The Current Risk Environment
Evolving business trends, such as increased regulation, outsourcing, offshoring, and cost pressures, are motivating executives to look outside their primary business operations to see whether external parties are more capable of delivering key services. Engaging external parties to conduct business processes or services on behalf of an organization introduces new risks that must be managed. Unfortunately, many organizations fail to remain vigilant in their risk assessment and risk management evaluations once the decision to engage a third party has been made, thereby exposing the organization to potentially significant risks. This recently published Crowe Horwath thought paper addresses these issues and offers guidance to help executives proactively manage risks that arise from third parties.
The paper, authored by Gregg Anderson, R. Michael Varney, Patrick D. Warren, Jill M. Czerwinski, and Eric G. Andolina, categorizes third parties into the following four types of entities:
- Service providers: accounting, IT, legal, internal audit, and collections
- Supply-side partners: R&D, suppliers, vendors, and production outsourcing
- Demand-side partners: distributors, resellers, customers, and franchisees
- Other relationships: alliances and joint ventures
Relationships with these types of partners introduce risks that differ from those present when services are performed internally. Events such as the earthquake that devastated the Japanese coast showed that risks arising far from an organization’s core business, and far from its own geographic location, can have a detrimental impact when key external parties are exposed to them. Risks that may not be relevant to the organization itself may be significant, and at times catastrophic, for third parties located in other parts of the world. So, the nature and extent of the risks likely to affect a third party may be quite different from the risks executives consider for their own organizations.
There are many more examples of recent adverse events that were either caused by third parties or exposed the risky nature of relationships with them. When key services are delegated to external parties, the risk spectrum expands, forcing managers to think more broadly and strategically about extended relationship risks than ever before. Unfortunately, some companies fail to invest adequate resources and thought in addressing the risks associated with third-party entities.
Discrepancies in Management’s Mindset of Third-Party Risk
Unfortunately, some companies fail to adequately think through the risks of engaging third parties, assuming that the third-party expert is fully engaged in its own risk oversight. A recent survey by ChainLink Research found that 70% of organizations surveyed reported having no standards for assessing the riskiness of outside service providers. The same study found that almost 50% of those companies also claimed that assessing risk is a “critical and mandatory” part of the service provider selection process. Thus, there appears to be a gap between what organizations desire and what they actually do with regard to external party risk assessment, leaving them potentially exposed to significant risks.
Complications That Arise in Assessing External Relationships
The risk associated with external relationships is so broad that companies often fail to set clear objectives for assessing the third party in question. These issues will remain problematic until organizations can determine where the challenges are coming from: internally or externally. Problems can arise from within an organization. For example, some organizations fail to clearly establish who owns the third-party relationship risks (i.e., who has control over a given issue). Without clear ownership, risk oversight is likely to be lacking. Challenges also arise because many third-party relationships are spread around the globe, making it difficult for organizations to gain access to remote locations and thus to be in a position to adequately assess the risks that may exist there.
A Proactive Solution to External Relationship Implementation
This thought paper outlines three key steps necessary to effectively implement an external relationship risk program:
1) Establish ownership of, and buy-in for, external party risks. This may require cross-functional coordination to assess the variety of risks that can arise from a third-party relationship.
2) Evaluate risks using a risk landscape model to identify the highest risks. The paper suggests that using a framework of risk types can help produce a comprehensive list of risks.
3) Audit, monitor, and assess the risk landscape using benchmarks of performance and incident trends. To be in a position to effectively monitor key risks, the relationship negotiation may need to include commitments from the vendor to provide key data on an ongoing basis, keeping the organization abreast of key risks.
By using the risk landscape framework, the steps for implementing an effective risk program, and a proactive approach, companies can expect results in the form of mitigated risks from third-party relationships.