Managing Third Party Risk in a Dynamic Environment
As companies have navigated the coronavirus pandemic and its impacts on business plans, third-party risk continues to be a pressing concern. Reliance on existing and new vendors has increased as many employees have been working remotely, and ensuring the health and safety of key stakeholders has been a top priority for companies. As vendor relationships are added or evolve, it is important for companies to adhere to strong risk management practices. Here are the elements that should be included in a third-party risk management framework.
Assessment
When evaluating potential new vendors, management must first determine whether the vendor aligns with the company’s business strategies and needs. To make this determination, an assessment should be prepared outlining the costs and risks of the vendor and the associated products and services. Additionally, management should determine whether sufficient oversight of the vendor can be performed initially and on an ongoing basis.
Due Diligence
If a potential vendor is deemed to be in alignment with the company’s strategic needs, then due diligence should be performed and formally documented. At a minimum, initial due diligence should include: financial condition, experience and reputation, qualifications of the vendor and key personnel, established internal controls and technology environment, outstanding litigation or regulatory actions, business continuity plans, and sufficiency of insurance.
Due diligence should also determine whether significant contractors or other vendor relationships will be used to deliver products or services since this could present additional risks. This due diligence evaluation should be prepared or reviewed by a manager or committee independent of the company’s relationship with the potential vendor.
Contract Oversight
If the potential vendor is deemed to be appropriate for the company, then a formal contract should be established and critically reviewed by both management and legal counsel. Topics that should be considered at a minimum in vendor contracts are: the timeframe for delivery of the product or provision of the service, a clear definition of the service or product provided, roles and responsibilities of the company and the vendor, limitations of liability, vendor compliance with applicable laws, authorization of the company to review the vendor for compliance with applicable agreements and perform ongoing evaluation, indemnification, compensation, dispute resolution, and termination.
Monitoring
In a dynamic risk environment like the one we’ve experienced in 2020, ongoing monitoring of third parties is absolutely critical. As with initial due diligence, ongoing monitoring should be performed in a timely manner (no less than annually, and more frequently if significant changes have occurred), formally documented, and prepared or reviewed by a manager or committee independent of the company’s relationship with the vendor. Topics that should be considered in ongoing monitoring include compliance with applicable contracts, effectiveness of products or services and continued alignment with strategic needs, financial condition, controls audit results, changes in key vendor personnel, business continuity plans, insurance adequacy, and outstanding litigation or regulatory actions. If concerns are identified with the vendor, then those concerns should be presented to an appropriate committee or level of management for review.
Key vendor relationships will continue to be critical for companies in working through the ongoing safety, technology, and economic impacts of COVID-19. Adhering to a strong framework of vendor management will enable companies to manage their third-party risks. Weaver’s Risk Advisory Services team has the knowledge and experience to support companies as they navigate this new terrain. If you would like to evaluate your third-party risk management practices, contact us. We are here to help.
© 2020