The non-core activities of your firm can get in the way of serving your customers. Third parties, including outsourcers, can provide some relief from that distraction, but the administrative load does not completely dissolve. Some smart monitoring and evaluation will go a long way toward protecting your firm’s interests.
Who Brings the Donuts?
All third-party relationships are, or should be, governed by contracts. Can you access all of your third-party contracts? If your answer includes a reference to central storage, you have installed a cornerstone of third-party management. Of course, central storage of the signed physical contracts does not equate to immediate or remote access. Hence, electronic storage of these contracts improves access and adds the benefit of redundancy: the physical storage and the electronic storage are backups for each other.
Another enhancement is a database of key terms and renewal dates. The term “database” does not have to be onerous. A spreadsheet with sensible controls and automatic backup can serve as the database. What are the key terms? Certainly, any obligation to your firm whether it be a payment or a performance activity. Other key terms could include insurance coverages required of your firm or the third party. The rule of thumb: a term that creates a risk or an obligation or that transfers a risk or an obligation is key.
Of course, storing the terms and renewal dates only improves access. The real benefit to be had is through a regular review of the key terms and renewal dates. The reviews may be delegated to appropriate departments, but the database should reflect whether or not every record received a review.
Pardon, Your Data Slip Is Showing
Data privacy and data security regulations are promulgated from time to time. For any new regulation, you may have a contract that needs to be amended or a contract that already has language that automatically creates a new obligation for either your firm or the third party upon the issuance of the regulation. New privacy or security regulations should prompt a review of your contracts and amendment of the ones that need it. Here is where a database of key terms can be of great use. Key terms should capture privacy and security responsibilities imposed on both parties.
Nowadays, third-party relationships almost always include a sharing of electronic data. If that sharing entails connections between IT systems of your firm and the third party, there are obvious risks to be addressed. Just as with contracts, there is a need to centrally catalogue the IT connections your firm has with all of its third parties. You cannot afford to have one escape review and control. Then, these IT connections have to be regularly reviewed for (1) appropriate access (IDs, passwords, permissions, prompt termination of user access when required) and (2) vulnerability.
Who Was That I Saw You With on the Net Last Night?
The websites of your firm and your third parties may be legitimately and necessarily linked. Even if your firm has avoided creating social media for itself — a Facebook page, a LinkedIn profile, etc. — you may find that your firm has a social media presence to manage. Again, as with contracts and IT connections, social media links with third parties have to be centrally catalogued to facilitate review and then regularly reviewed for appropriate content.
Treat or Transfer?
The considerations above suggest several risks that a third party can give rise to: non-performance, data breach and reputational risk.
The good news is that all three of the above risks can be treated and transferred. They can be treated through mitigation. For example, a contingency plan can mitigate the impact of a third party’s nonperformance. What is left over — the residual risk — can be transferred via insurance.
Today’s businesses face increasingly difficult challenges both from within and outside the organization. With a solid Enterprise Risk Management (“ERM”) program in place, you can improve the quality of both internal and external customer service, protect your financial and human capital resources, and safeguard your organization’s valuable reputation.
But first, you have to know what is at risk. As independent risk management consultants, we build a dynamic, ERM framework that is customized to each business’ unique requirements, combined with our proprietary ERM methodology within each engagement structure. Our ERM expertise allows your organization to effectively prioritize your risk exposures, react swiftly to daily operational and emerging risks, as well as seize opportunities as they arise.
Contact us if you need help structuring your organization’s ERM program.