Can you name the material suppliers of your most critical outsourced vendors?
If you cannot, maybe after reading this post, it might be a good time to start.
Layered vendor risk management has always been a focus, but fourth parties have often been left out of it, and they have rarely been easy to identify. What you have no line of sight on in your vendor management program presents the greatest risk.
Transparency has always been absolutely essential
Vendor transparency has been a more formal goal of the regulatory bodies over the last several years. The OCC identified concentration risk as a requirement in early 2017, which included the identification of third- and fourth-party operating locations. Another example of the move to greater vendor transparency was the change in May 2017 from the SSAE 16 to the SSAE 18 format, more commonly referred to as a SOC 1 control audit. This change was made in part to expand these audit formats to include the identification of material subcontracting fourth-party providers. At least in theory.
Combing through SOC 1 reports, which often define material subcontractors only generically, and pressing vendor account representatives for details that are not readily forthcoming is labor-intensive. But it is a necessity if you are to determine who is supporting your organization and from where. This is the risk that must be evaluated as a sub-context of your primary relationship with the contracted vendor.
If you’re a regulated financial institution, you have a need to know, and a right to request detail that would allow an appropriate assessment of the risks posed by the overall relationship.
Fourth-party vendor oversight is now the expectation
Knowing that a fourth-party relationship exists, and then obtaining, reviewing, and tracking that information, is a second level of sophistication and commitment in a vendor management program. It is becoming the expectation of the industry and its regulators. In order to meet these expectations, one must consider the following:
- Identifying and being able to categorize fourth-party/subcontracting vendors for all critical/material vendors
- Identifying and mapping the fourth-party/subcontractors by global location
- Requesting and inventorying your vendor’s Third-Party Risk Management business practices
- Requesting, receiving, and reviewing due diligence on fourth parties from your contracted vendor
- Factoring the utilization and complexity of these arrangements into the overall risk categorization of the contracted vendor relationship
- On-going monitoring of the fourth-parties as a component of the on-going risk program
To build these foundational elements of a compliant program, companies are turning to state-of-the-art software solutions that mitigate these risks cost-effectively.
Compliance & Obligations Management
A compliance and obligations management solution, like Mitratech’s CMO offering, uses a simple, intuitive interface to let employees and auditors be proactive in incident and audit management, including Volcker Rule obligations, controls, investigations, and non-conformance reporting. Easily report incidents, understand your obligations, and continuously improve your compliance performance.