By Marco Icardi, President, Europe, MetricStream
Organisations have become increasingly interconnected and third-party relations exist within almost every business. This interconnectedness has meant that even before the outbreak of COVID-19, there was a growing need for governance, risk, and compliance (GRC) teams to be resilient and better aware of the risks that are “unknown-unknowns”.
As soon as the current health crisis struck, however, the focus on the effectiveness of GRC teams intensified even further. Many businesses found themselves having to pause operations entirely because of a breakdown in their supplier relationships, or were exposed to a multitude of new cyberattacks following the move to remote working and a dispersed, isolated workforce.
The impact of coronavirus has been severe and far-reaching, and since there is no real end in sight, it is important that organisations use this time to delve into and analyse their third-party risk management process for the future.
Lessons to be learned
Over the years, many businesses have started to outsource more to third parties in various regions. When outsourcing to a third party, GRC teams will often assess the risks involved, including IT risks, corruption risks, operational risks, or business continuity risks. Without following this best practice, organisations could be exposed to multiple third-party data breaches, supplier failures, and other incidents which could affect brand reputation, credibility, and profitability.
While organisations may understand that there is a critical need for initial due diligence, exposure to risk does not end after a third party has been onboarded. In fact, a survey by Deloitte of executives responsible for governance and risk management of the extended enterprise found that one in five respondents had faced a complete third-party failure or an incident with major consequences. If there had been a greater focus on resilience and prevention efforts, the impact of these failures could have been minimised.
It is unsurprising that regulators have been calling for better third-party due diligence, including under the Foreign Corrupt Practices Act (FCPA) and Anti-Money Laundering (AML) regimes, and have increased their focus on third-party governance and risk management.
This is an area the pandemic particularly brought to light, as many third-party suppliers and business continuity plans were tested by the rapid transition required in business operations. In times of crisis, when organisations strive to be prudent, staying on top of these external relationships is even more critical to avoid punitive measures.
The action plan needed
Moving forwards, it is clear that businesses need an action plan to ensure better oversight of their third-party relationships and of those parties' resilience, since certain external suppliers provide critical functions.
The first step towards achieving better due diligence is for third-party risk management objectives to be aligned with the business objectives, goals, and strategies. Through these integrated goals, organisations can build a more targeted third-party risk management program with specific controls and risk mitigation strategies to protect the organisation. It also becomes easier for GRC teams to have effective conversations around third-party risks with boards and executives.
As many workforces have relocated to their homes and are isolated from their colleagues, a centralised online repository makes it much easier for teams and third parties across the business to securely access the information they need.
It is also important that each third party is screened and segmented on its associated risks before a contract is entered into. A good screening process is well-defined and automated, so that insights into the potential risks associated with each third party can be established. Information typically collected at this stage includes financial health, IT risk, the business's dependence on the third party, availability of business continuity plans, and much more. Within this process, risk segmentation is extremely useful: third parties can be scored on risk and then categorised into risk tiers.
This in turn enables organisations to better define due diligence activities after the onboarding phase. Once this is done, periodic assessments and audits can be planned to control any risks. To make this process more efficient, businesses can use technology to automate assessment and audit workflows; the findings can then drive further third-party analysis and timely remediation of issues.
Going the extra mile
Although regular assessments and audits can provide the business with much-needed data on a third party, organisations could go a step further and validate the information collected against content from reliable sources, such as Dow Jones. These sources offer deep insights into a third party's profile, financial status, credit rating, regulatory compliance, cybersecurity risks, sustainability ratings, and any other data that can be used to strengthen third-party due diligence. They can also help to identify risk areas that may have been missed.
Issue management may be the final stage in the third-party risk management process, but it is by no means the least important. It is a regulatory requirement to have an effective process in place for third-party issue identification, investigation, escalation, and reporting. Hence, it is crucial for an issue management framework to be established. Organisations should be able to track issues throughout the third-party life cycle, prioritise them based on their criticality to the business and resolve them in a timely manner by collaborating with internal departments, as well as third parties.
By following the third-party risk management steps outlined above, and by learning from the weaknesses that crises like the current pandemic expose, organisations will be better prepared to prevent, detect and respond to third-party risks and disruptions moving forwards, and to avoid reputational and financial losses.