Third-party relationships can be complex, beneficial and potentially treacherous, but risks can be mitigated with the help of an actionable lifecycle management model and an appropriate governance framework.
Friday, September 20, 2019
By Linda Tuck Chapman
Implementing a sustainable, risk-centric third-party risk management (3PRM) program starts with being methodical about translating high-level frameworks and legal and regulatory requirements into sound methodologies, tools and processes. The objective is to identify, assess, manage and control risk consistently, throughout the lifecycle of critical third-party relationships.
3PRM is a “team sport” that must smoothly integrate the responsibilities of contract owners in the first line of defense with procurement and other risk domain experts in the second line of defense. An effective program not only embeds important activities and controls but also serves as an excellent communication tool.
The easiest place to start is to define the key activities that must be undertaken during the lifetime of any third-party relationship. You'll serve your company well if you design a lifecycle management model (LMM) - a visual illustration of the sequential 3PRM steps, from identifying a business segment's need for a third-party product, through evaluating a third-party renewal, all the way to the eventual termination of the relationship.
Figure 1: 3PRM Lifecycle Model
The above diagram is an example of a “universal” third-party LMM that has proven successful, irrespective of industry, sector or geography.
When designing the LMM, the path of least resistance is to start with your vendor third-party relationships. This is where you are most likely to find mature procurement processes and some risk management practices that can be leveraged for an integrated LMM.
If you are going to market for a new third-party relationship, expanding an existing one, or simply exploring the possibilities, your model must start with the business need. You'll need to determine the importance of the third-party relationship in the context of criticality of the activity, product or service for which the third party will be contracted.
Challenges of Inherent Risks
One potential problem is that it isn't always possible to nail down inherent risks. Inherent third-party risk is the risk that your company is exposed to by choosing to contract with a third party (to deliver the in-scope products or services), regardless of which third party you select and in the absence of controls.
To address this situation appropriately, you should build a step into your lifecycle model to identify “preliminary” inherent risks. This step often involves the use of an inherent risk filter - typically, a series of questions with multiple-choice responses. Predetermining the relative risk of each multiple-choice response option brings consistency to inherent risk ratings.
Exposure to inherent risk should be moderated according to how critical the third party's products or services are to the company and the business line. In this context, criticality means reliance.
Having solid information about the criticality of the activity, products or services, as well as your exposure to inherent risk, ensures you risk-adjust your work effort and controls and allows your company to assign the right resources to complete this work. For example, you should commit fewer, or more junior, resources to a low-criticality, low-inherent-risk relationship than to relationships with higher criticality and greater exposure to inherent risk.
Separating criticality from inherent risk strengthens the logic in risk rating methodologies and improves the quality of communication with business leaders, governance and oversight executives, senior management and your board. This can be achieved by “tiering” third-party relationships by criticality and reporting exposure to inherent or residual risk as a separate dimension, expressed as (very) high, moderate or low risk.
More Than Just Vendors
Vendors are not the only type of third-party relationships. Depending on the nature of your business and your industry, there are many other third parties that are essential to your operations. Some examples include third parties that conduct research or testing, resellers, agents, administrators and joint venture and brand partners.
Regardless of the type of “non-vendor” third party, the methodologies, tools and processes found in the vendor LMM are adaptable - and may be suitable for use across a broad spectrum of third-party relationships. The fundamentals are consistent across geographies, industries and types of relationships. The primary differences lie in the drivers of third-party risk, which are dependent on exposure to inherent risks (that may be unique to a specific business segment) and on the tools used to monitor risk.
For vendor third-party relationships, a consistent approach to management and monitoring is usually possible. For non-vendor third-party relationships, the best course of action may be to assign responsibility for design and documentation to the business segment, with the help of a knowledgeable 3PRM expert. From that point, it is a matter of actionable reporting.
Underlying every successful, risk-centric 3PRM program is a risk-informed governance framework. This framework should define the methodologies, controls and oversight hierarchy that are an essential part of the program - a step that many organizations overlook. For more information on governance frameworks, have a look at the COSO Internal Control Integrated Framework (page 6).
Figure 2: 3PRM Governance Framework
The diagram above provides an example of a “universal” third-party governance framework that covers all the bases, irrespective of industry, sector or geography. There are three key elements in this third-party governance model:
Criticality. This is the underlying methodology that segments third-party relationships according to the importance of the product or service to your company. It is an internal view, intended to bring consistency to risk reporting and to risk-adjust work effort. Mature programs typically have five tiers: mission- or enterprise-critical (tier 1); high criticality (tier 2); moderate criticality (tier 3); low criticality (tier 4); and non-critical, i.e., outside the scope of active 3PRM lifecycle management (tier 5).
Risk Ratings. These are rankings for inherent and residual risk. Inherent risk is exposure to risk in the absence of the third party's controls. Residual risk is the remaining exposure to risk after evaluating the strength of the third party's controls.
Independent Challenge. This entails the right and responsibility of risk domain experts in the second line of defense to challenge and escalate actions or decisions that may cause the company to exceed its risk appetite.
A thoughtful and risk-informed approach to 3PRM will drive enterprise value from the outset and enable your program to evolve smoothly over time.
Linda Tuck Chapman is the president of Ontala Performance Solutions Ltd. and Ontala Education Solutions Ltd. She is the author of Third Party Risk Management: Driving Enterprise Value and the creator/faculty for the “Certified Third Party Risk Management Professional” (C3PRMP) program.