Third party vendor risk management should be a main priority for companies that outsource all or some of their IT and business services to third party service providers in order to reduce costs, leverage external expertise, and focus on their craft. As they say, “the main thing should always be to keep the main thing, the main thing”.
As companies place their trust in others to serve them and ultimately their customers, they must have some assurance that the vendors providing support services are managing the risks properly and meeting compliance and regulatory expectations. From a governance standpoint, vendors should not be in a position to dictate a company’s policies although vendors can help shape the policies and standards with their exposure to industry best practices.
This article is about the risks that arise when engaging a vendor to support a business process or outsourcing some functions which must be managed.
Companies are ultimately liable for the protection of their client data and quality of services that they provide to their clients whether they outsource some or all of their services. Companies must also ensure compliance with regulatory and industry requirements such as privacy as part of their services. In the normal course of business operations, companies are pretty good at managing their risks by identifying, prioritizing and mitigating them. However, businesses might be a little less concerned with risks that they assign to their third part service providers when they outsource. Thus, companies must shift their thinking when it comes to third party vendor risk management in order to raise awareness the risks which if left unaddressed or unmanaged, can present a variety of negative consequences for companies. This is why service level agreements and data protection clauses are important to make sure vendor risks are managed properly.
Consequences of Poor Third Party Vendor Risk Management
Consequences of unaddressed third-party vendor risks include data breach incidents, lost clients and revenues, lawsuits, negative publicity, damaged company brand, penalties from noncompliance with government regulations, and jail time for executives. Customers are often unaware that their companies outsource their services to third parties but even if they are aware, they would care less as long as they remain confident that their companies take full responsibility for data protection and the quality of services.
When outsourcing, companies must maintain control over information security governance, document comprehensive contracts that list vendor responsibilities especially with respect to information security, data access, use or sharing, and perform independent audits to ensure compliance with privacy, information security, and contractual requirements.
Companies must ensure that their established policies and procedures are being followed through employee training and monitoring, but they must also ensure their vendors apply the same level of due care when it comes to managing risks. Information security officers can develop and execute a customized audit program for each selected vendor as part of their annual security plan to assess risks and provide constructive feedback to their executive management regarding vendor policies, procedures and operations.
Information Security Governance
Information security governance should not be confused with information security management. Governance, which must be an internal company function, determines who is authorized to make decisions, specifies the accountability framework, provides oversight to ensure that risks are adequately mitigated, and, ensures that security strategies are aligned with business objectives and consistent with regulations. Information security management, which can be wholly or partly outsourced, is concerned with making decisions, ensuring that controls are implemented to mitigate risks, and recommends security strategies.
National Institute of Standards and Technology or NIST describes information security governance as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls and provide assignment of responsibility to manage risks.
Since information must be treated as any other critical asset essential to the survival and success of the organization, information security governance which is a complex and critical function must be elevated to the highest organizational levels. According to Identity Management Institute, governance refers to an organization’s oversight and practices by a committee of the Board of Directors and/or Executive Management to assign a chief information security officer, provide strategic direction, approve the information security program, support the CISO to achieve its objectives, and require an annual report regarding the state of information security and compliance.
Vendor Compliance Risks and Beyond
When a company outsources some services to a vendor or multiple vendors, whether it’s for a particular business process, software development, or system management, the company also expects and relies on the vendor to manage the same risks that they would have to manage if they were performing the outsourced activities in-house. For example, vendors are expected to have proper hiring and staff management practices around their employees and contractors, which include full background checks, adequate human resources policies and procedures, and employee training. When internal controls don’t exist or are not functioning properly, then companies can be exposed to some unmanaged risks.
Depending on the nature of the outsourced business process, some services pose greater risks than others. For example, there is usually less risks with an automated service if the system has been properly tested and undergoes limited and less critical changes. On the other hand, if your company is a bank and you outsource loan application processing, you may be exposed to risks in the areas of privacy compliance, system integrity and loan decision accuracy, as well as system security, data backup and protection, disaster recovery and business continuity.
