Identifying critical third parties and ensuring compliance with contract set
Tausif Khan, Associate Director, Third Party Risk, DTCC
Below is an insight into what can be expected from Tausif’s session at Vendor & Third Party Risk USA 2023.
The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
How can we ensure terms and conditions set by the contract owner are monitored? How can we audit this?
Terms and conditions are a vital step in making sure critical third parties are monitored effectively. One of the major requirements for a robust risk management framework is to ensure that contract terms and conditions are aligned to the service expectations from critical third parties. When developing contract terms and conditions, contract owners should ensure a few important steps take place, including but not limited to:
1) Define scope of contracts
2) Set standard contractual terms
3) Address due diligence requirements
4) Ensure legal review
5) Establish requirements for periodic renewals
While these are important steps to ensure critical third party contracts cover important terms and conditions, effective monitoring requires involvement from the business that is utilizing the services of a critical third party. Monitoring differs from organization to organization depending on how critical third parties are defined but generally monitoring can take place through the following:
1) Service Level Agreements (SLA) and Uptime monitoring
2) Periodic performance surveys
3) Meetings with critical third parties
4) Contract renewals
To ensure these monitoring steps are followed and audited, organizations can put policies and procedures in place that require a second- or third-line function to perform periodic testing of adherence to contract requirements and monitoring. The level of detail for this testing and/or these audits will differ depending on organizational resource requirements; however, organizations should ensure policies and procedures are in place to monitor the terms and conditions in contracts.
Why is it important to prioritize compliance with terms and conditions, particularly in critical third parties?
Critical third parties are defined as those service providers that an organization relies upon to provide its core products and services. Failure of these third parties will pose significant and material risk to the organization’s ability to meet its obligations. Therefore, it is crucial to ensure that compliance with terms and conditions for critical third parties is prioritized. This will enable effective due diligence and assist in creating a robust risk management framework.
It is important to ensure that these contract terms and conditions are prioritized, as these third parties pose severe inherent risks and are vital to the ongoing operations of the organization. Failure to prioritize compliance with these terms and conditions will pose risk down the line in terms of due diligence, open remediation items that require action, performance concerns, and, if not addressed, incidents. Organizations have a few options to prioritize compliance. As mentioned above, compliance can be monitored through periodic testing of adherence to contract requirements and monitoring. Organizations can also establish policies and procedures for the legal team to review contracts, both as part of the onboarding process to ensure all terms and conditions are included, and on a periodic basis for existing contracts to propose necessary amendments and modifications. Following these steps will ensure that compliance with terms and conditions for critical third parties is prioritized.
A critical third party is in financial distress – what can this mean for your institution and what would an exit plan begin to look like?
Well-functioning critical third parties are important to ensure organizations meet their obligations to their clients and customers. When a critical third party is in financial distress, the probability that the third party will no longer be in business increases, and such an outcome will cause significant disruption to the organization and potentially to its clients. Part of having an effective third party risk management framework includes processes for exit/termination in the event of disruptions. Exit strategies are important for critical third parties as they help maintain operational resiliency in the event of disruption, such as financial distress. An exit plan during financial distress will consist of transitioning either to a back-up/alternate third party or to an in-house option. Organizations should consider several factors when exit plans are required, which include but are not limited to:
- Alternate providers
- Timeline to transition
- Stakeholder and resource involvement
- Process to transition
- System dependencies
- Data destruction
- Contractual clauses
An exit plan can be effectively demonstrated by transitioning to an alternate provider or in-house, following the steps mentioned above, and showing minimal impact to business operations during times of distress.
How do we define criticality within vendors?
Criticality within vendors can differ from firm to firm depending on the risk exposure and appetite of different organizations, but as mentioned, critical third parties are defined as those service providers that an organization relies upon to provide its core products and services. Failure of these third parties will pose significant and material risk to the organization’s ability to meet its obligations. Different factors are considered across different industries to define ‘criticality’; however, as a rule of thumb, factors such as data access, service type, availability, impact to clients/customers, regulatory requirements, and operational resiliency are often used to define criticality within vendors. Taking these factors into account, on top of understanding the mission and vision of your organization, will assist in defining ‘criticality’ within vendors. It is important to define ‘criticality’ within vendors accurately based on your organization’s requirements; having an accurate list of critical third parties will drive enhanced due diligence, monitoring, and oversight requirements for these third parties.