Vendors are a common element in today’s business environment. Outsourcing services and processes to vendors provides flexibility, convenience and cost savings. However, these outsourcing arrangements don’t come without increased risk. Data breaches stemming from third parties have been increasing year over year. When identities are stolen or sensitive information is made public, your customers won’t care that it was the vendor’s fault. Regulators and examiners alike are also taking note, and it can be seen in recent legislation and guidance related to managing third parties. According to the Federal Deposit Insurance Corporation’s (FDIC) Guidance For Managing Third-Party Risk, “An institution's board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.” While services can be outsourced, the risk cannot.
Why is this important? Many organizations continue to outsource critical activities and fail to recognize the risks that arise from those relationships. Whether it is outsourcing certain information technology operations, sensitive data processing and storage, or simple marketing, legal or HR services, sensitive/proprietary information is often shared with third parties without first assessing the security controls within that organization. To that end, third-party risk management is critical when it comes to managing risk across the enterprise. To achieve assurance over activities performed by third parties, organizations should implement sound third-party risk management practices.
When it comes to guidance, there are plenty of great options available. There are many compliance-based guides that may be applicable based on the industry you are in. For example, with our clients in the banking world, the FDIC guidance mentioned earlier comes to mind. At Schneider Downs we are a member firm of the Shared Assessments Program, which provides widely adopted vendor risk management tools and resources for enterprise organizations to evaluate and measure vendor risk. These tools are industry agnostic and provide third-party risk management best practices regardless of the industry you may be in.
No matter what framework or guidance you plan to adopt, some of the key recommendations remain.
Key Recommendations for Third-Party Risk Management
Planning - Develop a plan to manage third-party risk that defines the risk scope, the outsourced services and the data in use, so that the associated risks can be controlled. Inventory your vendors and the type of data that each of them holds.
Due diligence and third-party selection - Conduct reviews of third parties prior to signing contracts, and annually thereafter. To assist with this review, obtain and review independent reports, such as SOC 1 and SOC 2 reports, to ensure that third parties are complying with industry standards. In the absence of these reports, use an industry-adopted best practice such as the Standard Information Gathering (SIG) questionnaire.
Contract negotiation - Develop contracts with third parties that clearly outline the responsibilities of each party. Contracts should be reviewed regularly, with the review schedule written into the contract itself, to ensure that they address current third-party risks. Contracts should also include a “right to audit” clause.
Ongoing monitoring - Perform IT and operational assessments of third parties’ internal controls on a regular basis to ensure that third parties have appropriate controls in place for protecting sensitive/proprietary information. Continuous review is necessary to understand the most current level of risk for each vendor.
Termination - Develop contingency plans for transferring activities to another third party, bringing the activity in-house, or eliminating the activity (and associated data) altogether.
In addition to the aforementioned activities, organizations should assign responsibility for third-party management to appropriate members of the organization with sufficient knowledge of the enterprise risk management process and of the nature of third-party relationships. Standardized documentation and reporting procedures should be implemented to ensure that third-party management activities are being performed and reported on appropriately. Lastly, organizations should perform independent reviews of their third-party management programs to ensure that third-party risk management activities are appropriately aligned with their enterprise-wide risk program, that they meet industry-recommended best practices and that they effectively manage the risk posed by third parties.