The Savvy Director >> Weekly insights delivered to your inbox on Sunday mornings. Click here
Join Now Blog Courses ChatDPQ Login

Oversight of Third Party Risk

prepare for meetings Jul 09, 2023

Organizations are becoming more and more dependent on third parties to provide the services they need to stay in business – from IT to accounting, from customer service to HR, and more. And the more we rely on third parties, the more important it is to evaluate and manage our exposure to associated risks.

The board of directors plays an important role by ensuring there’s a focus on effective third-party risk management before problems arise from the increased risk exposure.

 

What do we mean by a ‘third party’?

A third party is any company, vendor, supplier, agent, joint venture partner, or distributor that interacts with or on behalf of an organization. They can provide all types of services, from processing payroll to running data centers. Sometimes third-party local country experts, lobbyists, or joint venture partners are used to drive business in new locations.

Here are a few examples of third parties:

  • Software as a Service providers (SaaS)
  • Data centers
  • Computer hardware
  • Consultants
  • Payroll services
  • Office suppliers
  • Janitorial services
  • Marketing and advertising

Using third parties is a natural part of business today. They provide valuable services that would be too difficult or too expensive for organizations to carry out themselves. Proper third-party management helps organizations save money, increase profits, and take their products to market faster. They allow small organizations to offer products and services that they otherwise couldn’t contemplate.

Third parties are specialists who bring talent, experience, and resources that are vital to an organization’s success. Some of the reasons organizations choose to outsource include:

  • Access to technology. Third parties can provide access and updates to the best and latest technology available in the market, especially in the IT industry.
  • Expert opinions. Outsourced professionals are experts with years of experience in their field. They understand the demands, add the knowledge gained from experience, and allow the organization to save money on training and development.
  • Productivity. Outsourcing frees up staff time and resources for other projects.
  • Customer support. Outsourced customer support can provide better service and longer hours than the company could afford to provide otherwise.
  • Staying competitive. By using third parties, small and medium enterprises (SMEs) can have a shot at competing with the big companies.

 

Third and Fourth Party Risks

While third parties provide many benefits, they also bring risks. And third parties often have their own vendors. From your organization’s point of view, these are ‘fourth parties.’ As you continue down the line of your vendors and your vendors’ vendors, it’s difficult to get a handle on all these entities and the risk exposure you truly have as a result.

Third party risks vary according to the type of services your organization uses, and how dependent it is on those outsourced services. Let's look at several of the most common types:

Cybersecurity risk. Cybersecurity is - or should be - top of mind when you contemplate your organization’s third party risk exposure. As organizations become increasingly dependent on and integrated with third party service providers that access, transmit, and store the organization's sensitive data, the threat of third-party breaches grows. Third parties are like a “back door” into your organization’s private networks, elevating the risk of data privacy breaches and cybersecurity incidents.

Compliance or regulatory risk. If your service provider fails to comply with applicable laws, regulations, or guidelines, your organization may find itself subject to monetary penalties or legal action. Examples of compliance risks include violating data privacy laws, anti-money laundering, consumer and employee protection laws, and industry-specific requirements for certain sectors. Your own organization may have the necessary controls in place, but if you add third parties to the mix without due diligence, you could inadvertently breach your own compliance stance.

Reputation risk. A third party's actions or decisions can impact your customers' perception of your organization. Negative publicity and customer complaints can harm a company's good name, and unfavorable perceptions can begin with issues that originate with a third party. Today’s consumers want to understand the practices of the businesses they interact with. Unethical practices of third parties can go viral and turn into a brand crisis for your organization. The reputational impacts may far exceed any financial damage.

Customers don't see that your assembly, your product, your services, your ability to interact with them is supported by third parties. They only see your name, your brand, and your inability to satisfy the commitment you've made to them.

Operational risk. When a third party's product or service is necessary to maintain daily operations, a natural disaster or cross-border trade restriction that disrupts the supply chain can hinder operations, especially if alternative sources aren’t available. And if your organization obtains several critical products or services from the same third party, you can be impacted more severely than if they were provided by a variety of different third parties.

Financial risk. If your organization is highly dependent on external service providers, you need be concerned about their financial health. Increasing costs, decreasing revenues, or losing a major customer can force your third party to discontinue a service that’s crucial to you, or even go out of business entirely.

Strategic risk occurs when your third party's actions and/or decisions fail to help your organization meet its goals and objectives. For example, if your third party uses outdated technology, it may become difficult for your organization to perform normal operations.

Geopolitical risk. Suppliers with operations in countries prone to regime volatility, violent uprisings, or oppression of minorities, require careful and continuous monitoring. Organizations need to thoroughly vet their third and fourth party contractors for connections to governments that engage in nation-state cyber espionage.

