Third Party Risk Management

The recent COVID-19 pandemic has made companies re-examine their third-party relationships: for some companies supply chains were stressed, while for others reliance on cloud providers increased.

The pre-pandemic view was that the majority of third parties in use could easily be replaced in the open market, given the large number of options. Management rated third-party risks low, or cited strong contracts and penalty clauses as mitigants. As a result, investment in active monitoring of third parties has been low and, in the majority of cases, restricted to a SOC audit report or an ISO 27001 certificate.

However, with the growing dependency on third parties, companies should revisit this approach and move from passive monitoring to more active oversight.

Key risks to consider while overseeing third parties are:

  • Financial viability of the third party, to ensure it remains available
  • Lack of controls over information security
  • Service levels and complaints
  • Level of sub-contracting by the third party
  • Lastly, a number of unknowns

Active monitoring of third parties involves:

  • Proper documentation of the services offered and of the dependencies on the third party. This involves mapping every engagement with a vendor across the organisation, so that the services the vendor provides to the various parts of the company are all captured. The current technology scenario has enabled vendors to operate across country boundaries.
  • Criticality assessment. The organisation needs to assess how critical each vendor is to it. This assessment cannot be based solely on overall spend with the vendor, as a vendor whose billing is low can be more critical than one whose billing is high.
  • Alternatives – Based on the criticality assessment, the organisation needs to ensure that it has viable alternatives for all critical vendors. It is not enough to identify alternatives; you need to put contracts in place and use the alternative vendors from time to time, to ensure the supply chain works and there is an ongoing relationship with the vendor.
  • Contract oversight and control over sub-contracting by the third party. Contract management goes beyond ensuring that the contract with the vendor is always current. The vendor management team should be tasked with generating regular reports on key contract clauses and ensuring compliance with them. As a first step, the company, together with the business departments using the vendor, should identify the clauses in the contract that are important to them rather than leaving this to the legal team alone.

Often clauses are added to a contract for specific reasons, but those reasons are lost or not communicated properly, as a result of which the vendor may get away with not following those requirements.

  • Monitor linkages between multiple third parties to maintain visibility of over-dependence on one large corporate entity. This is a fairly complex requirement and not easy to track, but in today's world, with active M&A and companies trying to consolidate their positions, it is important to keep track of the ownership structure of your key vendors to ensure they are not all owned by one party; otherwise the careful exercise of choosing alternatives goes to waste.

Further, it is recommended that periodic vendor audits be conducted for critical vendors. These audits should focus on key risk factors.
