Enhancing due diligence and assessment practices to obtain and develop actionable insights

Codee Woo, Third Party Risk Management Lead, Legal & General
Laura Faure, Third Party Risk Manager, Legal & General

Below is an insight into what can be expected from Codee’s session at Vendor & Third Party Risk Europe.

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

At what points in the Third-Party Lifecycle are supplier due diligence and assurance required, and why?

Suppliers should be vetted and assessed at the pre-contract stage to ensure firms only engage suppliers that can perform the required service within their risk appetite.

Once onboarded, suppliers should be regularly re-assessed. The frequency and depth of review should be commensurate with the level of risk presented by the service. Cyclical re-assessments enable firms to identify, assess and manage emerging risks whilst validating that suppliers remain within the firm’s risk appetite. In addition, material changes to services and significant incidents or breaches should trigger a re-assessment. This enables firms to make an informed decision to either continue or terminate supplier contracts.

What types of due diligence and assurance should firms be performing on their suppliers?

Due diligence and assurance activities should test the design and operating effectiveness of:

  • The supplier’s policies and procedures across operational risk domains, including Information Security, Operational Resilience, Data Protection, 4th Party Management, etc.
  • The supplier’s service performance monitoring controls. Suppliers should demonstrate that they have adequate and functioning controls in place to ensure that service performance is maintained, and that potential issues are identified, managed and remediated.

Design effectiveness testing verifies whether suppliers have relevant policies and procedures in place that meet best-practice standards in line with the firm’s risk appetite.

Operational effectiveness testing involves inspecting evidence that controls exist and operate to implement those policies and procedures in practice.

Firms should regularly reassess their own due diligence and assurance policies and procedures to make sure they account for emerging systemic risks and new regulations.

What is the link between performance of due diligence and ongoing performance monitoring for the suppliers?

The outputs from due diligence and assurance and the ongoing monitoring of the supplier’s performance are interconnected. Heightened performance oversight is required for the firm’s most critical suppliers. Consequently, they will also require the highest level of due diligence and assurance.

Any risks and issues detected by due diligence and assurance should also be factored into performance monitoring activities, as crystallised risks are likely to impact service continuity.

What kind of skillset is required to perform due diligence and assurance? Is it worth using a Third Party assessor?

Due diligence and assurance assessors should have appropriate training/certification, SME knowledge of the risk domains and relevant experience in operating the controls in scope. Retaining due diligence and assurance in-house may be beneficial, as assessors should have a better understanding of the supplier service within the context of the firm’s business activities. It may also be more cost-effective, although there is less flexibility for scalability.

A Third-Party assessor can be beneficial where a firm does not have the capability or capacity to perform reviews in-house. An independent assessor will provide unbiased views and recommendations on the risks and issues identified. This provides an opportunity to challenge the status quo and to access best practices.

Can pooled audits be used for efficiencies?

Pros:

  • Pooled audits can provide a level of assurance on suppliers that would not otherwise directly engage with their customers to complete a full assurance review.
  • Pooled audits can be a useful tool in a firm’s due diligence strategy and a cost-effective way to cover a wide base of controls and support the identification of potential areas of concern. A firm might decide to use pooled audits for medium- to high-risk suppliers and concentrate its own resources on critical suppliers.
  • Via industry collaboration, pooled audit providers may offer customers the ability to influence the product over time.

Cons:

  • Pooled audits can be more focussed on design-effectiveness rather than operational-effectiveness testing.
  • The scope is also not tailored to specific services or industries, leaving gaps for the firm to assess. Parts of the pooled audit might not even be relevant to the firm.