There are a few ways that companies can make sure that vendors are properly managing the risks. For example, some of the least expensive risk assurance options include Request For Information (RFI), Standard Information Gathering questionnaires and review of independent audit reports provided by vendors such as SSAE16, FISMA, and ISO audit reports. A more expensive option is to send auditors to examine a specific area in depth. Most companies use a combination of all these options to get comfortable with a vendor’s internal controls but many of these actions depend on how the outsourcing deal was negotiated and what the contracts allow for or prevent a company to do in the area of risk assurance.
Vendor Options for Managing Audit Costs
In order to manage audit costs and prevent all customers to audit as they wish which can lead to enormous time and resource allocation, service organizations should consider undergoing an independent audit and share the results with customers. Even if customers decide to audit vendors at their own expense, there are still many audit support costs that vendors will incur especially if they have thousands of customers. One of the acceptable and most common audit options in the US is the SSAE 16 audit which is also popular due to the increased regulatory oversight of the Sarbanes-Oxley act and customer requirement that their service organizations obtain and submit an independent audit report. Other benefits of an SSAE 16 audit report for vendors includes instant credibility with their customers and perception that the vendors are responsible, independent confirmation by a third-party of their internal controls, and cost savings as the annual audit report can be shared with all clients who ask for it. In addition, a credible independent audit report can satisfy multiple customer audit requests and reduce the number of customer audits.
SSAE 16 Audits
SSAE 16 stands for the Statement on Standards for Attestation Engagements, number 16, which is a recognized third-party assurance audit designed for service organizations. There are two types of SSAE 16 audits. Type one provides the limited assurance at a point of time whereas the SSAE 16 type two provides the highest level of assurance based on a period of time, which includes detailed testing. The scope of the SSAE 16 audits is either decided by the vendor or negotiated as part of the business contracts; however, the usefulness of the audit reports depends on the audits performed around the outsourced services. Some common areas covered in the SSAE 16 audits include employee and contractor management, privacy, identity and access management, information security system developments, data backup and IT operations. The final SSAE 16 audit report is very important to companies because it gives them an independent opinion regarding vendor’s internal controls.
Best Audit Options
Due to their inherent nature, RFIs are less reliable because vendors attest to their own internal controls and there is no independent verification of the assertions. On the other hand, independent audits are more reliable, but they can be expensive. So in order to be cost effective in the vendor assurance process, the high-risk vendors can be identified and audited based on a predetermined audit type and frequency. Companies must determine what constitutes a high-risk vendor and decide what type of audit they will need to perform and how often so they can include audit provisions in the contract.
Often the companies are required to pay for the audits that they choose to perform and other times vendors cover the audit costs when they complete questionnaires, submit documents for review, and obtain an SSAE16 audit report. Independent audits by third parties can be very expensive, however sometimes vendors cover the costs to satisfy either contractual agreements made with their clients, appear being a good business to attract new customers or retain the existing ones, and reduce the overall audit costs.
Final Thoughts on Third Party Vendor Risk management
For third party vendor risk management, companies must first identify the high-risk vendors, depending on the type of services that they outsource and the data that they share with them. Next, they must decide the type and frequency of assurance methods such as standard information gathering questionnaire, document review, reliance on the SSAE 16 audit report, or, a combination of these methods. However, SSAE6 audit reports are not always available and do not include the critical processes in the audit scope to satisfy customers. One thing to keep in mind is that audit requirements once identified must be coordinated between the legal, vendor management, business, and audit teams for a couple of reasons. First, we want to make sure that there’s an audit clause included in the contract which allows the company to actually audit the vendor as necessary at the company’s discretion, and, allow the security team to schedule resources if they have to audit a particular vendor. And lastly, companies should review the results of the audits and follow up with this service organization to make sure that they remediate the potential findings within the agreed upon time frame.