The Tribune

Based on the past 15 months, corporate leaders must adopt a new approach to third-party risk management in response to growing business, information technology (IT) and security concerns, which have continued to shift in unpredictable ways. No matter the company’s size or industry, managing third-party risk is important. If you factor in existing or pending regulations in certain industries, the potential cost of inaction becomes very high. Today’s complex enterprises, resource constraints and a fear of the unknown are no longer valid reasons to delay taking an integrated approach to managing third-party risks.

Directors and management must consider the following questions at a minimum:

1. Is our governance framework taking the intelligent risks that are aligned with our institutional goals and strategy?

2. Are our employees’ skill-sets effectively aligned with their roles and responsibilities?

3. Are our processes siloed or integrated across the business?

4. Is our technology used in making business decisions?

5. What services can our business not afford to lose?

EY in its publication, Third party risk management (TPRM): COVID-19 impact on third party resilience, said: “The interconnected landscape of today’s business environment poses a serious risk of disruption that can result in significant loss of revenue.

“Organisations need to evaluate the ability of their critical offshore presence and third-parties to continuously support critical functions such as IT, human resources, payroll, financial reporting, cyber security and others.”

Given the above, and to ensure the establishment of a resilient third-party management framework, I would like to offer the following suggestions to assist your business.

Internal identification of third-party risks

To begin organising your risks, you need to document what data is at risk as well as what data is shared with your third-party vendors. Additionally, cyber security risk, compliance risk, reputational risk, financial risk and operational risk must all be at the forefront for strategic consideration. Business assets should be itemised based on value and assessed accordingly. Also, you should implement a third-party assessment during the onboarding and monitoring process in order to understand business vulnerabilities.

External identification of third-party risks

You should evaluate the scope of the potential impact of risks from third parties, and define what needs to be covered in contractual obligations. Using data directly collected from third parties, businesses can examine third party policies and procedures with respect to their control environment, including policy, process and capability. It is imperative that all stakeholders take time to assess what is at stake and the importance of the data.

Monitoring and annual reviews

By analysing various internal and external data sources, and generating dashboards and metrics, a business can identify new and emerging issues within its third-party portfolio and help mitigate risks. Third-party portfolio risk assessment should be executed at least annually.

Conclusion

In short, establishing, implementing and embedding a comprehensive third-party risk management framework is crucial to managing and mitigating risks involved with third parties. The key to brand resilience is to ensure a consistent and holistic approach is deployed that considers all third-party relationships and the accompanying risk considerations. If your third-party vendor is compromised, it is very likely that your business will suffer negative exposure.

NB: Derek Smith Jr is a compliance officer at a leading law firm in The Bahamas, and a former assistant vice-president, compliance and money laundering reporting officer (MLRO), at a local private bank. His professional career started at a ‘Big Four’ accounting firm and has spanned more than 15 years, including business risk management, compliance, internal audit, external audit and other accounting services. He is also a CAMS member of the Association of Certified Anti-Money Laundering Specialists (ACAMS).