Can you name the material suppliers of your most critical outsourced vendors?
If you cannot, then after reading this post it may be a good time to start.
Layered vendor risk management has always been a focus, but fourth parties have often been left out of it, and they are certainly not easy to identify. Whatever your vendor management program does not have line of sight into presents the greatest risk.

Transparency has always been absolutely essential
Vendor transparency has been a goal of the regulatory bodies, more formally so over the last several years. The OCC identified concentration risk as a requirement in early 2017, which included the identification of third- and fourth-party operating locations. Another example of the move toward greater vendor transparency was the change from the SSAE 16 to the SSAE 18 format, more commonly referred to as a SOC 1 control audit, in May 2017. This was in part to expand these audit formats to include the identification of material subcontracting fourth-party providers. At least in theory.
Combing through SOC 1 reports, which often define material subcontractors only generically, and pressing vendor account representatives for details that are not easily forthcoming is labor-intensive. But it is a necessity in order to determine who is supporting your organization and from where. This is the risk that must be evaluated as a sub-context of your primary relationship with the contracted vendor.
If you’re a regulated financial institution, you have a need to know, and a right to request detail that would allow an appropriate assessment of the risks posed by the overall relationship.
Fourth-party vendor oversight is now the expectation
Knowing that a fourth-party relationship exists, and obtaining, reviewing, and tracking that information, represents a second level of sophistication and commitment in a vendor management program. This is becoming the expectation of the industry and its regulators. In order to meet these expectations, one must consider the following:
- Identifying and categorizing fourth-party/subcontracting vendors for all critical or material vendors
- Identifying and mapping the fourth-party subcontractors by global location
- Requesting and inventorying your vendor's own third-party risk management business practices
- Requesting, receiving, and reviewing due diligence on fourth parties from your contracted vendor
- Factoring the utilization and complexity of these arrangements into the overall risk categorization of the contracted vendor relationship
- Ongoing monitoring of the fourth parties as a component of the ongoing risk program
Solutions
To help you build these foundational elements for successful compliance, companies are turning to state-of-the-art software solutions to cost-effectively mitigate these potential risks.
Vendor Risk Management
A vendor risk management software solution like Mitratech TPRM (Prevalent) helps your company gain visibility into risk factors within your vendor network or supply chain, allowing you to mitigate problems before they occur and cause damage to your operations or enterprise.
Enterprise Risk Management
To gain true visibility into the risks threatening your organization, a next-generation solution for managing enterprise risk, like EnterpriseInsight, aggregates the risks from across your organization with unprecedented ease and insight.
Compliance and Obligations Management
A compliance and obligations management solution, such as Mitratech's OCM offering, uses a simple, intuitive interface to allow employees and auditors to be proactive in managing incidents and audits, including Volcker Rule obligations, controls, investigations and non-compliance reports. Easily report incidents, understand your obligations and continuously improve your compliance performance.