow in this process. Data that is identified in categories such as “high risk” or with specific regulatory requirements must be traced through its life cycle to all sources. This includes anyone in the vendor process who may handle the data.
During the data tracing process, the consideration of “fourth-party providers” also must be included. Fourth parties (or fifth or beyond) are vendors or subservice providers used by an organization’s direct vendors — extending the risk and governance requirements even further into the supply chain. These can be identified through review of vendor contracts (as they often will specifically state whether services can be subcontracted), but in many cases are identified only during inquiry and discussion with the vendor directly. They all must be assessed, as any exposure to risk must be identified and appropriately mitigated.
Along with developing a comprehensive inventory of the vendors providing services across the organization, organizations are well-served by establishing a standard rating or assessment criteria structure to consistently assign a risk classification or other rating to each external business partner. Internal audit can help build or enhance this classification framework based on its understanding of risk assessment principles, as well as its knowledge of business operations and key risk points.
Often, the vendor risk rating or classification structure will include assessment of data being shared, vendor operations, potential customer impact, regulatory considerations, and level of dependency on the vendor for ongoing operations (e.g., system availability or other operational requirements). These categories should be assigned quantifiable metrics where possible, based on risk thresholds established by the organization. Using this standard classification structure, the organization can identify critical vendors and structure the assessment process in a prioritized fashion, aligning risk with associated review frequency and depth.
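To make the two preceding ideas concrete (following data through direct vendors into fourth parties and beyond, then scoring each entity against the categories listed above to set a review cadence), here is an added worked example. It is not code from the article or from any vendor management product; the vendor names, the data-class taxonomy, the category weights and the tier thresholds are all constructed assumptions that an organization would replace with its own.

```python
"""Vendor inventory, "follow the data" tracing into fourth parties and beyond,
and a weighted risk classification that maps each external entity to a review tier.
Constructed example: the vendors, category weights and thresholds are assumptions."""
from dataclasses import dataclass, field

# Ordinal sensitivity of data classes (assumed taxonomy; "regulated" carries regulatory obligations).
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}

# Category weights and tier thresholds: (minimum score, tier, review interval in months). Assumed values.
WEIGHTS = {"data": 3, "dependency": 2, "customer_impact": 2, "regulatory": 3, "depth": 1}
TIERS = [(18, "critical", 3), (12, "high", 6), (6, "moderate", 12), (0, "low", 24)]


@dataclass
class Vendor:
    name: str
    service: str
    data_received: set = field(default_factory=set)  # data classes we send it directly
    dependency: int = 0       # 0..3: how much ongoing operations depend on this vendor
    customer_impact: int = 0  # 0..3: impact on our customers if the vendor fails or is breached
    subcontractors: dict = field(default_factory=dict)  # sub-vendor name -> data classes passed on


def expand_inventory(direct, registry):
    """Follow data from direct (third-party) vendors through declared subcontractors.

    Returns name -> (depth, effective data set, path). A sub-vendor receives a data class
    only if a parent actually passes it on, and a parent cannot pass on more than it received.
    """
    found = {}
    stack = [(v.name, 1, set(v.data_received), [v.name]) for v in direct]
    while stack:
        name, depth, data, path = stack.pop()
        if name in found:  # reached by another path: keep the shortest path, union the data
            d0, data0, path0 = found[name]
            found[name] = (min(d0, depth), data0 | data, path0 if d0 <= depth else path)
        else:
            found[name] = (depth, set(data), path)
        for sub, passed in registry[name].subcontractors.items():
            if sub in path:  # cyclic subcontracting declaration; do not loop forever
                continue
            stack.append((sub, depth + 1, set(passed) & data, path + [sub]))
    return found


def risk_score(vendor, depth, data):
    """Weighted score over the article's categories; depth adds for reduced visibility into nth parties."""
    parts = {
        "data": max((DATA_SENSITIVITY[d] for d in data), default=0),
        "dependency": vendor.dependency,
        "customer_impact": vendor.customer_impact,
        "regulatory": 1 if "regulated" in data else 0,
        "depth": depth - 1,
    }
    return sum(WEIGHTS[k] * v for k, v in parts.items())


def classify(total):
    for floor, tier, months in TIERS:
        if total >= floor:
            return tier, months


def assess(direct, registry):
    """Produce the prioritised assessment plan: one record per external entity, direct or not."""
    plan = {}
    for name, (depth, data, path) in expand_inventory(direct, registry).items():
        total = risk_score(registry[name], depth, data)
        tier, months = classify(total)
        plan[name] = {"depth": depth, "data": sorted(data), "score": total,
                      "tier": tier, "review_months": months, "path": path}
    return plan


def who_handles(plan, data_class):
    """Every entity, at any depth, that ends up handling a given data class."""
    return sorted(n for n, rec in plan.items() if data_class in rec["data"])


def sample_inventory():
    """Constructed vendor landscape (fictional names)."""
    vendors = [
        Vendor("CloudHost", "data center", {"regulated", "confidential", "internal"}, 3, 3),
        Vendor("HRPayrollSaaS", "payroll SaaS", {"regulated", "confidential"}, 2, 0,
               {"PrintMailCo": {"regulated", "confidential"}}),
        Vendor("DevShop", "application development", {"internal"}, 1, 1,
               {"OffshoreDevSub": {"internal", "confidential"}}),  # confidential never reaches the sub
        Vendor("MarketingAgency", "campaign management", {"public"}),
        Vendor("PrintMailCo", "payslip printing", set(), 1, 1),  # fourth party
        Vendor("OffshoreDevSub", "contract developers"),          # fourth party
    ]
    registry = {v.name: v for v in vendors}
    return vendors[:4], registry  # the first four are our direct vendors


if __name__ == "__main__":
    d, r = sample_inventory()
    for name, rec in sorted(assess(d, r).items(), key=lambda kv: -kv[1]["score"]):
        print(f'{name:16} depth={rec["depth"]} score={rec["score"]:2} {rec["tier"]:8} '
              f'every {rec["review_months"]} months  via {" -> ".join(rec["path"])}')
```

Two behaviours are worth noting. PrintMailCo, a fourth party, lands in the same tier as the direct vendor that uses it because regulated data actually reaches it, while OffshoreDevSub is rated low even though its parent declares it may receive confidential data: the parent never received that class itself, so the tracer does not credit the flow. Tier thresholds and weights are where an organization's own risk appetite belongs.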
While this article focuses specifically on recommendations to be included in the vendor assessment process, a full vendor management program includes the entire life-cycle process for managing vendor relationships — from planning and selection to ongoing monitoring. Specific design of the vendor assessment process and approach must be aligned with organizational requirements; however, certain focus areas are appropriate for most companies. Common elements may include:
- Information Security — technical configurations, security architecture, access management, monitoring, and incident response.
- Physical Security — facility access, security monitoring, and document control measures.
- Policies and Programs — program and governance models, policies and standards, and reporting structures.
- Human Resources — background checks/verifications and associate training programs.
- Availability — system maintenance and monitoring process, support and operational oversight, and system change processes.
- Business Continuity — disaster recovery and business resumption plans.
- Regulatory Compliance — key requirements may apply to specific data types or industries; the Health Insurance Portability and Accountability Act and General Data Protection Regulation are examples of regulations including specific requirements in regard to third parties.
- Vendor Management — extension of requirements to subservice providers and associated monitoring.
During the vendor review process, it is likely that gaps will be noted between expectations or obligations and actual practices. Effective risk management for third parties also includes ongoing monitoring of vendor response to concerns to ensure they are appropriately addressed.
Implementation and operation of a third-party risk management program is not a small undertaking. However, when considering the business risk associated with vendors and operating with an extended enterprise model, the opportunity for reducing risk and potentially better leveraging vendor partnerships clearly demonstrates the necessity and value of the effort. A measured and phased approach will address the most significant risks as the program matures over time.