Internal Audit and Third-Party Risk Management (IA & TPRM)

By: Ieva Čibiraitė

Organizations are using more third-party services. That means they’re taking on more third-party risks.

When the organization has a dependence on third parties, the organization needs a dedicated approach to third-party risk management (TPRM). TPRM programs manage the risks that can be introduced through third-party relationships, including brand and reputation risks through data leaks, disruptions to customer service, supply chain risks and even financial fraud. When your service provider uses downstream entities for extended service and support, you also need to consider the risks from a fourth party (a subcontractor to your third party).

The realities of third-party risk matter in the board room. The board’s oversight of the risk function is important to making sure every part of the risk profile is covered. That is especially true for companies where risks may be greater because there is less regulator-mandated oversight. High-profile examples of third-party data exposure, such as those seen in recent years, amplify the need for better program governance with continuous review and improvement.

Internal audit (IA) can be involved in responding to this risk environment.

Trends in TPRM

As the organization launches or improves its TPRM program, a good starting point is an awareness of market trends. Some of the current trends include:

  • Explosive growth of third-party services: As organizations become more technologically dependent, they expand their use of third parties, particularly in the IT area. Software is increasingly cloud-based, and the dwindling number of on-premises services are usually hosted by a third party. As a result, only a shrinking number of services, whether for external users (clients) or internal users (employees), remain operated directly by the organization within its own infrastructure.
  • Concerns about third-party data breaches: The days are gone when organizations only worried about what happens within the ‘four walls’ of their own network. Organizations now need to consider third-party risks as they relate to cybersecurity and data protection. They need to monitor those risks and have processes and controls in place to manage them when a cybersecurity breach happens at a third party: assess the criticality and the impact on your organization, and potentially on its customers.
  • Shift from isolated to cross-functional risk management: In companies that take an enterprise-wide view of risk, the responsibility for risk management is less isolated. That helps all departments (organizational units) work together within a common framework.
  • Compliance with privacy and data protection laws and regulations: As the regulatory environment evolves, organizations must manage their own compliance and include the performance of third-party partners in their compliance evaluations.
  • Growing role of Environmental, Social and Governance (ESG) reporting: ESG is becoming increasingly visible in non-financial reporting and public communications. Organizations are accountable for their partners’ performance as well as their own.
  • Automated TPRM: TPRM automation is becoming essential to limit the time spent on administration and repetitive tasks, shifting the focus to value-adding work.

Internal Audit (IA) in evaluating TPRM readiness

IA can help the organization perform a TPRM readiness assessment, which typically includes three phases:

  1. Planning and initiation: IA can help evaluate the effectiveness of a TPRM program by selecting a framework that provides a comprehensive view of the TPRM program lifecycle and by defining the in-scope operating environment.
  2. TPRM program assessment: IA can help assess the governance and operating model, including the TPRM program lifecycle, and evaluate the controls in place to identify process gaps and opportunities for improvement.
  3. Reporting: IA can help prioritize any remediation needs with key stakeholders, develop a comprehensive program assessment, and compile an executive report for board and executive leadership.

IA can help evaluate and understand the organization’s true readiness posture. IA can also help with a maturity assessment that uses leading metrics to evaluate program-level maturity and then applies right-sized, prioritized recommendations to strengthen TPRM program governance.

IA in assessing TPRM frameworks

There are essentially three TPRM program governance models for an organization to consider: centralized, federated, and decentralized.

  • Centralized model: A single team (often in Risk or Compliance) manages all third-party risk activities across the organization.
  • Federated model: Shared responsibility; a central team sets standards and provides tools, while business units execute assessments.
  • Decentralized model: Each business unit manages its own third-party risk independently.

The IA team can help determine which model will work best within the structure of your organization, as each model comes with its own benefits and challenges to weigh.

Since internal auditors are independent and objective, they are often called upon to wear a consultant hat instead of an auditor hat. Their risk-based perspective can help determine the maturity level of the existing third-party risk management process and which governance model and operating framework is most appropriate. Their knowledge can help determine the appropriate controls for each relationship. IA knows the right questions to ask to ensure your organization gets the information it needs to select, monitor and manage third-party relationships.

