Vendors are a common element in today’s business environment. Outsourcing services and processes to vendors provides flexibility, convenience and cost savings. However, these outsourcing arrangements don’t come without increased risk. Data breaches stemming from third parties have been increasing year over year. When identities are stolen or sensitive information is made public, your customers won’t care that it was the vendor’s fault. Regulators and examiners alike are also taking note, and it can be seen in recent legislation and guidance related to managing third parties. According to the Federal Deposit Insurance Corporation’s (FDIC) Guidance For Managing Third-Party Risk, “An institution's board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.” While services can be outsourced, the risk cannot.
Why is this important? Many organizations continue to outsource critical activities and fail to recognize the risks that arise from those relationships. Whether it is outsourcing certain information technology operations, sensitive data processing and storage, or simple marketing, legal or HR services, sensitive/proprietary information is often shared with third parties without first assessing the security controls within that organization. To that end, third-party risk management is critical when it comes to managing risk across the enterprise. To achieve assurance over activities performed by third parties, organizations should implement sound third-party risk management practices.
When it comes to guidance, there are plenty of great options available. There are many compliance-based guides that may be applicable based on the industry you are in. For example, with our clients in the banking world, the FDIC guidance mentioned earlier comes to mind. At Schneider Downs we are a member firm of the Shared Assessments Program, which provides widely adopted vendor risk management tools and resources for enterprise organizations to evaluate and measure vendor risk. These tools are industry agnostic and provide third-party risk management best practices regardless of the industry you may be in.
No matter what framework or guidance you plan to adopt, some of the key recommendations remain the same.
In addition to the aforementioned activities, organizations should assign responsibility for third-party management to appropriate members of the organization with sufficient knowledge of the enterprise risk management process and of the nature of third-party relationships. Standardized documentation and reporting procedures should be implemented to ensure that third-party management activities are being appropriately performed and reported on. Lastly, organizations should perform independent reviews of their third-party management programs to ensure that third-party risk management activities are appropriately aligned with their enterprise-wide risk program, that they meet industry-recommended best practices and that they effectively manage the risk posed by third parties.
Contact us if you have questions implementing a third-party risk management strategy and visit our Internal Audit page to learn about services that Schneider Downs offers.