
Thinking of outsourcing TPRM functions? Think twice.

by Nikolay Filipets

Risk managers commonly rely on independent entities to assess, verify, and test the operational soundness of third-party providers. But what happens when an organization considers outsourcing all or part of its TPRM functions to an outside service provider, beyond an independent audit or assessment? Let's explore.

Looking at TPRM functions from a standard supplier lifecycle perspective, there are several phases: Planning, Due Diligence, Business Management, and Termination. Each phase has distinct activities, some of which can be outsourced while others should remain in house. More specifically, let's explore what CAN and CANNOT be outsourced from your TPRM program (not exhaustive):


Planning - during this stage, the organization works to understand the general risks associated with a potential third-party engagement and determines whether a decision to outsource aligns with the company's strategy.

  • CAN: Information gathering about third parties, research into industry best practices on what can be outsourced, and competitive research.

  • CANNOT: The strategic decision itself to outsource, and the judgment of whether that decision aligns with the overall risk appetite.

Due Diligence - this phase includes many tactical activities to determine inherent and residual risk and to select the supplier.

  • CAN: Supplier research and identification, questionnaire completion, documentation verification, and on-site or virtual assessments.

  • CANNOT: Determination of inherent and residual risk, which deserves more careful thought before being outsourced; the rationale for what constitutes a critical versus a non-critical supplier; and the final supplier selection decision. (Contract negotiation may not be an ideal activity to outsource either.)

Business Management - during this stage, risk managers rely on the first line of defense to provide ongoing management of third parties, which involves many recurring tactical activities.

  • CAN: Managing and documenting issues and incidents to resolution, completing re-assessment questionnaires and audits, and re-assessing third-party controls.

  • CANNOT: Refreshing supplier risk ratings, and determining whether the outsourced service provider still fits within the organizational strategy and overall risk appetite.

Termination - conclusion of the relationship with a third party.

  • CAN: High-level activities such as confirming that termination was completed in accordance with contract terms, and a potential audit.

  • CANNOT: Retrieval of intellectual property and destruction of sensitive data.

In risk management, we rely on independent entities such as auditors to provide unbiased insight into a third party's control structure. However, auditors aren't always risk managers, and they always lack full visibility into the inner workings of the organization. As risk managers, we cannot fully outsource TPRM program management to an outside entity. Whatever risk management work is performed by an outside entity should feed into the overall risk management methodology, not replace it. Otherwise your TPRM program will become a "check-the-box" activity instead of a risk management activity. If you have any ideas or thoughts about this topic, I will be happy to hear you out; contact me at filipets888@gmail.com
