By Philip S. Renaud II, MSc, CPCU, Executive Director, The Risk Institute
Recent surveys by The Risk Institute at The Ohio State University have confirmed that more organizations are looking to outsource some or all of their Risk Management functions to third parties. This action aligns with overall business trends to extend wider relationships to third-party business transactions.
When we think of what the third-party or Nth-party (when a third party retains an additional support organization) risk is to a business entity, we should focus on how organizations are turning to specialized firms to transact both critical and non-critical services, as well as key business components. The act of transacting with a third party to support key business processes, by definition, creates risk to an organization that will require an extended compliance or audit function effort. Examples of third-party risk areas include tiered suppliers, cloud service support, finished goods, accounts payable service, IT support or emerging technology development. Each of these examples require that the organization extends additional compliance efforts so the primary/hiring firm has assurance that the goods and services supplied meet the requirements set forth in the service agreement. As such, best practice should include a strategic set of processes that, at the very least, include:
- Robust Risk Assessment: Does a sufficient need exist to justify the retention of a third party? Compliance processes should exist to assure that the risk assessment is extended beyond the initial term.
- Risk Monitoring: A regular and continuous risk assessment process is critical. Is the third party acting in accordance with the agreement? Are services, products or other exposure areas aligned with intent?
- Auditing and Training: Third-party relationships are subject to compliance and audit reviews. Have internal/external audit guidelines been developed and implemented? Are key elements including FCPA (Foreign Corrupt Practices Act) or UK Bribery Act considerations being put in place to assure compliance? Consistent training and monitoring of the agreement, relationship and deliverables are key to an effective program.
- Formal Record Keeping: All work toward compliance must be recorded and monitored. Consideration should be given to a formal KPI (Key Performance Indicator) report at Board level to assure visibility and awareness to a third-party risk mitigation strategy.
Depending upon the industry, regulatory oversight will be a function of the underlying program structure. Within the financial services community, for example, guidance issued by the Office of the Comptroller outlined expectations for third-party relationships. Statements have been issued to hold financial institutions’ leadership to the same standard even if transferred to a third party. This raises the question of who should have oversight of third-party risk within the firm. Certainly, with risk that could impact a firm in several key strategic, operational and financial areas, the ultimate responsibility will rest with the Board. A significant part of the CRO (Chief Risk Officer) responsibility should be devoted to the oversight and compliance of third-party risk. If a firm has made a conscious decision to outsource some or all of the Risk Management function to a third party, the same level of diligence should apply. In that example, one could argue that an even higher level of diligence by key leadership should be applied and monitored to the extent that a critical management layer has been either reduced or eliminated.
For businesses that are within the industrial sector, the evaluation of third-party risk relationships is just as critical. As has been reported within the press for several months, Boeing recently decided to outsource the software design and development for key components of the 737 Max aircraft. This is a classic example of third-party risk. In this case, the organization, in a cost containment effort, implemented the transition to third parties while at the same time laying off experienced engineers. The third parties engaged were, in some instances, from firms that may have lacked the experience and knowledge of the Boeing engineers. We are aware of the downstream impact of decisions related to this particular aircraft and the extended impact on the reputation, brand and public trust of the organization. While not all third-party related risk decisions may rise to the level identified within this example, it is important to understand that a challenged third-party risk could easily extend to the brand and reputation of the sponsor organization.
Several risk assessments have outsourced critical business components to third-party entities. In most instances, the transferring party has not thought through the downstream impact of service failure or disruption. It is incumbent upon an organization to consider the impact of failure to deliver on the third-party obligation. Has a resilient strategy been implemented? Do we need to consider alternative suppliers? Should you have alternative plans to build supply chain solutions that may be from a different region? All are critical to understanding the dynamics of third-party risk. Proper risk management strategy would dictate that consideration be given to providing for the exposure within the underlying service level agreement.
Third-party risk in the 21st Century will continue to evolve. As globalization increasingly impacts our business world, the need to engage specialized services will also continue to evolve and grow. Economic stress could extend the need for third-party involvement as we saw during the Great Recession of the late 2000’s. This is not necessarily negative for businesses, but it is an area that will require a different – and evolved – set of skills to manage.