In light of increased outsourcing and third-party involvement in day-to-day business operations, financial management functions in all organizations play an important role in third-party risk management programs. A thoughtful approach to better risk management can facilitate reduced costs, a continued focus on core capabilities, and increased growth and innovation, while also managing the exposures associated with third-party relationships.
Recent trends in third-party risk management reflect a noticeable shift toward balancing regulatory requirements, and senior management and board expectations for risk acceptance, against a company’s business model. By asking the following three questions about third-party risk exposure, financial officers can gain meaningful insight into their company’s third-party risk management efforts, insight that can help them better manage risk and improve financial management decisions.
- Does our company have a full inventory of its contracts and agreements?
- While most companies have some type of contract management system, many rely on low-tech storage, such as databases of scanned copies or even hard copies in file cabinets, from which data cannot be extracted. Such repositories rarely contain complete records of all executed contracts, and even simple data points like renewal notification and expiration dates are not tagged, so nothing can be automated around them.
- These repositories typically house multiple documents for each vendor and service, including master service agreements (MSAs), nondisclosure agreements (NDAs), statements of work (SOWs), amendments, and purchase orders (POs). These documents often are not stored in an easily accessible fashion, and the database holding them often is not relational, so an SOW or PO cannot readily be traced to the MSA that governs it.
- MSAs frequently are evergreen, renewing automatically unless terminated. In the past this was a workload-reduction tactic, because MSAs were not thought of as risk management tools that need periodic review.
- Contract terms and conditions don’t keep pace with changes to regulations and the business environment.
- Obligations embedded in contracts that carry financial reporting and accounting consequences, such as unrecorded liabilities, contingencies, and financial commitments, exist but are not understood or monitored.
- Companies should perform a complete inventory of their critical relationships and confirm that every current contract is captured. Each contract should then be assessed to determine whether it meets current regulatory and business requirements, whether its associated documents (MSAs, SOWs, amendments, POs) are linked to it, and whether key data within it, such as renewal and expiration dates, is meta-tagged.
- Companies should establish standard, required contract terms and use technology to track compliance. Increasingly, contracts are moved into third-party risk management systems for a “single-book-of-record” view and improved risk management beyond basic compliance.
- How do we know that our relationships comply with the agreements in place?
- Processes for post-contract management and monitoring often are immature. Financial and invoice reviews frequently are delegated to staff-level resources who lack experience, and the more complex the relationship, the harder it is to tie invoice charges back to the negotiated contract and pricing.
- Monitoring performance against service-level agreements (SLAs) and other performance metrics historically has been limited to IT-related contracts. In today’s competitive global marketplace, however, vendors and other third parties are more inclined to offer an array of SLAs that are attractive and meaningful to their customers. Ensuring that the company actually realizes the benefits it negotiated in those SLAs is an important component of third-party risk management, and one that can directly affect the bottom line.
- Forward-looking financial management functions increase consistency and reduce the workload of internal resources by establishing standard key performance indicators for critical relationships and by using technology, such as portals through which third parties report their own performance data.
- An experienced professional should analyze significant contracts that have been in force for some time to identify those that pose a higher risk for billing-related discrepancies. Processes and controls should be established and enforced to manage these risks going forward.
- Examine contingency engagements to identify billing variances and cost-reduction opportunities, particularly for services such as IT and telecommunications.
- SLAs are important to many types of relationships, and third-party risk management technology can be used to track and report on deteriorating performance in critical relationships.
- Information technology risks should be the shared responsibility of the line of business (first line of defense and relationship owner) and the information technology or security subject-matter experts (second line of defense and risk experts) within a company. It is also very important for risk committees to report on emerging risks and serious incidents and to ensure that these events are remediated in a manner that aligns with the company’s overall strategy.
- How do we identify all relevant third parties and manage the overall effort?
- The potential universe of third parties within an organization can seem endless — from global companies to intercompany affiliates to mom-and-pop providers.
- The potential universe of third parties is never constant: companies constantly are onboarding and terminating third parties and expanding or reducing third-party services.
- While it is important to build data and artifacts (certificates of insurance, documentation of financial viability, or SOC reports, for example) that support your risk assessment at the third-party relationship level, it is easy to lose sight of the plan to address the entire population of third-party relationships. That population includes not only vendors but perhaps also (depending on how the company defines “third party”) franchisees, commissionable external salespeople, or debt holders, among others. This is one area of risk management where completeness counts.
- Create a strategy and roadmap to systematically identify third parties using an inclusive definition.
- Invest in the initial data-gathering phase and involve others across the enterprise. Effective sources of relevant information include surveys conducted by the various lines of business, contract repositories and databases, accounts payable systems, and legal counsel. The process needs to be sustainable, or the population soon will become stale.
- Perform an initial review of third-party relationships by identifying categories and potential risk factors to assist with prioritizing the evaluation. The project strategy and roadmap should start with the third parties that pose a higher risk.
- The project roadmap should include necessary activities and the timing and resource needs related to existing and future third-party due diligence and assessments. Realistically, when a company does an initial assessment of all third-party relationships, resources may need to be increased temporarily until the backlog of assessing existing third parties is completed and a sustainable cadence is in place for new third-party relationships.
As organizations work to effectively manage the risks associated with third-party relationships, their financial functions are applying a more thoughtful approach to better risk management. Working through the three important questions discussed here can help financial officers reduce costs, manage risks, focus on core capabilities, and potentially increase growth and innovation.
Michele Sullivan is a partner with Crowe Horwath. She can be reached at [email protected]