By Evan Tsamas
There are a number of benefits to outsourcing to third-party providers, but do business leaders truly understand the full scope of the holistic risks to their organization when deciding to hire an external provider?
A few of the many benefits include:
- Leveraging third-party expertise
- Saving money, i.e., in full-time employees, systems, and infrastructure
- Meeting short term immediate business needs
From a purely economic perspective, engaging a third party often makes sense. It’s when the third-party activity is complex that economics shouldn’t be the only consideration. For example, is the activity that the third party will provide part of a core organizational process? Will the organization need to share company or client data with the third-party provider? Will the third party have direct interactions with the company’s clients?
What Do Regulators Expect?
Regulators expect organizations to manage the activities performed by third parties as if they were performed by company employees. Their view is, you (as a company) can outsource the activity, but you can’t outsource the risk. This requires the establishment of policies, procedures, processes, and an infrastructure to manage the activities performed by third parties.
What Are the Challenges to Managing Third-Party Risk?
The risks associated with hiring a third party are driven by the activity you are hiring them to perform. Think of it this way ̶ are you hiring a mechanic to fix your car’s brakes or are you hiring a landscaper to cut your grass? These are both activities for which people commonly hire specialists; however, the risks of these activities to our well-being are vastly different. Greater risks require stronger controls.
Let’s take look at some common risks involved when a company hires a third-party provider. Here are some questions to consider.
- Have you built performance standards into the third-party contract?
- Have you built language into the contract that details what happens when the third party doesn’t meet your performance standards?
- Do you have employees with the expertise to manage the performance of the third party?
- Do you have an exit strategy to disengage with the third party if needed? For example, you read in the news that one of your third-party providers is filing for bankruptcy or has been hacked or is being sued.
- What processes do you have in place to safely exchange data with the third party?
- How will you monitor and test the data exchange process to ensure it is working effectively?
- How will those processes evolve to ensure data safety as technology evolves?
- What is the impact to your business/your customers if one of your third parties’ systems goes down?
- Have you included recovery time standards in your contract?
- How will you test your third-party provider’s recovery time?
Client Facing Third Parties
- How will you monitor the performance of third parties interacting with your clients?
- Have you set up processes that allow your clients to give you feedback on client-facing third party providers?
These are just a few of the areas, aside from economics, that business leaders should consider when deciding to hire a third-party provider.
Communicating Your Third-Party Risk Management Program throughout Your Firm
Ensuring that you have all the necessary controls in place from inception through completion of a third-party engagement is critical. Communicating these controls and processes throughout the organization is an integral part of a highly effective Third-Party Risk Management (TPRM) Program.
Here is an example of an effective and successful TPRM Curriculum and Communication Plan that is adaptable and flexible enough to support TPRM program changes in a dynamic, heavily regulated environment:
- Document policies, procedures, processes, and key controls from the enterprise level down to the functional level, as applicable;
- Develop comprehensive mandatory company-wide training with supporting job aids that is role based and takes participants step-by-step through the lifecycle of a third-party engagement;
- Create procedures to ensure that TPRM-related changes have been approved by stakeholders and effectively communicated throughout the organization as needed;
- Store all your critical TPRM documents, policies and procedures, processes, controls, job aids, training, and communications in a readily accessible tool, such as SharePoint;
- Facilitate regular training sessions to provide employees with updates on changes to TPRM program requirements, in conjunction with complementary communications;
- Provide Internal Audit and external regulators with TPRM documentation, training, and communications materials, and
- Partner with contacts in all three “lines of defense” on documentation, training, and communication activities. (The first line of defense is the line of business responsible for hiring the third party; the second line of defense is the Risk Management function, and the third is Internal Audit.)
Evan Tsamas is a learning leader who has worked in financial services for over 30 years. He has extensive experience developing and implementing learning and communication strategies to support large-scale global organizational transformations. His experience includes implementing an extensive Third-Party Risk Management program for a global financial services firm.