Managing 3rd Party Assessment and Governance

Data provides no value if it doesn’t lead to decisive action to forward business goals or address customer problems successfully.  So, gathering endless amounts of it, as well as compiling or calculating limitless measures offers no guarantee of improved business results. In fact, it can often lead to confusion and clouded views of the key drivers of processes critical to operating success.

The first question I asked clients when engaging in some new data collection or reporting project is this: “As a result of knowing that metric, measure, or other bit of information, what specific action will you take?”  All too often I was met with blank stares, and some mumbling about “needing to know everything”. It’s a weak and misleading reply.  If you are driving a car, you do not need to know the compression ratios to 6 decimal places in each cylinder of the engine to operate it safely and arrive at your chosen destination.  You do need to know traffic conditions, weather, fuel levels, speed, relative engine temperature, maybe tire pressure, to do so.

“Who can you trust?” 

The big question with regard to 3rd party management is this: “Who can you trust?”!  Upon careful review, it’s clear this is not so simple a question.  Is 3rd party trust about their ability to produce promised services or products?  Costs and prices? Is it about respecting regulatory obligations? Security? Financial governance? Some of these? All of these? What factors are most important to your organization? What information do you collect? How do you organize and present it to efficiently and thoughtfully answer this question for your company?  Let’s look at the processes necessary to answer this question and build a viable process for managing 3rd parties’ contributions to your business.

Step 1: Finding A Partner

The search begins with a need of some kind you’d rather not or cannot satisfy internally.  That likely generates a wish list of requirements—attributes you will use to begin your search for a viable partner. A key here is the determination of how critical this relationship will be to your company’s success. Other requirements will include some consideration of their ability to satisfy the need you have, as well as specifics about financial stability, reputation, security, ability to meet any regulatory obligations (particularly ones of your firm’s impacted by this 3rd party relationship), insurance, location(s), to name a few. Interestingly, if not recursively, some 3rd party databases may offer such data in a form that could help you automate this important start to your process.  Often, identifying and sourcing 3rd party candidates is one of the most challenging aspects of the process that has defied serious automation relief to date. But artificial intelligence (AI) advances and evolving database technologies promise more assistance in the near term.

Step 2: Determining Risk

This is pretty straightforward, and has been covered many times and places, including other articles in this series. Any 3rd party relationship offers some degree of legal, reputational, regulatory, operational, cyber security and financial risk. The determination of the service’s criticality sets the meter on the tolerance or appetite scale for risk in any of these categories. From there, this step proceeds into data collection; whether through questionnaires, interviews, document gathering or other means of investigation. Included in this mix would be the findings and recommendations of subject matter experts (SME’s) who have reviewed the content gathered in this step.  This process is likely to assemble a cache of data rich in variety, including financial reports, SOC 2’s questionnaire scoring, narrative commentary by SME’s and more.  You get the picture.  While this cache may not be difficult to create it is a challenge to organize and present actionable findings and recommendations to support decisions. For that, you need some thoughtful technological assistance.

Step 3: Presenting Findings and Recommendations

Think of all the material gathered in the risk phase as an assessment. One logical outcome could be a scorecard tuned to the criticality of the service being offered through the 3rd party. By tuning, I mean setting an acceptable point along a risk scale that defines the risk appetite you have for this vendor in each risk category. This offers two useful attributes; it identifies an acceptable threshold for risk scores, and it makes review of scorecard findings and evaluation of recommendations easier for decision makers and stakeholders. The process of distilling the data gathered and its evaluation by SME’s into a scorecard is something often found in quality GRC tools with strong data representation features. Scorecards organize and distill concise results from complex data analysis processes.  A corollary of these “data synthesis” processes is content that can be easily shared and digested by enterprise resource software (ERM) systems, to form an overall 3rd party risk component, and they structure the detail needed to manage the periodic re-evaluation of vendors sound governance of 3rd party management requires.

Step 4: Remediation

Risk assessment findings, as well as other discoveries from step 3 may lead to remediation recommendations in specific areas to assure a 3rd party will perform at an acceptable risk level in alignment with your company’s associated risk appetite. Monitoring, tracking progress, and reporting on the status of remediation efforts can be an important aspect of your overall governance over the management process for 3rd party risk. Scorecards can be designed to incorporate remediation recommendations and include the progress of efforts towards achieving improvements in areas found deficient at last inspection.

Step 5: Process Management and Governance

Company performance is subject to many variables, challenges, and changing market conditions, which can affect variability in the risk resulting through any 3rd party relationship. Periodic re-examination, or “re-review” is an important governance process attribute, and essential for those relationships critical to your business’ operation. Having a scorecard that arrays the important results of discovery, risk assessment, and remediation results is like having a well instrumented dashboard in your car, one you can customize to suit your journey and your driving style. It helps you make decisions! It answers the business question of “who can you trust?”

A well designed re-review process will identify when prior content gathered, or evidence, may have expired or should have been replaced by newer material.  It can also help you determine and schedule optimum re-review to capture the most current state of your 3rd party vendor in a scheduled “snapshot” or vendor to-do list without going back to the vendor multiple times each year to refresh content.  Sharing this with your vendor allows them to proactively participate in managing the relationship. As such, establishing a vendor accessible portal into their scorecard and to-do lists or schedules would make the program more transparent and supportive of their active role in maintaining their evaluated status year-over-year. It also helps partner stakeholders within your organization, such as Finance and Legal to have clear visibility of upcoming demands upon their resources. This optimized scheduling helps you effectively balance and manage the internal resources required to oversee this process without sacrificing its reliability, diligence, or quality.

The process of re-review can be directed using the past results in your scorecard to focus areas where risk may have changed due to a variety of adjustments in service mix, regulations, past weaknesses, and company strategy. If the 3rd party has become more important to your operation than in prior years it may also indicate a new, greater need for a designated backup source of equal quality. That alone helps address concerns of continuity and service reliability to your own clients and customers, potentially impacting your reputation, brand, and revenue opportunities.

Leveraging Value From 3rd Party Governance

Knowing what key information drives your business is vital to directing the information gathering process. This is particularly true regarding informed 3rd party governance. It includes an understanding of what answers to which questions must be readily available to give you clear visibility to performance, challenges, and opportunities. From there, it’s up to your business resources to understand which data, gathered how, and how often, organized and combined in what ways and presented in what meaningful context will provide the answers you need to achieve success.

Use of 3rd party services is often a global process in today’s connected business environment.  It has become a key strategic component of many companies’ efforts to focus upon core competencies. As such, it has necessarily become a needed core competency on its own.  Managing the risk associated with this practice, and incorporating it into your overall enterprise risk management processes will give your firm a strategic advantage through increased confidence in the quality, effectiveness, and security offered by your 3rd parties through your governance and risk management program.

About the Author:

Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.

Leave a Reply


DoubleCheck ERM One™

An out-of-the-box tool that delivers an integrated ERM process together with a comprehensive, high-level categorization of exposures (Financial, Core Business, Operational and Strategic), fully loaded with over 60 associated, pre-populated risks to be used as a starting point.