One of the more complicated parts of third-party risk management: contract management should not be overlooked. In this area of risk, individual assignment of accountability is paramount.
#Third party oversight process series#
In many cases, it’s a series of ongoing reports of activity in others, it may be reports of consumer complaints or notification guidelines in the event of certain activities occurring (e.g., breach, management departures, etc.). Many of these are dictated in the service level agreement of the third-party contract as to what types of items will be required. Once signed, there are continuing obligations to watch that third party. The assessment process will inform all other areas of TPRM and also dictate the need for follow-up actions and frequency of review. The risk assessment process should look at both business impact risks as well as regulatory considerations. Careful review and input from subject matter experts around the organization should inform the process. Perhaps the core component of all of third-party risk management: the information risk management process should be thorough and, again, tailored/risk-based to match the product or service being outsourced. Anything not gathered in the initial due diligence process should be written into the contract to be certain it can be obtained post-contract approval. For others, the additional due diligence steps will be dictated by the type of product or service being outsourced – for a core processing company, perhaps things like the SOC2 report and evidence of network penetration testing.
For all companies, certain elements (often Tax ID, legal name, address, business license, articles of incorporation) should always be obtained. This is the art and science of gathering the appropriate artifacts of the company’s structure, history, and ownership.
The scope of what types of third parties are in or out (e.g., many exclude utility companies and the postal service) should be outlined as well. Learning of a new third party only when a problem occurs is definitely a good warning indicator that it is time to review the selection process and instill greater control. Ideally, this should be outlined in the company’s third-party risk management policy and program. There should be carefully and clearly defined steps on how a new third party is chosen, vetted, and – ultimately – approved. While this isn’t an exhaustive list, certain industries may need to bolster it with things like supplier diversity or PCI (payment card industry compliance), but for the purposes of getting the basics right, below are the key elements of third-party risk management. There are several key agreed upon best practice steps – agnostic of industry – that should be considered. What does that mean? Through the consideration of services delivered, for example, it’s important to focus time where it’s most warranted, i.e., high risk or critical third parties (those are ones that, if unmitigated, could cause significant harm to the company or impact the customer). Done well, third-party risk management can help to shield the company against data breaches, eliminate costly mistakes, avoid consumer harm, and generally increase the resilience of the company against unwanted actions.Īt its heart, third-party risk management must be risk-based. There is a lot wrapped up in the definition – no longer is it simply a vendor to consider, but any company involved in the delivery of products or services. In the classic sense, across industries, third-party risk management is the consideration and control over outsourcing a function that typically is done within the organization to an external party for the purpose of delivery of a product or service to the consumer or a service provided to the company. Let’s examine what third-party risk management means. In today’s world, where we have seen massive supply chain disruptions, data breaches, enforcement actions, and a stunning series of customer failures, the world of third-party risk management (TPRM) has never been under more scrutiny.
0 kommentar(er)
