Banking CIO Outlook
A Case for Implementing a Formal Third-Party Risk Program

Eric Bonnell, Senior Vice President, Risk Management at Atlantic Union Bank

We recently had a local contractor update the bathrooms and laundry room in our home. The work included:

• all three rooms received tile floors

• the guest bathroom received a new sink and cabinet

• the master bathroom received a double sink and larger cabinet (replacing a single sink), a more spacious shower, and a fresh paint job

The week that the crew was here was chaotic, but that was expected, and we muddled through. The result was varied, as the crew had varying skills. The floors were laid very well. The new molding was less than perfect. The cabinets, custom-built, were gorgeous. The shower was done well, except that the drain pushed a hole through to the living room ceiling below. The paint job was horrid. We called management and had the imperfections addressed to our satisfaction. For a while it was stressful, having multiple rooms partially available for another week, but with an abundance of oversight on our part, the crew finally came through.

Isn’t this the way it is with third-party relationships? Most companies have core competencies and may not provide great service in all areas. Sometimes their performance depends on the availability of competent resources. In the case above, the contractor’s regular painter was unavailable, and a fourth party was brought in. The contractor took a risk on our behalf with his choice of replacement assignment. If I were the contractor, I would have made a different decision.

In the end, we lost over a week on the scheduled completion, had to spend our own time micromanaging the situation and were left with a less than favourable opinion of the contractor’s effectiveness. We’ll use someone else next time to do any new work on our house. In fact, had we had the time to do the work ourselves, we would have ended up with a better result.

Have you experienced a negative impact due to the poor performance of your corporate vendors?

What Are the Risks of Outsourcing Work?

Outsourcing ancillary business functions may free you up to focus on your core business. Murphy’s Law dictates that although that may be mostly true, you still must manage expectations, monitor supplier performance, and address operational contingencies when things go wrong. This is the case, in general, to reasonably maintain your business operations. However, if you are a regulated entity, such as a bank, your regulators expect that you demonstrate this third-party (and fourth-party) management in a formal program.

What Impacts Might a Company Incur?

A general list of the impacts you must guard against when outsourcing portions of your business operations includes:

• Failure to consider the full strategic value of third-party services may cause unexpected results. If the vendor is not fiscally sound, it may go out of business or be acquired, leading to disruption in service offerings or increased expenses. If the third party’s services are not well managed or do not meet business needs, it is likely that there will be performance issues, delivery delays and/or errors, or the need to fund a vendor replacement project (including new vendor assessments, new vendor onboarding and existing contract extensions, and the increased cost of new implementation and decommissioning activities).

• Failure to negotiate safe and sound contract terms, including the handling of confidential information, service level agreements and SLA breach penalties, contract termination exit conditions and strategies, and so on, may leave you unable to address breaches of contract, service delivery failures, or other contingency conditions.

• Lack of formal expectations or service level agreements may lead to miscommunicated business requirements and time frames. This could result, as it did with my home contractor, in delivery delays, unexpected rework, and an impact on the business and third-party reputation.

• Failure to understand and test third-party disaster recovery and business resiliency plans, which should support the continuation of company operations in cases of system, process, and/or resource outages, may result in the inability to conduct business operations effectively or to recover expenses through the resulting insurance claims.

• If your supplier is providing customer-facing services, such as customer care center services, lack of or inconsistent management of outsourced operations may result in customer complaints. Customer complaints may lead to legal fees, regulatory penalties, and a negative impact on business reputation. If you are regulated by the CFPB or another agency, a significant complaint or issue trend might become a red flag that prompts examiners to look further into your business operations. Customer complaints related to customer privacy and fair treatment are especially suspicious and potentially damaging.

• Management of vendor performance is especially important if your vendor provides protective services, such as cyber security monitoring or other security or redundancy services, because a lapse there weakens your own controls.

• Failure to validate that third parties are managing their third parties (that is, your fourth parties) in the same diligent manner can result in a negative impact on all parties, including customers (first party), the company (second party), the third party, and the fourth party.

How Can a Company Manage Third and Fourth Parties?

A formal Third-Party Risk program is called for. This function should gather due diligence and identify areas of concern within regular senior management reporting. The scope of assessment should be broad and cover impacts on company financial reporting, budget and expenditure well-being, business operations, customer fairness and welfare, legal and regulatory compliance, and insurance coverage.

Conclusion

In short, outsourcing does not remove your obligation to manage performance. Where it is not a regulatory expectation, it is still the cost of ensuring continuity of business operations, as much as it is a means of managing expenses and reducing the risk of unknown business impact.

Manage your third- and fourth-party resources as closely as you manage your own employees. The actions these outsourced entities take on your company’s behalf directly affect business operations, customer service, and regulatory compliance.

Invest in a formal Third-Party Risk Management program with senior management oversight to monitor the performance and sound operations of third and fourth parties, so that you can anticipate impacts to the company, address risks, and demonstrate regulatory compliance.
