Part III of a IV part series
In part II of the four part blog series, Regulators Expectations for Third Party Risk Management, I focused on governance and oversight structures for each phase of the third party relationship lifecycle. Today, I am going to take a deeper dive into managing fourth party and subcontracting risks along with how external assurance strategies can be leveraged to minimize the complexities in implementing effective third party risk management programs.
I would be remiss if I did not start with the obvious confusion in naming convention terms. Much like the timeless “Who’s on First” baseball comedy routine from Abbott and Costello, figuring out the players in third & fourth party risk can be just as confusing.
If Company A contracts with Company B, then Company B is considered to be a “third party.” I guess in contractual relationships at least the first party must be the user of Company A’s services, but starting in the third person in the game of vendor oversight has always seemed odd. However, today the game has changed, since oversight concerns regarding security, data breaches, and compliance are bringing fourth party risk front and center. Right-to-audit expectations extend from the third party to the fourth, fifth, and further downstream, based on how deep in the supply chain providers have access to, process, transmit, or retain the company’s data.
Cookie Crumbs on the Right to Audit Trail
Vendor and third party relationships are pervasive in today’s economy and with today’s changing technologies. The starting point is to focus on what assets you are trying to protect when determining your approach to right to audit for your third parties and their usage of suppliers, vendors, or outsourced functions.
A fundamental driver for a financial institution to demand a right to audit for fourth parties is to mitigate data breach risk considerations should their primary third party experience a data breach. In the absence of a contractual provision for recourse, the financial institution may still experience the customer risk. What may sound simple on the paper of the negotiated contract is much more nuanced to operationalize.
A common misperception or reaction to recent guidance on managing fourth party risks is that financial institutions must apply the exact same due diligence to all of their own third parties and to each and every subcontractor or vendor their primary service provider utilizes. In contrast, the intent is that the financial institution has established a risk-based program; implemented appropriate governance and oversight programs for third party risk; and has demonstrated to its regulator or examiner how it has developed sufficient approaches to assess and manage fourth party risk.
What aspects of the relationship you need to assess depends on the depth of the type of assurance your organization needs to manage third party risk for information protection, service continuity, or regulatory compliance. This process will be dynamic, with ongoing changes based on all phases of your third party lifecycle and the lifecycle of the relevant critical subcontractors or outsourced providers.
Semantics in Subcontracting
Defining and implementing fourth party controls requires viewpoints on traditional due diligence processes to be adapted to ensure focus on the material risks being addressed. Chasing every potential vendor, application provider or commercial software company is not feasible, nor does it address the critical path to managing risk.
When building your expectations for fourth party considerations into your contract and due diligence process, consider your demands in the context of what services are being considered for the contract. Your service providers may leverage vendors or third parties to provide work ranging from staff augmentation, facility management functions, mailing services, application support, call center support, and technology outsourcing to direct subcontracting of manufactured work. Create a set of definitions for the types of subcontracting, outsourcing, or fourth party relationships that are applicable to the services under review:
- Services vs. services debate: A common contractual trap in subcontracting is the legal debate over services with a capital “S” vs. a lower case “s”. Capitalized Services need to be contextually defined in the contract and, based on the contract structure, may be more appropriately called out in statements of work. Literal compliance can create a burden of contract administration that was not the intent of the language. Partner with your service provider on what types of fourth party relationship trigger “risk” or “compliance” requirements within your Third Party Oversight Program, and define and execute a process for information sharing that aligns with both organizations’ expectations.
- Notice and approval provisions: Keep the focus on oversight of your service provider and due diligence for material third party relationships that affect your critical operations. Demanding an approval provision but not defining processes for granting permission puts your third party in a stalemate situation. Set expectations for the type of notification that is reasonable based on the service and hold your service provider accountable to provide sufficient due diligence efforts to meet regulatory expectations.
