Third party assurance - protecting yourself from reputational damage
Third parties are increasingly prevalent in every aspect of business and day to day life. Is Internal Audit enabling businesses to protect their reputations and is there sufficient due diligence on third-party suppliers?
Third parties are increasingly prevalent in every aspect of business and day-to-day life. From ordering products via Amazon or eBay, where third-party platforms display and profile goods, often alongside third-party reviews, and then hand over to third-party delivery agents, to day-to-day business administration that depends on third-party cloud-hosted software and apps, the third party can exert strong influence over both brand and product. We are living in a world where the words of a single third party, such as a social media influencer, can have more impact on a share price than the development of a new product or the achievement of a successful quarter. Firms in the UK increasingly rely on third parties to support core activities across their extended enterprise, and in tough market conditions key third-party support can help businesses gain a competitive edge.
While the use of third parties can offer a range of benefits, increasingly complex supply chains bring additional risk, and the need to manage these relationships effectively has never been greater. The current focus on operational resilience, the prevalence of third-party providers in areas such as cloud, security and data management, and the generally connected business world have, not for the first time, highlighted third parties as a significant potential cause of operational disruption.
When things do not go according to plan, there has often been a third-party relationship at the heart of the issue. At times like these, the long-used mantra that "you outsource a process, you don't outsource responsibility" takes on a deeper significance. When incidents occur, be they regulatory breaches, data loss or operational incidents, the third party is often not named in the press, and the user organisation bears the brunt of customer and regulator scrutiny along with the brunt of any reputational damage. This clearly highlights the need to understand the risk associated with any third party, and to have a plan to manage, mitigate or, in some instances, accept that risk.
Despite this reliance on third-party relationships, a 2019 survey by Thomson Reuters found that participating global organisations conducted due diligence on just 62% of their third parties, suppliers and distributors. Additionally, 61% did not know the extent to which their third parties outsourced their work, and just 36% monitored the associated risks on an ongoing basis. While many organisations may not be taking the risks seriously, regulatory and legislative bodies are. In 2015, the PRA issued a fine of over £1 million to a firm that failed to adequately oversee its third-party arrangements. An increasingly complex regulatory landscape may lead to higher fines and more serious punitive measures in the future.
Third-party relationships are already monitored through legislation on Anti-Money Laundering, Anti-Bribery and Corruption, the Sarbanes-Oxley Act and the Financial Instruments and Exchange Act; the introduction of the EU General Data Protection Regulation (GDPR) and the Senior Managers and Certification Regime (SM&CR) brings additional governance and conduct requirements. To demonstrate this in real terms, a high-profile telecoms data breach (caused by a cyber-attack on a third party) resulted in a fine of £400,000 from the Information Commissioner's Office (ICO) in 2019. Under GDPR, however, the fine could have been much higher: up to 4% of annual worldwide turnover. Similarly, the Senior Managers Regime in the Financial Services sector allows some management activities to be outsourced, but regulatory responsibility for that activity remains with the relevant Senior Manager, who is personally accountable for it. Where the regulators judge that an issue could have been avoided had the Senior Manager taken reasonable steps, the consequences may include fines, remuneration clawback or even a prison term.
Internal audit functions have a key part to play in ensuring that the business understands its risk exposure from each of the third parties it is associated with. It is important that this third-party risk assessment is undertaken throughout the third-party lifecycle, from pre-selection due diligence through to the end of the agreement, as the user organisation is exposed to risk at every point. The challenge is the sheer breadth of third-party impact, the evolving nature of these relationships across the extended enterprise, and the subtle ways in which these organisations can affect the business.
Organisations should be able to demonstrate to their clients and regulators that they have an adequate framework in place to control and minimise risk from their third-party relationships. Failure to do so may result in regulatory censure, fines and loss of confidence amongst partners.
A recently introduced key requirement of effective third-party risk management is to support financial stability by minimising disruption to institutions, in areas including, but not restricted to:
- Business continuity – keeping the organisation running, or promptly returning to business as usual, in the event of a serious incident or event.
- Operational resilience – managing the critical services that, if disrupted, could cause serious financial harm to individuals or the wider economy.
While these are key issues in terms of financial stability, regulators often take a proportionate stance in applying them, with more stringent requirements for sub-outsourcing arrangements and for providers in a different regulatory jurisdiction. Outsourced functions that support critical services, referred to as material outsourcing, also face additional scrutiny. No outsourced relationship should be reviewed in isolation, however: it is important to monitor the cumulative effect of outsourcing, both to prevent undue risk and to stop the organisation becoming an empty shell.
It is important to consider the benefits of outsourcing within the context of each individual firm, its unique risk profile, and the type of activity being outsourced. Reviewing the proposed activity as part of a robust risk assessment will help to identify material functions, and to determine whether outsourcing would add undue risk or impair effective supervision. The aggregated impact of multiple outsourcing arrangements, and the current governance of them, should also be considered. A third party should undergo strict due diligence for evidence of capabilities, reputation, financial stability, group structure, ownership and regulatory supervision, amongst other factors. The supplier's approach to data protection should be reviewed with reference to the specific activity being outsourced, the type of data involved and the jurisdiction in which processing is to take place. The additional risk of any proposed sub-outsourcing arrangement should also be reviewed, for example the loss of influence and oversight across a longer supply chain. Given the criticality of the outsourced activity and the potential harm from a disrupted service, significant organisations in particular should review the overall sustainability of the proposed provider. Specifically, what would happen if the supplier came under stressed conditions and needed financial or operational support to maintain the outsourced activity?
Firms are free to outsource multiple functions, including those that are regulated or material, but they must ensure this does not leave an organisation that is essentially an empty shell. When managing outsourced relationships, organisations must retain their core as an organisation and be able to exert influence over their third parties in order to govern the relationship effectively.
Without adequate business oversight, including internal audit involvement across the whole extended enterprise, and without responsibility for outsourced activities being retained, the many commercial advantages of using third parties will be undermined. The associated reputational impact may be only the start of the problems this causes.
You can outsource a process, but you cannot outsource the impact on your business when things go wrong at your third-party provider.
Authors: Sandy Kumar FCCA is a Partner and Head of Business Risk Services for the Financial Services Sector at Grant Thornton UK LLP. Ravi Joshi is the Head of Technology Risk Services at Grant Thornton UK LLP.