Heightened third-party risk requires board involvement and communication
Deloitte’s 2016 Third Party Governance & Risk Management survey polled 170 UK senior managers, including CFOs, chief risk officers, heads of internal audit and those leading compliance and IT risk functions, across a variety of industries.
‘Third-party risk has been evolving as an overarching strategic issue for many organizations. There’s a growing reliance on third parties,’ says Krissy Davis, Deloitte Advisory partner and leader of Deloitte & Touche’s finance and operations practice. ‘Five years ago, third parties were used for non-critical functions but that’s evolved and more organizations are now using third parties.’
Outsourcing to third parties creates regulatory and reputational risk and this should be a priority for the C-suite, Davis says. ‘Social media plays a role and the free flowing of information contributes to reputational risk and brand damage from third-party risk,’ she explains. Third-party risk failures affect millions of consumers and can cause a company’s reputation to suffer. ‘Consumers don’t differentiate a company from its suppliers, so when there’s a problem, it’s the organization – not third-party suppliers – that makes the news,’ Davis adds.
The board or C-suite should be responsible for creating a third-party governance and risk-management strategy. Senior managers need to ‘take a proactive and holistic approach to third-party risk management,’ Davis says, and consider the operational, financial and regulatory risks in outsourcing. ‘Managers should be proactive, which means not just managing when bad things happen, but also recognizing opportunities to manage risk,’ she notes.
Senior managers also need to keep the board continually informed about third-party risk, which should be a regular item on the board’s agenda: communication and the flow of information are crucial to mitigating it. Directors should ask the following of the organization’s management:
- Is there a comprehensive third-party risk assessment?
- What are the primary risks facing the organization?
- What is being done to manage risk?
- Who has responsibility for managing third-party risks in the organization?