Risk Management, by Scott Bolderson, Director at Protiviti

Companies are increasingly reliant on outsourced service providers to manage or store their corporate data and to support business services. Although there is a strong business case for outsourcing, one aspect that cannot be fully outsourced is the risk associated with loss of data, damage to the corporate brand, breaches of confidentiality and failure to comply with legal and regulatory requirements. As responsibility cannot be outsourced, companies will ultimately bear the brunt of any lapse in the service that subsequently impacts their operations. The only way to mitigate this is by exercising better control over third party service models.

Here are some insights into key components of an effective third party risk management model:

Risk Management versus blanket control adherence

Many organisations spend too much effort prescribing a set of standardised controls that their vendors must meet, without evaluating whether those controls are truly aligned to the risks of the service being provided. The same is reflected in the assessment process, where organisations are disproportionately focused on receiving completed control questionnaires or completing every step of an onsite work programme, and do not spend enough time evaluating whether the responses and/or evidence provided adequately address the underlying risk. In our experience, more value is derived from understanding and evaluating suppliers on their approach to mitigating the set of risks relevant to the service they provide.

Pre-contractual due diligence

Too often, third party assessments are point-in-time exercises performed on an irregular basis over the lifetime of the contract. Organisations need to assess the risk associated with potential third party services at the pre-contract stage. We have found that this provides management with relevant information for use during negotiations, and enables them to judge whether any poorly controlled risk falls within risk appetite. If the supplier is subsequently contracted, an upfront understanding of the risks posed by the service enables a better tailored assessment approach and work plan for future assessments.

Risk tracking and reporting

Companies fail to track the critical actions in remediation plans agreed with their suppliers. They also struggle to consolidate and report effectively on third party risk exposure across the organisation. An effective third party risk management and reporting framework for your organisation should consider leveraging proprietary technology available in the market that enables risks to be assessed, categorised, logged, tracked and reported on.

Risk acceptance not risk avoidance

A common pitfall of accepting the risks associated with control issues, rather than remediating them, is that management often does not revisit those risks after the initial acceptance. Factors such as changes in regulation, or a potential expansion or change in a vendor's service, cause risk profiles and priorities to alter over time. An effective approach treats risk acceptance and monitoring as a continuous process, and builds this into the framework methodology.