Part III of a four-part series
In Part II of the four-part blog series, Regulators Expectations for Third Party Risk Management, I focused on governance and oversight structures for each phase of the third party relationship lifecycle. Today, I am going to take a deeper dive into managing fourth party and subcontracting risks, along with how external assurance strategies can be leveraged to reduce the complexity of implementing an effective third party risk management program.
I would be remiss if I did not start with the obvious confusion in naming convention terms. Much like the timeless “Who’s on First” baseball comedy routine from Abbott and Costello, figuring out the players in third & fourth party risk can be just as confusing.
If Company A contracts with Company B, then Company B is considered a “third party”. In contractual terms, the first party must be the user of Company A’s services, but starting the game of vendor oversight in the third person has always seemed odd. Today, however, the game has changed: oversight concerns about security, data breaches, and compliance are bringing fourth party risk front and center. Right-to-audit expectations now extend from the third party to the fourth, fifth, and further downstream parties, depending on how deep in the supply chain providers have access to, process, transmit, or retain the company’s data.
Cookie Crumbs on the Right to Audit Trail
Vendor and third party relationships are pervasive in today’s economy and with today’s changing technologies. The starting point is to focus on what assets you are trying to protect when determining your approach to the right to audit for your third parties and their use of suppliers, vendors, or outsourced functions.
A fundamental driver for a financial institution to demand a right to audit fourth parties is to mitigate the data breach risk it would face should its primary third party experience a breach. Without a contractual provision for recourse, the financial institution still bears the customer-facing risk. What may sound simple on the paper of a negotiated contract is much more nuanced to operationalize.
A common misperception, or reaction to recent guidance on managing fourth party risks, is that financial institutions must apply exactly the same due diligence to all of their own third parties and to each and every subcontractor or vendor their primary service provider uses. In contrast, the intent is that the financial institution has established a risk-based program; has implemented appropriate governance and oversight for third party risk; and has demonstrated to its regulator or examiner that it has developed sufficient approaches to assess and manage fourth party risk.
Which aspects of the relationship you need to assess depends on the depth of assurance your organization needs in order to manage third party risk for information protection, service continuity, or regulatory compliance. This process is dynamic, with ongoing changes driven by every phase of your third party lifecycle and by the lifecycle of the relevant critical subcontractors or outsourced providers.
Semantics in Subcontracting
Defining and implementing fourth party controls requires adapting traditional due diligence processes so that they stay focused on the material risks being addressed. Chasing every potential vendor, application provider, or commercial software company is not feasible, nor does it address the critical path to managing risk.
When building fourth party considerations into your contract and due diligence process, consider your demands in the context of the services being contracted. Your service providers may use vendors or third parties to provide work ranging from staff augmentation, facility management functions, mailing services, application support, call center support, and technology outsourcing to direct subcontracting of manufactured work. Create a set of definitions for the types of subcontracting, outsourcing, or fourth party relationships that apply to the services under review.
Trust but Verify Oversight Approach
Adequate due diligence requires more than collecting compliance information from a third party service provider. For the key controls your organization has deemed important in managing its risk, financial institutions need to request evidence that those controls are implemented and operating effectively. Evidence or artifacts can take many forms, and may or may not be distributed externally. However, most service providers will have a process to present artifacts during on-site visits, or through online information-sharing tools and web meetings that show confidential documentation or artifacts. While confidentiality provisions and contractual relationships allow information sharing, service providers may need to redact or sanitize certain compliance documents, either to protect other parties’ confidential information or to mitigate their own data leakage risk.
Utilizing External Assurance for effective monitoring
Sufficient and regular due diligence is just one aspect of third and fourth party risk management. Many organizations lack the internal resources or capacity to conduct manual audits or inspections of third parties. External assurance options have evolved beyond the focus on Sarbanes-Oxley (SOX) controls, and even the new Payment Card Industry (PCI) standards are developing a focus on third party risk. Independent assessments or engagements bring independence and objectivity to the due diligence or third party risk assessment process.
With the heightened focus on third and fourth party risk, it is critical to structure and define senior management involvement in program oversight. Formalized reporting, risk reporting, issue management, and the maturity of the third party risk program are all important elements required to ensure that risk is being addressed at the right levels, with the right information. Third party risk management is not an event that ends when a contract is signed – that is when the process only just begins.
The last area of focus in this blog series will be on the evolution of contract compliance given today’s regulatory landscape, provided by Sybill McDowell, Risk & Compliance Operations Manager at Deluxe.
Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices, and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags legislation. You can connect with Linnea on LinkedIn.
Reposted with permission from Deluxe Blogs