Utilizing Key Performance Indicators (KPIs) To Manage Third-Party Risks



Learn how to monitor third-party performance utilizing key performance indicators (KPIs). For more information regarding third-party risk management (TPRM), please refer to Beginner’s Guide to Vendor, Supplier and Third-Party Risk Management.
Within third-party risk management (TPRM), it is essential that organizations monitor third-party performance by encouraging business departments that own outsourced functions or processes to complete Key Performance Indicators (KPIs). Key Performance Indicators (KPIs) measure the quality of service provided by the third-party when delivering products and services to the organization. 
 
By capturing KPIs, organizations can measure whether third-parties perform according to contractual standards and expectations. When third-parties fail to meet their contractual obligations, they expose the organization to potential third-party risks. To protect the organization, organizations should utilize KPIs as a tool to proactively manage third-party activities that could potentially undermine the strategic objectives of the organization.
 
Third-party risk represents the probability or likelihood of material and monetary losses due to outsourcing business processes and functions to external entities such as vendors or suppliers. As a subset of operational risk, third-party risk includes the following risk areas.

-Information Security: The probability or likelihood of material and monetary losses as a result of an organization lacking adequate internal controls to prevent the unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. As a result, it is the probability or likelihood of material and monetary losses due to an organization's inability to protect the confidentiality, integrity and availability of information (CIA Triad) due to inadequate internal controls.

-Business Continuity: The probability or likelihood of material and monetary losses due to an organization lacking adequate internal controls in place to ensure that it can continue to provide services or products to the organization and meet its contractual obligations in the event of a business disruption.

-Disaster Recovery: The probability or likelihood of material and monetary losses due to an organization lacking adequate internal controls to ensure that vital technological systems, infrastructure and information are recoverable after a natural or man-made disaster.

-Financial: The probability or likelihood of material and monetary losses due to the inability of an organization to earn adequate income, pay its debts and reward its shareholders.

-Compliance: The probability or likelihood of material and monetary losses due to an organization not adhering to regulations, laws or industry standards.

-Reputational: The probability or likelihood of material and monetary losses due to poor public opinion as a result of a business event that compromises the ability of an organization to meet its regulatory and strategic objectives.

To mitigate third-party risks, organizations should utilize KPIs to determine whether third-parties meet their service level agreements as dictated by the contract. Service Level Agreements (SLAs) represent performance metrics that measure whether a third-party performed according to the standards and expectations dictated by the contract. When monitoring third-party performance, organizations should complete KPIs to ensure that third-parties meet their performance metrics without exposing the organization to operational risk. According to Basel II, operational risk represents the probability or likelihood of losses due to inadequate or failed systems, processes or people, or from external events. By completing KPIs, organizations can monitor all third-party activities and implement controls to protect the organization from operational risks caused by third-party activities.
Within the third-party life cycle, KPIs are completed during the monitoring phase by relationship managers and owners within various business departments that choose to outsource business functions and processes to third-parties. The third-party life cycle consists of five phases listed below.

Planning: Determine the business need to outsource a specific function or process to an external entity such as a third-party (i.e., vendor or supplier). 

Due Diligence and Third-Party Selection: Determine the level of risk associated with outsourcing business processes and functions to third-parties utilizing the third-party risk management (TPRM) process.

Contract Negotiation and Implementation: Execute the contract and implement any technological solutions necessary to utilize third-parties. 

Monitoring: Monitor and measure third-party performance to determine if third-parties meet their contractual obligations to the organization. Organizations should utilize KPIs to capture third-party performance and determine if third-parties adhere to SLAs and performance metrics.
Termination: Terminate the contract according to the termination clauses in the contract in the event that the organization no longer needs the services or products of the third-party. The organization should work with the third-party to return or destroy all data provided to the third-party according to the data destruction clause within the contract. In the event that the third-party cannot return or destroy the data, the third-party should maintain the data as required by the records retention clause in the contract. Termination clauses require 10 to 30 days' notice prior to terminating the contract with the third-party.

Completing Key Performance Indicators (KPIs)  

As part of the monitoring phase within the third-party life cycle, organizations should ensure that relationship managers and owners complete KPIs to measure third-party performance utilizing the performance metrics within the contract. Relationship managers and owners represent the first lines of defense when managing third-party risk. Because they manage the daily activities associated with third-parties, they play a crucial role in managing and controlling operational risks associated with third-parties. To complete KPIs, relationship managers and owners should leverage the contract to understand the services and products provided to the organization. 
 
For example, if a third-party is required to process 100 loan applications per month according to the scope of work within the contract, the relationship manager or owner should complete KPIs to determine the number of applications processed correctly versus incorrectly. Based on the number of applications processed correctly versus incorrectly, the relationship manager or owner should calculate the KPI score utilizing the established performance metrics in the contract. The relationship manager or owner should also complete KPIs to measure the number of applications completed on time as required by the contract versus the number of applications completed late.

For example, if the contract requires the third-party to complete one loan application correctly within 24 hours, relationship owners should ensure that the KPI captures whether the third-party met its Recovery Time Objective (RTO) of 24 hours. To complete KPIs, the third-party should provide reports on a consistent basis that demonstrate whether it met its contractual obligations when providing loan application processing services to the organization. If the third-party cannot provide reporting detailing daily activities, relationship managers and owners should create their own reporting to track third-party performance. Please refer to the Sample KPI Template.
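The loan-application KPI described above, worked through in code as an added example (this is not code from the article or its Sample KPI Template). It scores one reporting period on the two measures the article names, applications processed correctly versus incorrectly and applications completed within the contractual 24-hour window versus late, and flags an SLA breach when a rate falls below a pass mark. The pass marks (95% accuracy, 90% timeliness), the record layout and the March 2024 sample data are assumptions constructed for the example; the contract's real thresholds would replace them. An application still open at period end is counted late only once its 24-hour window has elapsed, otherwise it is carried as pending and left out of the timeliness rate.

```python
"""Monthly KPI scoring for an outsourced loan-application process (hypothetical example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional, Tuple

# Contractual turnaround cited in the article: an application is completed within 24 hours.
TURNAROUND_SLA = timedelta(hours=24)
# Assumed pass marks (the article does not state the contract's thresholds).
ACCURACY_TARGET = 0.95    # share of reviewed applications that must be processed correctly
TIMELINESS_TARGET = 0.90  # share of closed applications that must meet the 24-hour window


@dataclass(frozen=True)
class Application:
    app_id: str
    received: datetime
    completed: Optional[datetime]  # None: still open at the end of the reporting period
    correct: Optional[bool]        # None: not yet reviewed by the relationship manager


@dataclass(frozen=True)
class KpiScore:
    total: int
    correct: int
    incorrect: int
    on_time: int
    late: int
    pending: int          # open and still inside the 24-hour window; excluded from timeliness
    accuracy: float
    timeliness: float
    breaches: Tuple[str, ...]


def score_period(apps: Iterable[Application], period_end: datetime) -> KpiScore:
    """Count correct/incorrect and on-time/late outcomes and compare the rates to the targets."""
    correct = incorrect = on_time = late = pending = total = 0
    for app in apps:
        total += 1
        if app.correct is True:
            correct += 1
        elif app.correct is False:
            incorrect += 1

        deadline = app.received + TURNAROUND_SLA
        if app.completed is not None:
            if app.completed <= deadline:
                on_time += 1
            else:
                late += 1
        elif period_end > deadline:
            late += 1      # still open after the window closed: counts against the vendor
        else:
            pending += 1   # window not yet elapsed at period end: no verdict this period

    reviewed = correct + incorrect
    closed = on_time + late
    accuracy = correct / reviewed if reviewed else 1.0
    timeliness = on_time / closed if closed else 1.0

    breaches = []
    if accuracy < ACCURACY_TARGET:
        breaches.append("accuracy")
    if timeliness < TIMELINESS_TARGET:
        breaches.append("timeliness")
    return KpiScore(total, correct, incorrect, on_time, late, pending,
                    accuracy, timeliness, tuple(breaches))


def sample_month() -> Tuple[list, datetime]:
    """Constructed sample data for March 2024; not real vendor reporting."""
    t0 = datetime(2024, 3, 1, 9, 0)
    h = timedelta(hours=1)
    d = timedelta(days=1)
    apps = [
        Application("A-001", t0,          t0 + 10 * h,          True),
        Application("A-002", t0 + 1 * d,  t0 + 1 * d + 20 * h,  True),
        Application("A-003", t0 + 2 * d,  t0 + 2 * d + 30 * h,  True),   # late
        Application("A-004", t0 + 3 * d,  t0 + 3 * d + 5 * h,   False),  # on time but wrong
        Application("A-005", t0 + 4 * d,  t0 + 4 * d + 24 * h,  True),   # exactly on the deadline
        Application("A-006", t0 + 5 * d,  t0 + 5 * d + 48 * h,  False),  # late and wrong
        Application("A-007", datetime(2024, 3, 31, 20, 0), None, None),  # open, window still running
        Application("A-008", t0 + 10 * d, None,                 None),   # open long past the window
    ]
    return apps, datetime(2024, 4, 1, 0, 0)


if __name__ == "__main__":
    apps, period_end = sample_month()
    s = score_period(apps, period_end)
    print(f"accuracy {s.accuracy:.1%} ({s.correct}/{s.correct + s.incorrect}), "
          f"timeliness {s.timeliness:.1%} ({s.on_time}/{s.on_time + s.late}), "
          f"pending {s.pending}, breaches: {', '.join(s.breaches) or 'none'}")
```

On the sample month the score comes out at 4 of 6 reviewed applications correct and 4 of 7 closed applications on time, so both measures fall below the assumed pass marks and the period is flagged on accuracy and timeliness. Treating an application as late once its window has passed, even though the vendor has not yet reported it complete, is the conservative choice the article's reporting guidance implies: the relationship manager, not the vendor, decides what counts.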
 

When to Complete KPIs  

When completing KPIs, the frequency should depend on the level of criticality associated with the outsourced business functions or processes. To determine the level of criticality, relationship managers and owners should leverage the Sample Inherent Risk Tool to calculate the inherent risk score. The inherent risk score enables relationship managers and owners to determine how often to complete KPIs.  
 
For example, relationship managers and owners should complete KPIs on a monthly basis for critical business functions and processes with an inherent risk score of Tier 1. For outsourced business functions with inherent risk scores of Tier 2, Tier 3 and Tier 4, relationship managers and owners should complete KPIs on a quarterly, semi-annual and yearly basis, respectively.

*Inherent Risk: The probability or likelihood of material and monetary losses without taking into consideration compensating controls.

Conclusion

Overall, KPIs allow organizations to proactively manage third-party activities that could potentially undermine their strategic objectives. From a regulatory perspective (i.e., OCC 2013-29), organizations own all operational risks when they choose to outsource business activities to third-parties. As a result, regulators hold organizations financially responsible for any third-party activities that lead to regulatory violations.
 
Because organizations are responsible for all third-party activities, it is essential that organizations monitor and measure third-party performance to protect their public brands and public reputations. Ultimately, KPIs serve as an effective tool for organizations to understand their operational risk exposure related to third-party activities and to ensure that third-party activities fit within the third-party risk appetite.


Catherine Tibaaga
About:
I am a Risk Management professional who has over seven years of experience working for global firms such as Jones Lang LaSalle, E*TRADE Financial, JPMorgan Chase & Co. and Freddie Mac. I have worked in a variety of roles in third-party risk management, procurement and accounting. To provide value to organizations, I conduct and lead risk assessment activities for corporations that seek to outsource their activities to third-party suppliers. 
I also help companies build their vendor, operational, and enterprise risk management programs. Using my expertise in building risk management programs, I work with organizations to ensure that their vendor risk management programs align and comply with regulations (i.e. OCC 2013-29, GLBA and Privacy laws) and industry standards (i.e. ISO 27000 family of standards, PCI and NIST standards). 

My core expertise includes:

Risk Management: Third-Party Risk, Operational Risk, Enterprise Risk
Risk Tools: Hiperos, MetricStream, Archer, Agiliance
Regulations: OCC, GLBA and Privacy Laws, FRB, FDIC
Industry Standards: ISO 31000, ISO 27001, ISO 27002, PCI Compliance, NIST Standards (800-14, 800-37, 800-52), COSO Framework