Third party risk – time for an outsourcing standard?

Outsourcing has become a staple for organisations across the UK. It can be cost effective and may improve efficiencies across the business. But it comes at a price. As supply chains become increasingly complex, operational risk is amplified and firms must put measures in place to protect the business.

Who counts as a third party?

Third parties may include cloud service providers, utility-style "as a Service" (XaaS) providers such as Software as a Service and Platform as a Service, shared service centres, website management or recovery services, or payments, payroll or other business process service providers, to name a few. It may also refer to other group entities, which is a growing trend in the banking sector following recent requirements around ring fencing and operational continuity.

Some activities carry a higher risk and may be more prone to attack or fraud than others, and it's important that you think about those most relevant to your business.

There’s always a weak link

Your third parties aren't perfect and they have a risk profile of their own. If those risks aren't mitigated and controlled effectively, the result could be business failure, data breaches or discontinuation of services. The knock-on effect on your business can be catastrophic and result in fines, regulatory censure or loss of consumer confidence.

The regulator doesn’t care whose fault it is

All outsourced activities remain your responsibility, from both an operational and a regulatory standpoint. So when something goes wrong, it doesn't matter whether the issue lies within your organisation or with a third party: you are still liable.

This has major implications for key regulations such as the GDPR, where firms can be fined up to 4% of their annual global turnover for breaches of personal information. Similarly, under the SM&CR, senior managers are personally accountable for each area under their jurisdiction, even if the activity is outsourced.

Protecting your business

With such high stakes, you need to take third party risk seriously. There isn't a gold standard to follow, and as such, the way third party risk is measured and mitigated varies hugely from firm to firm. But you should still have your own criteria in place that relate to your specific risk profile and risk management framework.

To achieve this, firms should:

  • undertake an operational risk review to understand the current and emerging risk profile
  • build on this by establishing an effective third party risk management framework
  • assess the IT security risks to identify the potential for, and possible impact of, information loss through third party vendors
  • establish effective business continuity plans for the worst-case scenario
  • obtain a service auditor report (such as SOC, AAF, ISAE, SSAE or bespoke reports) for your third party organisations to check that their controls are operating effectively.

Independent review or assurance at each stage of the above can help to mitigate risk and improve transparency between you and your third parties. For further information on how we can support you in this area, please contact Ravi Joshi.