HOME

TheInfoList



OR:

Third-party management is the process whereby companies monitor and manage interactions with all external parties with which it has a relationship. This may include both contractual and non-contractual parties. Third-party management is conducted primarily for the purpose of assessing the ongoing behavior, performance and risk that each third-party relationship represents to a company. Areas of monitoring include supplier and vendor information management, corporate and social responsibility compliance, Supplier Risk Management, IT vendor risk, anti-bribery/anti-corruption (ABAC) compliance, information security (infosec) compliance,
performance measurement Performance measurement is the process of collecting, analyzing and/or reporting information regarding the performance of an individual, group, organization, system or component. Definitions of performance measurement tend to be predicated upon an ...
, and contract risk management. The importance of third-party management was elevated in 2013 when the US Office of the Comptroller of the Currency stipulated that all regulated banks must manage the risk of all their third parties.


Third parties

A 'third party', as defined in OCC 2013–29, is any entity that a company does business with. This may include suppliers,
vendor In a supply chain, a vendor, supplier, provider or a seller, is an enterprise that contributes goods or services. Generally, a supply chain vendor manufactures inventory/stock items and sells them to the next link in the chain. Today, these terms ...
s,
contract manufacturer A contract manufacturer (CM) is a manufacturer that contracts with a firm for components or products (in which case it is a turnkey supplier). It is a form of outsourcing. A contract manufacturer performing packaging operations is called copacker ...
s, business partners and affiliates, brokers, distributors,
reseller A reseller is a company or individual (merchant) that purchases goods or services with the intention of selling them rather than consuming or using them. This is usually done for profit (but can be done at a loss). One example can be found in the ...
s, and agents. Third parties can be both 'upstream' (suppliers and vendors) and 'downstream', (distributors and re-sellers) as well as non-contractual parties. Firms do not have to conduct critical activities to be considered a 'third party'; a cleaning services firm responsible for maintaining a company's office space is a third party as much as a primary supply-chain supplier. The role or size of the third party is not as important as the nature of the relationship, the criticality of its activities, the level of access it has to sensitive data or property, and a company's accountability for inappropriate actions of its third parties. A cleaning company with access to a CEO's filing cabinet represents a different but still significant risk relative to a supplier who provides a critical component to the production line. A non-critical service provider – such as an air-conditioning contractor – operating in a country with low corruption risk may erroneously be considered a low risk. However, if that contractor has poor cyber-security and is able to submit invoices to a customer electronically across the customer's firewall, this may represent a high cyber risk to the customer company.
Target Corporation Target Corporation ( doing business as Target and stylized in all lowercase since 2018) is an American big box department store chain headquartered in Minneapolis, Minnesota. It is the seventh largest retailer in the United States, and a com ...
's December 2013 data breach, in which approximately 70 million Target customers' credit and debit card information was stolen, highlights the cyber security risk posed by innocent third parties – even in low risk countries such as the US. Hackers exploited an HVAC contractor with poor cyber-security who conducted electronic payments with Target and thus had access to behind the
firewall Firewall may refer to: * Firewall (computing), a technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts * Firewall (construction), a barrier inside a building, designed to limit the spr ...
. Due to trends towards specialization and outsourcing, companies increasingly focused on core competencies are engaging greater numbers of third parties to perform key functions in their business
value chain A value chain is a progression of activities that a firm operating in a specific industry performs in order to deliver a valuable product (i.e., good and/or service) to the end customer. The concept comes through business management and was fir ...
; third-party activity is typically responsible for driving approximately 60% of total revenue. This trend is creating greater numbers of critical third-party relationships throughout the economy which – in the case of companies with tens of thousands and even hundreds of thousands of third-party relationships – can become cumbersome to monitor and manage manually.


Regulation

Due to regulatory requirements, third-party management is most prevalent in the financial sector. The use of third-party management systems is mandated by the Office of the Comptroller of the Currency for American national banks and federal savings associations. OCC bulletin 2013–29 explicates the third-party management requirements for financial institutions. The British Financial Conduct Authority (FCA) requires, under the SYSC 8.1 'Outsourcing Requirements', that critical functions conducted by third parties must be continuously monitored. The healthcare sector also has growing regulatory requirements that require third-party management. HIPAA, the
Health Insurance Portability and Accountability Act The Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy– Kassebaum Act) is a United States Act of Congress enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1 ...
, sets the standard for protecting private patient data. There are regulations around the saving and storing of PHI, Protected Health Information which can be even more valuable than credit card information. The HITECH Act, signed in 2009 requires increased privacy and security obligations and extends those obligations to business associates. While other industries are not required by law to have third-party management systems in place, most non-financial companies are bound by anti-bribery/anti-corruption (ABAC) and other regulations. Consequently, many of them manage their third parties and have adopted third-party-management solutions.


Third-party management solutions

Third-party management solutions are technologies and systems designed to automate the performance of one or more third-party management processes or functions. Such solutions are external-facing and designed to complement internal-facing governance, risk and compliance ( GRC) systems and processes. They run on both on-premises-installed and
SaaS Software as a service (SaaS ) is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted. SaaS is also known as "on-demand software" and Web-based/Web-hosted software. SaaS is con ...
-delivered enterprise platforms. Security ratings services (SRS), subscription services which "provide continuous, independent quantitative security analysis and scoring for organizational entities," are gaining popularity as well. The market for SRS becomes increasingly competitive as providers such as
BitSight BitSight is a cybersecurity ratings company that analyzes companies, government agencies, and educational institutions. It is based in Back Bay, Boston. Security ratings that are delivered by BitSight are used by banks and insurance companies amon ...
and Panorays offer companies to compile different risk factors to calculate a quantitative score for vendor comparison.


References

{{Reflist Risk management in business