- Offshore outsourcing: Usage of offshore resources or firms in information technology outsourcing (ITO) or business process outsourcing (BPO) introduces different risks based on geography and requires modifications to the due diligence approach. Focus your assurance efforts on the information protection and service continuity controls in place to protect your organization from additional risk. Focus on location risk and any cross-border data access or transfers. Most traditional ITO and BPO relationships in financial services are structured so that the customer data resides in the U.S. and outsourced workers access sanitized or masked data from workstations with controls that limit data from residing offshore. Require that your service provider conduct sufficient oversight, which may include risk management reporting, site visits, inspections, and issue management. Ensure that they have processes to monitor evolving geopolitical risk and have adequate business continuity management plans in place.
Trust but Verify Oversight Approach
Adequate due diligence requires more than getting compliance information from a third party service provider. For key controls that your organization has deemed important in managing your risk, financial institutions need to request evidence of the implementation of those controls and of the effectiveness of that implementation. Evidence or artifacts can take many forms, and may or may not be distributed externally. However, most service providers will have a process to provide artifacts in on-site visits, or by using online tools for information sharing via web meetings to show confidential documentation or artifacts. While confidentiality provisions and contractual relationships allow information sharing, service providers may need to ‘redact’ or sanitize certain compliance documents either to protect other parties’ confidential information or to mitigate the risk of data leakage to the organization.
- Due Diligence Protocols: Conducting due diligence for fourth party risk requires adjusted processes, as there is no direct contractual relationship with the fourth party or subcontractor. The due diligence approach is typically less focused on the fourth party itself and more an inspection of how your third party has structured its program for oversight of its providers: its risk management controls, its methodology, and the type and location of the data involved.
- Inspecting Third Party Service Provider Programs: Service providers that focus on outsourcing within financial services should have a documented policy and procedures to manage and assess risk of their own third party subcontractors. The program should encompass risk assessment, onboarding, termination and periodic assessments of the third party.
- Assess Maturity of Program Processes: Structuring a third party service provider program and evaluating specific components is dynamic and changes as the organization changes. Organizations can use a self-assessment process to identify areas of continuous improvement to strengthen the maturity of third and fourth party oversight processes.
Utilizing External Assurance for Effective Monitoring
Sufficient and regular due diligence is just one aspect of third and fourth party risk management. Many organizations lack the internal resources or capacity to conduct manual audits or inspections for third parties. External assurance options have evolved past the focus on Sarbanes-Oxley (SOX) controls. Even the new Payment Card Industry (PCI) standards are developing a focus on third party risk. Independent assessments or engagements provide a level of independence and objectivity to the due diligence or third party risk assessment process.
- SSAE 16 Engagements: AICPA-structured engagements can be tiered based on the needs of the organization in demonstrating the adequacy of control objectives. The SOC 1, SOC 2, and SOC 3 options provide the ability not only to assess the controls but also to have the controls tested from an independent point of view. Service provider organizations need to define not only the controls to be included in the scope of the external audit, but also which applications are included in the testing process.
- Agreed Upon Procedures (AUP) Engagements: The Shared Assessments Program has created a tool called the AUP, which can be used in two ways within third party risk management programs. Organizations that use the tools from Shared Assessments can use the AUP to structure the agenda and control testing for conducting an on-site assessment of a third party. Organizations should, however, scope which risk domains within the AUP are applicable to the services provided by the third party. The tool provides structure to the testing to achieve the objectives of the “Trust but Verify” approach to due diligence. Service providers can use the AUP by directly contracting with an outside assessment firm to conduct an AUP engagement. Once completed, an AUP report can be provided that the service provider can distribute to clients as an independent assurance report, minimizing the need for multiple on-site assessments.
With the heightened focus on third and fourth party risk, it is critical to structure and determine senior management involvement in program oversight. Formalized reporting, risk reporting, issue management, and the maturity of the third party risk program are all important elements required to ensure that risk management is being addressed at the right levels, with the right information. Third party risk management is not just an event triggered at the signing of a contract – that is when the process only just begins.
The last area of focus in this blog series will be on the evolution of contract compliance given today’s regulatory landscape, provided by Sybill McDowell, Risk & Compliance Operations Manager at Deluxe.
Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.
Reposted with permission from Deluxe Blogs