The third-party risk management lifecycle is a common term used to describe the stages of risk you need to manage with your third parties throughout the length of your relationship with them. Third-parties come with a variety of risks that include reputational, operational, information security and compliance risks, among others. All of these risks need to be assessed and managed.
Establishing effective third-party risk management is not meant to be a deterrent from working with the vendors, suppliers, agents or other businesses that help make your company run. It’s actually the opposite. Effective risk management allows you to work with those third parties that provide the best results (and the least risk) to your organization’s success.
That’s why it’s so important to understand and mitigate risks throughout the third-party risk management lifecycle, which consists of three natural points in the relationship:
- Pre-Contract – before you enter a formal relationship.
- Contracting – when you negotiate key terms and provisions, and determine how you will share risk between the parties.
- Post-Contract – after you enter into the relationship all of the way through termination.
Let’s go a little deeper into each of these three stages.
Stage 1: Pre-Contract Risk Management
The first stage in the third-party risk management lifecycle comes before the relationship even starts; that is, before you enter into a contractual agreement. There are two critical activities that happen here.
The first activity is the third-party risk assessment, the purpose of which is to identify and understand risks that are naturally inherent in the relationship. This is done by completing an inherent risk questionnaire that helps to tease-out things like:
- How critical are the services being proposed by the third party?
- Will the third-party have access to your sensitive information?
- Will the third-party have access to your offices or direct interaction with your customers?
- Will they be using any subcontractors of their own to provide services to you (i.e. your ‘fourth parties’)?
Identifying these inherent third-party risks is critical, as you use this information to conduct risk-based due diligence on them. This, again, is a crucial step to the risk management process as it allows you to dive deeper into the third party’s policies, systems and controls to understand whether any ‘residual risks’ remain that you need to address. If the answer is yes, you then have a decision to make:
- Are the residual risks too significant to enter into this relationship, or
- Can the residual risks be mitigated?
If they can be mitigated, then it’s time to move to the second stage of the process.
Stage 2: Contracting
Developing sound contracting principles and provisions is a key component of third-party risk management. It’s important to understand which risks are being assumed/shared by the parties to the relationship, and strike the right balance in how those risks are distributed. Here are nine provisions that help mitigate third-party risk in your contracts.
- Business Continuity and Disaster Recovery – Covers what happens in the event of a service interruption. Should include the right to test a vendor’s business continuity plans.
- Data Ownership and Transfer – Identifies who owns the data that is collected and/or stored, and the process to be followed in getting that data back when you want it.
- Indemnity and Liability – Allows for relief in the event a vendor does something wrong or fails to perform, and sets the limits around losses incurred as a result of a vendor failure.
- Information Security and Privacy – Different from data ownership, it restricts the use of the data by permitting the vendor to use data only as required to perform the services.
- Right to Audit – Provides the ability for you to audit the vendor’s operations and records to ensure they are meeting contractual requirements, industry standards and/or compliance with laws and regulations.
- Scope of Services – Defines the nature of the services/products, timing, delivery methods and location. You’d be surprised how often these are too vague to hold anyone actually accountable.
- Service Level Agreements – Establishes agreed upon expectations for service levels the vendor must meet. These are common in technology and outsourcing contracts, and should address expectations for non-performance or breach, and penalties for both.
- Subcontractor Relationships – Requires the identification of 4th parties the vendor may use, and how the vendor is going to monitor their compliance with applicable contractual agreements.
- Termination Events – Defines what triggers termination, and the transition activities that must occur to affect an orderly transition.
Business Owners have a tendency to want to rush through contracting. After all, they need the third party’s goods/services to do their work. Be careful not to rush through contracting just to meet a business need. A strong contract is a critical component for managing third-party risk.
Stage 3: Post-Contract Monitoring
The last stage in the third-party risk management lifecycle – the monitoring stage – starts after the contract is signed. It’s where the real risk begins. Unfortunately, though, it’s oftentimes the one that gets the least amount of focus and attention.
As discussed in my previous blog on 7 Pillars of an Effective Vendor Monitoring Process, COVID-19 has put a spotlight on post-contract risk monitoring as a result of vendors, contractors and other suppliers having to:
- Reduce or eliminate services due to the need to shift to new lines of business
- Address new financial pressures resulting from new competitors, permanent loss of market share or difficulty obtaining working capital
- Address operational issues caused by some of their own key suppliers (your 4th parties) or, in the worst cases, replace them altogether
This is why effective risk monitoring is so important to third-party risk management. There are four, important activities that should be integrated into the post-contract monitoring process.
Continuous Monitoring: Used to provide ongoing visibility into the risk posture of key third parties primarily through data collected through business intelligence tools. Continuous monitoring enables you to maintain a current view into risks with your third-parties that may come from changes to their credit ratings, new lawsuits, major layoffs or other events that may impact their overall health.
Point-In-Time Monitoring: These activities allow you to perform a deep dive into risks on a periodic basis through questionnaires and examination of evidentiary documents such as information security policies, SOC reports and financial statements.
Risk Re-assessments: Risks can change as third-party relationships grow and evolve. You must reassess risk on a periodic basis to evaluate what, if anything, has changed and determine whether additional diligence is required or if contractual changes are needed.
Structured Third-Party Offboarding: Used to ensure third-party contracts and relationships are ‘de-risked’ through a formal offboarding process. This includes things like return/destruction of data, removing access to systems and confirming completeness and accuracy of all deliverables, to name a few.
Putting it All Together
Of course, creating an effective approach to the third-party risk management lifecycle requires adopting a proper framework that you can follow. This ensures you put the necessary fundamentals in place such as policies, procedures and systems to provide quality and consistency to the risk management function.
In summary, the third-party risk management lifecycle starts before a contract is signed and continues all the way through the termination and offboarding of the relationship. It’s critical that you create the right systems and controls throughout the lifecycle to effectively identify and mitigate your risks with third parties.