Third Parties: do we know what’s happening

Good practices to consider…

Ask for a picture – or map – of the significant third party relationships, prioritised in terms of your business’s dependence on them. If there are a lot, which is usually the case, you might need to start with a categorised picture, rather than at the level of individual relationships. (Dependency on trade suppliers is also a big issue but is best dealt with separately from the third-party risks that we’re looking at here.)

Things to avoid…

Taking a narrow approach. These relationships take many forms as well as the obvious outsourcing contracts: partnerships, JVs, extensive use of in-house contract staff… And don’t settle for being given lists of contracts. The Board needs to start by understanding the risks and dependencies, not the nuts and bolts.

Good practices to consider…

Put it in the strategic context. What are these relationships enabling us to do to meet our strategic goals? How do they fit into our operating model? How important are they and how dependent have we become?

Things to avoid…

Seeing these relationships as contractual matters that simply need to be managed as part of business-as-usual processes. Process discipline might be what’s needed in terms of delivery, but at board level it’s important not to lose sight of the overall dependencies and scale.

Good practices to consider…

Review the risk assessment on the major dependencies. Check that it’s up to date and that there’s clear ownership

Things to avoid…

Focusing only on the “big name” contracts. Of course they matter. But even small ones can represent critical dependencies. Or a number of smaller contracts might fit together to make a big exposure that is dependent on its weakest link.

Good practices to consider…

Understand the basis for the risk assessment and the process, including asking for reassurance (or even assurance) over the consistency and quality of assessment.

Things to avoid…

Assuming that the risk-based analysis and prioritisation has been approached consistently. If some managers have given different weight to different risks (or even overlooked some altogether) would you know? Would you be able to judge how much it mattered?

Good practices to consider…

Third party relationships work on the basis of electronic information exchange which means their systems are gateways to yours. So put cyber risk up front and centre, in all its various forms: insertion of fraudulent transactions, personal data protection, preventing hacking, trying to stop the myriad forms of attack that every organisation is having to manage constantly… Get a clear answer – and some assurance – over how management stay on top of all this.

Things to avoid…

Focusing on our own internal IT controls and risk management.  Our defences can’t just stop at our own frontier: when third parties are integrated into our business model, we’re only as strong as their walls and risk mitigation. Do our contracts enable us to get assurance over third parties’ controls and mitigation strategies, and are we using our contractual rights to the extent we need?

Good practices to consider…

Look at the third-party risk management framework. What are our processes for managing these relationships? Are they formalised and checked? Do we have the policies and standards that we need? How is technology used to make sure we can rely on reporting, performance monitoring, standards compliance…and all the other things management need to be on top of?

Things to avoid…

Assuming that all this will get picked up in operating manuals, risk registers and audit plans. And indeed it might. But there can be a tendency in some parts of a business to focus on the internal, rather than seeing third parties as an integral part of operations. The audit committee has an important role in making sure that the necessary processes, systems and controls are in place and that adequate assurance is obtained.

Good practices to consider…

Understand how we look at the culture and behaviours of our contractors. Management need to be able to explain how they make sure that third parties work in line with our expected standards. And how they know that real-world practice is the same as the theory in the operating manual.

Things to avoid…

Just leaving it all to management, or relying on vague assurances about procurement processes. Of course, a board can’t get into all the detail (although maybe it should on some sample cases, just to understand better what’s being done). But it can ask what management does that enables it to know what’s going on. The risk of reputational damage gets higher all the time, which means making sure we ask ourselves and our third parties the right questions. That should start with leadership from the Board.

Good practices to consider…

Think about the reporting risks. What are we telling people – shareholders, regulators, employees, others – about the extent of our reliance, the risks and the approach we take to checking on culture and ethics? And does it stack up with the description of our business continuity risks and mitigations

Things to avoid…

Neglecting to see third-party dependencies and risks as part of the risk profile that needs to be communicated. Given the extent of outsourcing and use of contractors, it’s surprising how infrequently this risk appears on principal risk lists.

Good practices to consider…

Ask for an assessment of resilience set alongside our risk appetite – taking into account the sort of factors we’ve set out above. Does our updated understanding of the risks we are taking around these dependencies align with the level of risk we want to take? What would it cost to skate on thicker ice?

Things to avoid…

Looking at individual risks outside of the overall risk context. There are trade-offs involved in everything, and there will be a necessary (and acceptable) level of operational, financial or reputational risk associated with the third-party elements of our operating model. But are we actually looking at it in this way? Is our overall risk position monitored as the external and internal risk environments and our risk appetites change? In short, is our actual risk exposure to third parties a conscious decision or has it just sort of happened?

Good practices to consider…

Test the logic. Each risk should have meaning. And it should lead to development of a risk management response, with actionable steps that can be monitored. Or if the risk response is “there’s nothing we can do so we’ll keep our fingers crossed and hope for the best”, this should be made explicit so it’s a position that is taken knowingly rather than accidentally.

Things to avoid…

Making statements of the obvious or introducing tautologies. For example, if the purpose of the principal risk discussion is to assess threats to achieving the business plan, it is not helpful if the so-called risks are “targets will be missed” and “we fail to implement the business plan” . (Sadly, both are real examples.) Such “risks” can be restated as “we fail to manage the business” – which invites a rather obvious sort of response.

Good practices to consider…

Make the principal risk discussion part of regular boardroom debate. And encourage the executives to tie the issues and proposals they bring to the Board into the principal risks. If the risks are that important, directors will want to know how a major initiative or development might impact them, and if it might cause new risks to make it onto the list.

Things to avoid…

Positioning the discussion as a separate self-contained item on the board agenda. Yes, some longer-term emerging risks might wait until the annual strategy review. But some, due to their immediacy or significantly changing profile, would be better considered as part of the regular CEO Report. And if the principal risks are part of the regular risk report to a committee, make sure their strategic nature does not become subsumed as part of a process for reviewing the risk register.