 

Third-Party Risk Management

In response to their increased exposure to third party risks, many large organizations are putting in place a third-party management program (TPRM). Smaller organizations may not have a formal program, yet still find it prudent to have in place some of the critical elements of an effective TPRM, such as the following:

  •  The right leader. This could be the chief risk officer, the head of supply chain, or some other operational function. What’s important is that the leader has the ability to break down silos between functions.
  • The ability to access resources. Assessing risk appropriately usually requires resources from some or all of the following functional areas: IT, compliance, legal, HR, finance, cybersecurity and privacy, procurement, internal audit, and business units.
  • A tailored approach. The level of diligence required to assess risk differs according to the exposure. If an organization shares only limited data with its third parties, then it needs a less rigorous  process than if large amounts of sensitive data are shared.
  • An ongoing monitoring program. Effective monitoring of third parties requires periodic assessments – either internal or independent.
  • Technology. Technology to automate the program can support the onboarding and reporting processes by expediting the assessment process and allowing for more impactful and clearer reporting.

 

The Board’s Role

The sheer number of third-party relationships (not to mention fourth parties and beyond) makes it difficult to oversee the risks involved. Having an efficient and effective TPRM — including oversight from the board of directors — is critical for large organizations. Even smaller organizations will benefit from an increased focus on these risks.

TPRM is management’s job of course. But the board of directors has a role to play in overseeing it – making sure that third party risk is on the radar, that the right resources are provided and focused on addressing it, and that appropriate mitigation is in place. Some ways the board can do this include:

  • Delegating oversight to a committee. It’s common to delegate regular oversight to a board committee – the risk committee if there is one, otherwise the audit committee would normally be tasked with it. The full board still needs to understand how management is addressing third party risk.
  • Understanding the third party risk landscape. The board needs to understand how the organization leverages third parties, which service providers are integral to its operations and strategy, what processes and controls are in place, and how third-party relationships are managed.
  • Seeking assurance as to third party controls and processes. Boards can look for assurances about the controls and processes in place at the third parties. They may ask about the role of internal audit in reviewing those key controls or may look to a periodic independent assessment.
  • Reviewing regular third party risk updates. The board should seek regular updates from management about changes in the third-party risk landscape and how the organization is addressing them on an ongoing basis.

 

Advice for the Savvy Director

The best way for individual board directors to take part in third party risk oversight is by asking relevant questions, whether in committee or at the full board. Here are some useful questions for savvy directors to ask:

  • Who are our significant third party providers?
  • What are the key risks the organization faces from third parties?
  • What are the key risks from more extended suppliers, such as fourth parties or beyond?
  • Who is responsible for third party risk management in our organization?
  • What approach does management take to due diligence on our third parties?
  • What tools does management use to measure and manage third party risk?
  • How can TPRM be more broadly integrated to overcome functional silos?
  • How could we improve our approach to TPRM and better integrate it?
  • Is a risk assessment made periodically or only at the beginning of a third party relationship?
  • How does management ensure that vendor contracts include appropriate language about cybersecurity, regulatory, and compliance risk?
  • How does management offboard vendor relationships to ensure destruction of sensitive data?
  • How does management monitor fourth party risk and beyond?
  • How are third-party risks escalated and is that effective?
  • How is internal audit involved in assessing the TPRM?
  • How, if at all, do we receive and review independent assurance reports on third party risks?
  • Where does oversight responsibility for third-party risk reside within the board and its committees?
  • What information does the board receive about third-party risk? How can that information be improved?
  • What skill sets does the board have to advise management on third-party risk and opportunity?

 

Your takeaways:

  • A third party is any company, vendor, supplier, agent, joint venture partner, or distributor that interacts with or on behalf of an organization.
  • The more organizations rely on third parties, the more important it is to evaluate and manage the exposure to associated risks.
  • Third parties can expose an organization to increased risks in the areas of cybersecurity, data privacy, compliance, reputation, operations, and finances.
  • An effective third party risk management program allows management and the board to assess, monitor, measure, and oversee risks.
  • The board of directors can ensure a focus on effective third party risk management, and individual directors can play their part by asking related questions.

 

Resources:

 

Thank you.

Scott

Scott Baldwin is a certified corporate director (ICD.D) and co-founder of DirectorPrep.com – an online hub with hundreds of guideline questions and resources to help directors prepare for their board role.

 

We Value Your Feedback: Share your suggestions for future Savvy Director topics.

 

Comment

Filter by Topic

All Topics

ask great questions

build governance skills

collaborate with others

demonstrate courage

prepare for meetings

think independently

your governance journey

Recent posts

Do You Need a Governance Professional?
Boardroom Influence - Part 2
Cultivating Your Influence in the Boardroom

Scott Baldwin, ICD.D

Co-founder | Director

Scott has served on boards and provided governance advisory services to boards since 2001. Private company, nonprofit and government agency boards have been his focus. He is now leveraging that expertise with his own director work while helping directors prepare for their board role so they can collaborate, contribute and influence decisions.

Close

Welcome to the Savvy Director Blog

Stay connected with our weekly posts about what it takes to be a savvy board director