Internal Auditor, June 2017, page 40
A Smarter Approach to Third-Party Risk
of the third parties they rely on. And of course, these risks extended to industries far beyond financial services. High-profile data breaches at well-known corporations brought additional attention to the role third parties play and the impact they can have on a company's clients and employees.
Today, organizations across industries continue to look for ways to lower costs and increase efficiency by outsourcing services to third parties. The trend has led companies to expand or optimize their third-party risk programs. Many programs, especially within regulated industries, are evolving to meet both business performance goals and regulatory expectations, which means managing risk without stifling the business and without costing too much. Organizations have invested significant capital in hiring qualified staff, implementing an effective governance and organizational structure, and procuring the right technology to run third-party risk programs.
But as these programs have developed, are they truly efficient and sustainable? For many, the answer is no. Organizations are finding that they lack the risk management efficiencies needed to support business objectives. Business units find themselves unable to contract with third parties as quickly as they have in the past, delaying the launch of new products and services. The experience has left business leaders frustrated, and it often puts procurement and risk management functions at odds over how much risk management overhead is enough.
So what are forward-thinking companies doing? First, they focus with laser precision on the third parties and services that represent the biggest risks, and they efficiently implement strategies to manage them. Second, they realize the value of pooling resources and sharing risk intelligence with their peers. This two-pronged approach yields more robust and efficient management of third-party risk, with internal audit playing a key role in the process.
Identify the Greatest Risks
Organizations need to develop plans to mitigate and monitor the threats with the biggest impact on business operations. Resources and skills should center on what matters most to the business, which requires careful planning and a true understanding of the organization's third-party risk profile.
Organizations focused on high-impact risks take a smarter approach by creating risk profiles at both the service level and the third-party level. They understand the inherent risk of the services they procure and the specific due diligence required to evaluate each third party's control environment. This knowledge limits the need to ask the business the same questions each time it procures a service, and it lets the organization shift its attention to exceptions that don't meet the standard risk profile for the outsourced service.
Other attributes of forward-looking companies with a desire to work
» Maintaining an accurate and ongoing inventory of third parties and their services, with a map to the specific risks to be assessed and monitored (e.g., those third parties that have access to personally identifiable information for employees or clients).
» Evaluating and managing preferred suppliers for each expenditure category, eliminating those that don't fit the