 | |
| The Role of Procurement in Third-Party Risk Management |
For more information regarding third-party risk management (TPRM), please refer to Beginner’s Guide to Vendor, Supplier and Third-Party Risk Management under Training Guides,Template and Checklists.
Within third-party risk management (TPRM), it is essential that procurement plays a role in protecting the organization from risks associated with utilizing third-parties. Third-party risk is the probability or likelihood of financial and reputational losses due to outsourcing business functions and processes to external entities (i.e. vendors or suppliers). As a key stakeholder within the third-party life cycle, procurement should protect the organization from third-party risk by negotiating contractual agreements that protect the strategic objectives of the organization and prevent legal risk.
Download Also:
Legal risk represents the probability or likelihood of loss due to third-parties such as vendors or suppliers not meeting their contractual obligations. To prevent legal risk, procurement should incorporate into the contract the following legal language pertaining to third-party risk as listed below.
Third-Party Risks
Information Security: The contract should require the third-party to implement and maintain adequate controls to prevent the unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. The contract should also reference industry and regulatory standards such as the ISO 27000 family standards, NIST, or any other industry and regulatory standards that require the third-party to protect the confidentiality, integrity and availability (CIA Triad) of information.
In addition to industry and regulatory standards, procurement should also reference all relevant information security risks included in the Risk Mitigation Action Plan (R-MAP). The R-MAP represents a document prepared by the risk-subject matter experts (SMEs) that summarizes all residual risks identified during the third-party risk assessment. By leveraging the R-MAP, procurement ensures that the contract requires the third-party to mitigate and monitor information security risks that could potentially compromise the organization. Please refer to the Risk Mitigation Action Plan (R-MAP) template.
Business Continuity/Disaster Recovery: Depending on the criticality of the services or products provided by the third-party, the contract should include legal language that requires the third-party to implement and maintain adequate controls to ensure that in the event of a business disruption due to operational failure, natural or man-made disasters,
the third-party can continue to meet their service level agreements (SLAs) and contractual obligations to the organization. For example, the contract should stipulate a recovery time objective (RTO) of 24-72 hours for critical business processes and functions. Procurement should also leverage the R-MAP to address any relevant business continuity/disaster recovery risks in the contract. Please refer to the Risk Mitigation Action Plan (R-MAP) template.
Regulatory/Compliance: The contract should contain legal language that ensures that the third-party follows applicable laws and regulations (i.e. GLBA, HIPAA, CFPB) when providing services or products to the organization. To protect the organization, procurement should work with Corporate Legal and Compliance to incorporate the required laws, regulations and industry standards into the contract.
Insurance Coverage: Procurement should also work with Corporate Legal and Enterprise/Operational Risk Management (ERM/ORM) to incorporate the correct insurance requirements into the contract. Incorporating insurance requirements into the contract holds the third-party responsible for possessing adequate insurance coverage to protect itself and the organization from financial losses in the event of operational failure.
To ensure that the third-party holds adequate insurance, the contract should require the third-party to show proof of insurance in the form of a certificate of insurance (COI) on an annual basis. The COI demonstrates that the third-party can protect the organization from any activities that expose the organization to operational risk.
Service Level Agreements (SLAs): Procurement should work with the appropriate business department(s) to ensure that the contractual agreement includes the appropriate SLAs that measure the quality of service expected from the third-party. SLAs represent performance metrics that measure whether the third-party performed according to the standards and expectations as dictated by the organization.
By including SLAs within the contract, the organization can require that the third-party to protect the organization from operational risk by requiring the third-party to perform according to the performance metrics established in the contract. In the event the third-party cannot meet their performance metrics, the contract should stipulate any penalties that punish the third-party for not providing the quality of service as dictated by the SLAs in the contract.
Other Legal Language: Procurement should work with Corporate Legal to incorporate other legal language that protects the organization from legal liability. Other legal language should include indemnification, limits of liability, insurance requirements, right-to-audit and any other language that minimizes the organization’s exposure to legal and contractual risk. For example, all contracts should contain right-to-audit language that allows the organization to perform onsite and offsite third-party risk assessments.
By including right-to-audit language, the organization can assess the effectiveness of the third-party’s controls to mitigate third-party risks.To ensure that the contract contains the correct legal language, legal should provide procurement with a contract template that includes all the legal language required to protect the organization from the probability of loss due to outsourcing. Please refer to OCC 2013-29 Bulletin for contractual language to incorporate into the contract.
*Third-party risks include information security, business continuity, disaster recovery, regulatory/compliance, and financial.
*According to Basel II, Operational risks represents the probability or likelihood of loss due to inadequate systems, processes, procedures, or people.
Conclusion
Overall, executing a contract represents a risk mitigation activity that protects the organization from risks associated with outsourcing business functions and processes to third-parties. Therefore, it is essential that contractual agreements between the organization and third-parties benefit the organization while protecting it from liability. As an important stakeholder within the third-party life cycle, procurement ensures that all contractual agreements with third-parties protect the strategic objectives of the organization. Ultimately, procurement enables organizations to maximize the benefits of outsourcing business processes and functions while minimizing the risks.
Related Topics:
The Author: Catherine Tibaaga
About:
I am a Risk Management professional who has over seven years of experience working for global firms such as Jones Lang LaSalle, E*TRADE Financial, JPMorgan Chase & Co. and Freddie Mac. I have worked in a variety of roles in third-party risk management, procurement and accounting. To provide value to organizations, I conduct and lead risk assessment activities for corporations that seek to outsource their activities to third-party suppliers.
I also help companies build their vendor, operational, and enterprise risk management programs. Using my expertise in building risk management programs, I work with organizations to ensure that their vendor risk management programs align and comply with regulations (i.e. OCC 2013-29, GLBA and Privacy laws) and industry standards (i.e. ISO 27000 family of standards, PCI and NIST standards).
My core expertise includes:
Risk Management: Third-Party Risk, Operational Risk, Enterprise Risk RiskTools: Hiperos, MetricStream, Archer, Agiliance Regulations: OCC, GLBA and Privacy Laws, FRB, FDIC Industry Standards: ISO 31000, ISO 27001, ISO 27002, PCI Compliance, NIST Standards (800-14, 800-37, 800-52), COSO Framework
Post a Comment