In an uncertain market, risk and compliance has become harder — and more critical. An Aston Carter executive shares details on how to shore up third-party risk evaluation.
What’s the most urgent risk management need right now? Reevaluating your exposure to third-party vendor risk, according to Karl Kimball, a longtime banking executive who serves as an advisor for Aston Carter’s Risk & Compliance services. Organizational vendor vetting processes might need a few tweaks to adequately assess the current state of third-party risk.
This starts with diversifying sourcing for vital information. “Verify independently, so you’re not just taking your vendor’s word for it,” says Kimball.
For example, businesses may need to spend more time gathering publicly available information on potential vendors, such as financials and bond value fluctuations, significant leadership turnover or headlines around reputational issues. This approach may strain current resources, but it can reduce vendor fatigue and improve onboarding efficiency while also giving a clearer picture of risk potential.
There are also opportunities to use external customers or internal employees as a quick gut check on incoming vendors: the people who will actually consume a vendor's services are often the best-placed to spot problems early. “Few people send questionnaires to the people who actually consume the resulting services,” says Kimball.
You can combine new vetting methods with an updated risk-based approach to your current practices. This isn’t just about adding requirements to vendor questionnaires to evaluate emerging key risk indicators such as sustainability, sourcing, diversity, financial health, geopolitical risk, climate risk and concentration risk. A risk-based approach can also streamline the process, for instance by dropping data security thresholds that add no value for vendors that never touch your data or systems. That classification is itself a vetting decision: confirm independently that a “non-data” vendor really has no access to your data, networks or facilities before relaxing those controls.
Additionally, at least a cursory evaluation of fourth-party risk (looking into your vendors’ own main suppliers to more completely define your exposure to concentration risk) is now a prudent vetting practice.
In addition to vetting incoming vendors more broadly, the current state of the market demands greater attention to risk thresholds for existing contracts. Your goal should be to move from a reactive state to a proactive one.
“Contract modernization should be a constant process,” says Kimball, “with evaluative mechanisms for iteration and improvements as you continue to learn about your vendor population.”
As service-level agreement and statement of work processes move to a risk-based approach, businesses will also want to evaluate contracts against performance benchmarks. Sometimes slippage in key performance indicators, turnaround or delivery quality will be the first whiff of smoke to indicate greater danger.
Companies on a one- or two-year cycle of contract remediation will want to review more frequently to account for greater market uncertainty, add protective clauses where they are missing, and revisit the service-level terms themselves.
Kimball suggests paying particular attention to broadened liability protection language. “For example, a standard contract might include a notification clause if the vendor’s data is breached, but these days it’s good to require notification in case your vendor compromises somebody else’s data.”
Even though some big bank and financial services firms have shown vulnerability recently, their resources and infrastructure generally put them way ahead of the pack on third-party risk evaluation.
“There’s a lot we can learn from big banks,” says Kimball. “They spend the most money and they’re the most exposed, since regulators tend to go after large companies first.”
Large firms design systems and processes to manage massive vendor populations, with clear, repeatable guidance for conducting research on an ongoing basis. Much of the resulting knowledge is transferable, and while exact policy and protocol might not scale down perfectly to fit every business, the big bank playbook offers a starting point for most of the problems a smaller program will face.
Accessing that knowledge capital isn’t cheap, and it may not be fast either.
“There’s a bottleneck now,” says Kimball. “If you call a Big 4 or large consulting firm, you could end up on a waitlist for an expensive solution.”
Most smaller companies will gladly hire risk and compliance talent with big bank experience, but tapping into that knowledge base through managed service contracts may be a less challenging proposition.
As your company shores up its third-party risk evaluation capabilities in response to far-ranging uncertainty, you’ll find these tactical efforts more effective if you pair them with a broader risk-based strategy.
For more information about the current state of risk and compliance, check out a previous article on the subject: Risk and Compliance in the Age of COVID-19
If your company is in need of third-party remediation execution resources such as team leads, experienced investigators or thought leaders, reach out to Aston Carter for guidance.