For example, if a third party has access to the company’s data, it might be valuable to ask:

  • Is there a defined data classification policy? Does the policy clearly define how each class of data should be secured?
  • Does the third party have privileged access or elevated privileges? If so, are the activities it performs with that access logged and reviewed?
  • Does the third party always have carte blanche access (unrestricted, unlimited access), or does it work through a limited portal or channel?
  • Is the third party’s activity being monitored by your organization?

IA can also ask important questions in each phase of the TPRM program. For instance, during contract negotiation, IA can make sure you include a ‘right to audit’ clause so that the organization can perform its own investigation if necessary. It is also important to assess how the third party might be able to grow with the organization in the future (e.g., strategic alignment, capacity, innovation and adaptability, compliance, and risk management compatibility).

IA in every phase of TPRM program lifecycle

A TPRM program lifecycle is designed to maximize the business goals while managing and minimizing the risks that arise from external relationships. The goals of the program should be to increase awareness of third-party management roles and responsibilities; establish coordination of third-party relationships; provide a clear understanding of risk; and deliver standardized risk classification and rating levels. The program lifecycle comprises five phases, and IA can play a role in each one:

  1. Planning, design and formalized TPRM: IA can evaluate the third-party management (or outsourcing) policy, strategy, risk assessment and management; segregation of duties and conflict-of-interest management; the accountability of the organization’s governing body, senior management and others; the assessment and designation of critical third-party service providers; and the register of third parties and outsourcing arrangements.
  2. Profiling and selection (due diligence): IA can evaluate the profiling and selection process, along with its adoption and consistency. IA can also assess the risk assessment process, including potential conflicts or sub-contractor involvement, and, where applicable, risk acceptance and exceptions. The exception process should depend on the risk level of the third party or vendor, require approval from designated authorities, and identify compensating controls.
  3. Contract negotiation and contractual clauses: IA can evaluate the entry criteria applied before a contract is negotiated, to determine whether the third party was evaluated using appropriate mechanisms. A third party or vendor should only be onboarded after the contractual obligations are met — or, for exceptions, after risk mitigation strategies are in place to ensure compensating controls are implemented in a timely manner.
     IA can also evaluate whether contractual arrangements include clauses such as the right to audit, exit plans or schemes for the disposal or transfer of functions and services, security requirements and measures, incident reporting, any sub-outsourcing arrangements, and other service level agreement terms.
     IA can also evaluate the performance of due diligence: whether the organization has checked the third party’s financial stability, certifications, and past performance. In some cases, the regulator must be notified, and feedback may need to be obtained before entering into a significant outsourcing arrangement — IA may also assess this.
  4. Managing and monitoring: IA can review the guiding principles for risk assessment and review frequency, continuous monitoring controls and performance metrics, and reporting and notification arrangements based on need and criticality. These should be based on the nature of the service provided, its criticality, and the risk exposure the company faces when contracting with the third party or vendor. IA can also conduct third-party audits as defined and agreed in contracts, review contracts for compliance with their terms and conditions, or, for example, evaluate actual spending against the amounts specified in the contracts.
  5. Termination/offboarding and exit strategy: IA can review the process for offboarding and exit strategies to ensure there is a comprehensive checklist and appropriate controls and communications, including that the organization has a plan B (another third-party service provider or, alternatively, a change to in-house solutions).

Third-party services can often help lower costs, improve efficiency, add skills, boost capacity and offer other benefits, but those benefits come with risks that should be managed.

Depending on the organization’s nature, the role of IA may go beyond the evaluations and areas described above and may include other areas or activities.

To ensure effective third-party risk management, it is essential to have a comprehensive and well-designed TPRM program that provides ongoing monitoring and strong controls. IA is a valuable partner in addressing these risks, from evaluating the TPRM program governance model to assessing the processes, risks and controls throughout the TPRM program lifecycle. All of this work plays an important role in managing the risks that arise from third-party relationships.

************************************************************

The article is based on insights from Grant Thornton USA.

You can find the original article here: Internal audit empowers third-party risk management