Third-Party Risk Management: 25 priorities for 2021

1. Before your vendor uses software from a third party, what process do they go through to ensure any known vulnerabilities are resolved before it is accepted for use and after it has been deployed?
2. Complex products tend to generate millions of lines of computer code; ensure the vendor has automated code scanning environments to automatically test for coding practice as part of their R&D process.
3. Does management ensure that the third party’s internal control environment as it relates to the service or product being provided to your organization is sufficiently audited or monitored?
4. Does management follow your organization’s policies and procedures for terminating or probating third-party relationships, based on findings from audits and performance monitoring?
5. Do your contracts provide indemnification provisions that require the third party to hold your organization harmless from liability as a result of negligence by the third party, and vice versa?
6. Does your company conduct a regular review of third-party risk management policies and programs to ensure they address the ever-changing landscape of third party risk and regulations?
7. Does your organization have any agreements with third-party developers that involve the sharing of customers’ personal data for the purpose of offering customers certain benefits or options?
8. Does your risk appetite and risk strategy meaningfully capture your third-party risk of today and the future, and does this cascade down to day-to-day monitoring and management?
9. Ensure all your tech is covered in risk management. For example, if you’re an IoT product provider, do your IoT device consumers incur a duty to warn third-party consumers or others on their property of the risks associated with your IoT device, including the collection of PII by the IoT device?
10. Ensure management assesses the impact of services provided to third-party service organizations on internal controls over financial reporting (ICFR), including the risks of material misstatements.
11. Face the critical question that now all organizations must answer when it comes to compliance: Should you build the solution in-house or outsource it to a third-party provider?
12. Has management demonstrated a clear understanding of your organization’s dependencies on third-party vendors and the level of risk they introduce into the delivery of critical business services?
13. Have a high-quality security clearance process that should assess whether an applicant or vendor is susceptible to inappropriate influence or blackmail from a foreign government or another third party.
14. Have an appropriate level of reporting and any associated third-party audits to enable your organization to monitor compliance requirements.
15. Be detailed and specific. For example, for volatile contaminants of potential concern, is the risk management plan adequate to ensure monitoring of vapour concentrations near buildings, within the building, and near the source of vapours?
16. How do you incorporate ESG risks and opportunities in your process (either directly or through the selection, appointment, and monitoring of third-party managers/operators)?
17. How does new proposed rule making ensure that third-party device manufacturers and software developers are meeting an adequate level of software and hardware security, including supply chain risks?
18. How much is the changing regulatory landscape driving you to reassess your third-party relationships, including joint ventures, suppliers, distributors, agents, or other business relationships?
19. If a vendor is embedding third-party software components in a product, do you verify with your vendor that the third-party software is covered by a lifecycle management process?
20. In light of the information and data cybersecurity, how does your organization update your due diligence procedures to help mitigate third-party-related risks across your supply chain and customer base?
21. Is your organization’s compliance management system (CMS) adapted to effectively address the third-party relationship and appropriately respond to emerging issues and compliance deficiencies?
22. Learn from why other organizations still fail to adequately assess their third-party supplier IT security risks and ensure the ongoing security and availability of their business-critical information.
23. Staff expertise – are there individuals within the business entity who can perform the services, in case the risk of working with the third-party proves greater than the business would like?
24. What measuring stick should you use to get an understanding as to third-party data handling controls, and whether those controls are in line with your own organization’s controls and compliance?
25. Define how much risk you should retain yourself and how much should be transferred via insurance or another form of financial instrument to a third party.

__________

About the Author: Gerard Blokdyk is the CEO of The Art of Service. Learn more at https://theartofservice.com.