
Although the use of third parties can bring cost efficiency and operational flexibility, it can also introduce vulnerabilities. So how do you manage it? Through a robust third-party risk management programme that identifies, prioritises, and monitors these risks.
Ben Langford, Director at Grant Thornton UK, shares the common challenges businesses face when managing third-party risk so you can prepare. Plus, find out how The Institute of Internal Auditors' recently issued Topical Requirement on Third Parties can help you.
Third-party risks — what’s really at stake?
Third-party relationships can expose your organisation to risks that go far beyond operational hiccups. These risks can impact compliance, reputation, and even business continuity. Here are some of the most critical areas to watch:
- Operational resilience
- Ethical and regulatory compliance (such as bribery and corruption, trade sanctions and export controls, fraud)
- Performance and delivery (such as quality, reliability, training)
- Financial (such as failure of the third party)
- Cybersecurity and data privacy (such as system vulnerabilities and GDPR compliance)
- Climate and sustainability
- Social and human rights, including modern slavery
Don’t just spot risks — manage them
Identifying risks is only half the battle. To truly protect your organisation, you need to embed risk management throughout the entire third-party lifecycle. Here’s what that looks like:
- Requirement specification and supplier selection: includes processes to determine the need for a third party, the plan for its use, and the criteria for selection.
- Due diligence and contracting: includes due diligence on the third party and putting a legal agreement in place.
- Onboarding and mobilisation: begins when the contract is signed to start the relationship, and establishes a foundation for the third party to meet the terms of the contract or agreement.
- Contract delivery: includes processes for "in-life" management and ongoing monitoring of the third party after the contract has been established and approved. The approach is usually systematic and risk-based and should consider continuous improvement. This includes managing contract variations and scope changes.
- Offboarding: includes processes for ending contracts and agreements, maintaining an exit strategy for third parties that have been prioritised based on risk, and terminating relationships when necessary. These processes typically use a risk-based approach and may involve a formal exit plan.
At a governance level, it’s important to define an approach supported by clear policies and procedures. Roles and responsibilities for working with third parties should be well-defined, along with clarity on who the key stakeholders are across the business. These may include the board, senior management, operations, risk management, HR, IT, finance, legal & compliance, and procurement. Ensuring third parties align with your company’s values and ethics is equally critical.
Risk management processes around third parties should be sufficient to identify, prioritise, mitigate and monitor risk across the whole third-party lifecycle and the full risk universe.
Simple questions to better understand your third party landscape
A strong risk management framework starts with asking the right questions. Use these prompts to uncover gaps and prioritise actions:
| Theme | Key questions to ask |
|---|---|
| Who are your critical third parties? | |
| Governance gaps – who is in charge? | |
| The document deficit – good record keeping is essential | |
| Due diligence – not just at onboarding | |
| Performance monitoring – required for all critical vendors | |
| Hidden risk in your legal agreements | |
| Sub-outsourcing – the hidden risk | |
| Exit planning – for planned and stressed scenarios | |
| The procurement disconnect | |
What’s next?
- Map your third-party landscape and prioritise critical relationships.
- Benchmark your processes against the IIA's Topical Requirement on Third Parties.
- Build a governance framework that enforces accountability and transparency.
If you’d like to have an exploratory conversation or find out more information, contact Ben Langford.