Many large companies work with thousands of third-party suppliers, distributors and other entities. Members of the Audit Committee Leadership Network gathered in New York on Oct. 31, 2017 to discuss the inherent risks that come along with all these relationships and how their organizations and boards are approaching the management and oversight of third-party risks. The following is a summary of that conversation.
Third parties and related risks
Third parties include traditional vendors such as suppliers and distributors as well as outsourced functions such as human resources or information technology. These entities often have access to a company’s data and its internal systems, and in some cases they serve as the front door or face of the company. This exposes the company to potentially serious risks, including fraud and corruption, cybersecurity incidents, and damage to its reputation and operations, among others.
Varying approaches for managing third-party risks
Companies manage these risks in different ways. Some take a decentralized approach, with management of these risks residing within each business unit. Other companies, particularly those in the financial services industry, have more centralized third-party risk management programs. Still others have adopted a hybrid approach. Whatever the approach, members discussed the importance of ongoing monitoring of existing third parties and of minimizing the risks of doing business with new entities. This includes proper due diligence, a strong contract that protects the company, a consistent way to evaluate each third party, and a full picture of every partner and the potential risks it brings.
Board attention to third-party risks
For their part, boards have taken a variety of approaches to overseeing third-party risk. Most members reported reviewing these risks as a full board as part of enterprise risk management (ERM). Beyond ERM, some make it part of the audit committee agenda, while others, particularly those in financial services, have a dedicated risk committee to oversee the company’s various risks, including those related to third-party entities. Regardless of how they do it, directors must be familiar with the risks the company faces from third-party involvement and the steps management is taking to manage those risks.
Read more in the full report available for download at the top of this page.