By Mick Kless, CEO CRVPM ll, © 2017 Compliance Education Institute LLC
Leadership that fully understands the multiple dependencies, complexities and risks presented by the depth of the 3rd party supply chain is better able to leverage the value that effective risk management and mitigation strategies provide. With the implementation of effective risk management practices, compliance with regulations for 3rd party oversight is a natural bi-product rather than being the ultimate goal of the program.
In order to fully realize the value and benefits of an effective 3rd party risk management program, it must be embraced by the institution as the strategy that helps protect its long-term reputation and guards against the financial and operational impact that 3rd party engagements represent when not executed to the institution’s standards. Rather than being perceived as a money pit, an adequately funded program should be looked upon as an investment in the tools, staff, supporting systems and processes required to evaluate and manage the risks presented by 3rd party relationships and the 3rd party risk management supply chain inclusive of significant 4th parties, 5th parties and so on. The end result of the investment in such a program is the business value driven from the following key components which executive management must ensure are in place and operating effectively:
- A formal 3rd party risk management program structure that is implemented, understood and embraced throughout the institution
- A supporting Governance, Risk, Compliance (GRC) Framework
- A defined 3rd party lifecycle
3rd party oversight has grown exponentially in terms of its importance and as a subject of regulatory focus. In fact, the service provider supply chain is now scrutinized by regulatory agencies through all of the significant touchpoints, including 4th parties, 5th parties and so on. The responsibility for protection of data and systems still rests squarely on the shoulders of the institution despite a function being outsourced to a service provider. And accountability for an effective 3rd Party Risk Management program being in place falls squarely on the shoulders of the institution’s Board of Directors and Executive Management.
In many institutions, “vendor management” is still looked upon as a part time job that focuses on a handful of significant service providers without concern for the hundreds or thousands of others that the institution engages either contractually, non-contractually or even via revenue/non-revenue generating referral relationships that expose it to multiple dimensions of risks. The depth and complexity of the entire 3rd party risk management process, inclusive of policy, procedure and people, is rarely fully understood nor is it appreciated for the risk mitigation and value that it affords the institution.
The perception of a Governance, Risk and Compliance framework is that it requires expensive enterprise software and involves a lengthy implementation time, often requiring customized interfaces to numerous disparate systems. Not so when it comes to adapting the concepts to 3rd party risk management. Not to over simplify it but applying a GRC framework requires a well thought-out organizational structure that requires the following in order to be effective:
- Executive Sponsorship at the senior-most levels of the institution
- Policy and Standards to identify , measure, monitor and control the risks associated with outsourcing
- Adequate staff (number of staff and skillsets) with defined roles and responsibilities
- Technology and tools for the staff to be effective and efficient
- Internal checks and balances (Lines of Defense) to ensure that everyone is doing their job
- Timely reporting so that obstacles to achieving strategic goals (risk events) can be addressed quickly and managed effectively
In doing so, the institution achieves the business value of GRC as show below:
- Enables business performance by integrating people, process and technology to achieve greater efficiency through structured roles and responsibilities
- Provides support for strategic priorities
- Identifies risk early in the process
- Transforms silos into collaborative, integrated components that mitigate risk throughout the 3rd Party Lifecycle and promotes better decision-making
There is additional value to be derived from each of the five stages of the 3rd Party Risk Management Lifecycle including 1) Outsource Planning, 2) Selection/Due Diligence, 3) Contract Structuring, 4) Monitoring/Review, and 5) Exit Strategy.