ISACA Now Blog


Third-Party Vendor Selection: If Done Right, It’s a Win-Win

Ryan Abdel-Megeid, CISA, Director, Internal Audit, AARP
Posted at 3:04 PM by ISACA News | Category: Risk Management

The benefits that can be realized from using third parties to support the delivery of products and services are always part of any good sales pitch by prospective vendors. Often these benefits include reductions in operational spend, scalability, improved delivery time, specialized capabilities, and the availability of proprietary tools or software, all of which equate to a competitive advantage for companies leveraging third-party relationships effectively.

Companies recognize and capitalize on these advantages: A study in 2017 of nearly 400 private and public companies reported that two-thirds of those companies have over 5,000 third-party relationships, according to a report released by the Audit Committee Leadership Network. This staggering statistic illustrates how deeply organizations have come to rely on third parties for everything from back-office activities (payroll, help desk, business continuity infrastructure, etc.) to customer-facing roles (call center, sales and distribution, marketing, etc.). But this heavy reliance also elevates third-party risk management from a “nice to have” capability to a business imperative.

While these relationships provide the opportunity for an organization to realize significant benefits, they also introduce a number of potential risks. Before deciding to outsource responsibilities, business leaders must have a broad understanding of their organization’s risk landscape and develop an approach to evaluate the risks introduced by using third parties. Shifting the focus from saving money to creating value is one way companies can start thinking differently about how they manage third parties.

How Do I Know What I Should Outsource?
The most essential step is knowing the value your organization brings to the market.

As an example: If your company is known for developing and distributing high-quality instruments, outsourcing your manufacturing operations is not the best place to start. Issues with that third-party relationship are likely to be customer-facing and impact your hard-earned reputation for precision and quality. Additionally, the skillsets and facilities required to manufacture your product may not be widely available, making your business effectively a hostage of your vendor.

In contrast, if you decide to outsource a function like payroll, even though poor performance might be an annoyance for employees, it is easily remedied by switching to one of the many alternatives available. There also is no direct customer impact in the short term, so your reputation remains intact.

The most successful outsourcing relationships allow companies to focus on the value they deliver to the market by outsourcing activities that require significant resources or specialized abilities but are outside an organization’s core competencies and not aligned with their long-term strategic vision.

How Should I Perform Due Diligence on Potential Third Parties?
Once you have identified which processes can be outsourced as well as their inherent risks, you can begin performing due diligence on potential vendors. The level of due diligence should be tailored to the significance of the relationship as well as the potential risks it poses. Document your requirements and ask prospective vendors to address each item directly, rather than allowing the vendor to give you their boilerplate sales pitch, as such pitches are typically designed to gloss over or avoid known weaknesses. Make sure you are comfortable with any capability or control gaps and have considered whether internal resources can shoulder the additional burden.

We Have Selected a Third Party to Engage – Now What?
Once you have determined the process to be outsourced, identified the inherent risks associated with that process, performed your due diligence, and selected a vendor, it is time to formalize the relationship with a contract – typically a Statement of Work (SOW) – that includes both adequate safeguards and defined performance targets.

Those charged with contract negotiation (typically Legal and/or Procurement) need to be acutely aware of the value you expect the third party to provide to structure an effective contract. To avoid potential conflicts of interest, purchasing managers should not be responsible for negotiating vendor contracts without oversight, as they are often incentivized by operational goals, and less likely to consider the broader enterprise risk landscape.

While most vendor contracts contain defined Service Level Agreements (SLAs) for operational metrics, like timeliness and accuracy, they often don’t include provisions like the mandatory disclosure of system/data breaches, timely communication of relevant audit observations, insurance requirements, periodic reporting on financial viability, etc., leaving organizations in a tough spot when issues stemming from a third-party relationship arise.

How Can I Make Sure My Outsourced Provider Is Meeting Expectations and Minimizing the Inherent Risk to My Organization?
The best way to illustrate this step is to borrow an old cliché: “Treat others how you wish to be treated.” That is, if you want your third parties to share your values and protect the interests of your organization the same way you would, it is important not only to formalize critical details of the relationship in the contract but also to help them understand the business context around the service they provide. The more you treat your third parties like partners rather than vendors, the more likely they are to perform in line with your organization’s values. Mix in a reasonable number of SLAs designed around the identified risks, with clearly assigned accountability for monitoring SLA performance, and you will be positioned to identify threats or emerging risks that could impact your organization before they damage your bottom line – or worse – end up as front-page news.

Editor’s note: For additional insights on the topic, download ISACA’s recent white paper on managing third-party risk.

Comments

RE: Third-Party Vendor Selection: If Done Right, It’s a Win-Win

Well said!!! Thanks for sharing this educative post.

I really agree with the facts that you have stated. However, as an addendum, I want to state that with service providers, besides the issue of ensuring adequate and agreeable SLAs and the others listed, it is equally pertinent to note:

1. That the Service provider or links in the chain must be reliable, trustworthy, and a reputable organization that is willing to disclose its practices and other security requirements to its business partners. This is because it is expected that each link in the chain is responsible and accountable to the next link.

2. That the service provider properly organizes, documents, manages, and audits its end products and other associated resources for sanity and an assurance that the delivered services/product is devoid of future negative issues that could impact its client's resources or other infrastructure negatively.

3. That the Client on its own part also ensures that there is a proper On-Site Assessment visit to the Service provider's site to review and investigate the means by which datasets and other documentation are exchanged.

4. That the client company also checks on the formal processes by which the service provider performs assessments and other necessary reviews. This is to ensure compliance with regulatory requirements and to avoid future fines and/or litigation.

Lastly, other important checks would be to review how the company's process/policy/procedures and other incidents are documented and stored for assurance of the CIA clause.

Thank you.
Idris841 at 9/16/2019 12:57 AM
