Shahran Sayyed is a geology graduate who changed careers by pursuing a risk management course. Shahran began a risk management career after completing the post-graduate diploma in risk management (PGDRM) at GRMI. In the article below he writes about third-party risk management becoming a priority. Shahran is currently working with Grant Thornton and, in his opinion, PGDRM is one of India's best job-oriented courses.
How is Third-Party Risk Management becoming a priority?
A third party is generally a vendor or a supplier. Organizations depend on third-party vendors to speed up production, meet delivery timelines, and reduce costs. Expanding the operational ecosystem through third-party vendors also exposes most companies to risks they did not anticipate. These risks can be significant because they involve stakeholders from different functions, each with access to different systems and processes. Organizations are responsible not only for risk and compliance in their own operations but also for the actions of the third parties linked to them.
The process of analyzing, controlling, and monitoring the risks that a third-party vendor poses to an organization is known as third-party risk management. Third parties need to be assessed and then continuously monitored against the organization's risk tolerance and its regulatory obligations. Done properly, this gives the organization assurance that its third parties do not expose it to unacceptable risk. Companies are now taking steps to make sure that their third parties not only comply with regulations but also protect confidential data, avoid unethical practices, maintain a healthy work environment, ensure supply chain security, and sustain good performance at a high level of quality.
The key trends increasing the focus on third-party risk management are:
- Globalization – Companies with third-party vendors around the world face many different rules, standards, and regulations, which calls for a robust third-party risk management program.
- Virtualization – With the adoption of cloud services and virtual data centers, many companies use third-party vendors to process important business information, which moves that data outside the company's own perimeter. Data held and processed by a vendor can be breached at the vendor just as it can in-house, so the attack surface grows with every such arrangement.
- Regulatory focus – Regulations such as GDPR and HIPAA, together with outsourcing requirements set by regulators, have increased the need for third-party risk management.
- Diversity of the third-party landscape – Third-party vendors in turn connect with their own contractors, distributors, and fourth parties. These parties carry different risk profiles, which makes information about them harder to gather, analyze, and monitor.
Best practices to enhance the third-party risk management program are:
- Manage and assess third-party risks – Risks need to be identified for each third-party vendor. These risks extend across suppliers, contractors, distributors, and other parties, and any of them can affect the organization's product lines and business units. Organizations need to identify third-party risks such as contract risks, legal and non-compliance risks, and risks related to data breaches. It is important to set policies and implement proper controls to mitigate third-party risks. Risk-mitigating controls only work as expected when they are backed by proper monitoring and testing.
- Conduct third-party due diligence – Effective third-party screening and due diligence let an organization select the best firm to work with. Many leading organizations take a risk-based approach to screening and due diligence. An effective third-party program requires a proper onboarding process for vendors, and the assessments carried out during onboarding help determine the level of risk monitoring each vendor requires.
- Focus on IT vendor risk – As more third parties gain access to regulated company information, IT security incidents such as data breaches are on the rise. A third-party risk management program therefore needs to give particular attention to IT vendor risk. Vendors should be categorized by risk profile, and each category should have an appropriate monitoring mechanism. Standardized Information Gathering (SIG) questionnaires can be used to obtain information about a vendor's IT, privacy, and data controls.
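The tiering step in the last point above is usually implemented as an inherent-risk score computed from what a vendor touches, and the resulting tier drives the depth of assessment (full SIG versus SIG Lite versus self-attestation) and the review cadence. The following Python is an added example written for this page; it is not code from the author, GRMI, Grant Thornton, or Shared Assessments. The weights, the tier thresholds, the monitoring plans, and the sample vendors are all constructed assumptions to show the mechanics, and a real program would calibrate them to its own risk appetite. The one deliberate edge case is that any vendor handling regulated data is forced into the high tier regardless of its score, because the regulatory exposure (GDPR, HIPAA) mentioned above does not shrink just because the vendor's system access is small.

```python
from dataclasses import dataclass

# Assumed weights: higher means more inherent risk. Calibrate to your own appetite.
DATA_WEIGHT = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
ACCESS_WEIGHT = {"none": 0, "read": 1, "write": 2, "privileged": 3}


@dataclass(frozen=True)
class Vendor:
    name: str
    data_classification: str   # most sensitive class of data the vendor handles
    access: str                # level of access into our systems
    network_connected: bool    # persistent connection (VPN, API integration) into our environment
    business_critical: bool    # an outage would halt a product line or business unit
    uses_fourth_parties: bool  # subcontracts part of the service to others


def inherent_risk_score(v: Vendor) -> int:
    """Additive inherent-risk score; the assumed factors mirror the page's list
    (data sensitivity, system access, connectivity, criticality, fourth parties)."""
    score = DATA_WEIGHT[v.data_classification] + ACCESS_WEIGHT[v.access]
    if v.network_connected:
        score += 1
    if v.business_critical:
        score += 2
    if v.uses_fourth_parties:
        score += 1
    return score


def tier(v: Vendor) -> str:
    """Map the score to a tier. Regulated data is a floor: it is always 'high',
    even when the score alone would place the vendor lower."""
    if v.data_classification == "regulated":
        return "high"
    score = inherent_risk_score(v)
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


# Assumed monitoring plan per tier: which questionnaire, how often we re-review,
# and whether continuous monitoring (e.g. external security ratings) is required.
MONITORING = {
    "high":   {"assessment": "full SIG",         "review_interval_months": 3,  "continuous_monitoring": True},
    "medium": {"assessment": "SIG Lite",         "review_interval_months": 12, "continuous_monitoring": False},
    "low":    {"assessment": "self-attestation", "review_interval_months": 24, "continuous_monitoring": False},
}


def monitoring_plan(v: Vendor) -> dict:
    t = tier(v)
    return {"vendor": v.name, "tier": t, "score": inherent_risk_score(v), **MONITORING[t]}


# Constructed sample vendors (not real companies).
SAMPLE_VENDORS = [
    Vendor("PayrollCloud", "regulated", "write", True, True, True),        # high by score and by floor
    Vendor("DocScan Ltd", "regulated", "none", False, False, False),       # low score, high via regulated floor
    Vendor("AdMetrics", "confidential", "read", False, False, True),       # medium
    Vendor("Office Catering", "public", "none", False, False, False),      # low
]


def plan_all(vendors=SAMPLE_VENDORS) -> dict:
    """Return {vendor name: monitoring plan} for a vendor inventory."""
    return {v.name: monitoring_plan(v) for v in vendors}


if __name__ == "__main__":
    for name, plan in plan_all().items():
        print(f"{name:16s} tier={plan['tier']:6s} score={plan['score']:2d} "
              f"assessment={plan['assessment']:16s} review every {plan['review_interval_months']} months")
```

Running it prints one line per vendor. The DocScan case is the one to notice: with a score of 3 it would otherwise land in the low tier and get a self-attestation every two years, but because it handles regulated data it receives a full SIG and continuous monitoring. Whatever weights a program chooses, that kind of floor is what keeps the tiering from quietly under-assessing a vendor whose only risk factor is the one the regulator cares about.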
In today's outsourced environment, investing in third-party risk management is essential to protect the organization's reputation and revenue. Risks in the third-party ecosystem have to be managed proactively, with third parties evaluated continuously on both regulatory compliance and performance. Managing the third-party ecosystem effectively builds a culture of transparency and accountability.
By Shahran Sayyed (PGDRM Jan’20-21)