Third-party management

Third-party management is the process whereby companies monitor and manage interactions with all external parties with which they have a relationship. This may include both contractual and non-contractual parties. Third-party management is conducted primarily for the purpose of assessing the ongoing behavior, performance and risk that each third-party relationship represents to a company. Areas of monitoring include supplier and vendor information management, corporate and social responsibility compliance, supplier risk management, IT vendor risk, anti-bribery/anti-corruption (ABAC) compliance, information security (infosec) compliance, performance measurement, and contract risk management. [1] The importance of third-party management was elevated in 2013 when the US Office of the Comptroller of the Currency stipulated that all regulated banks must manage the risk of all their third parties. [2]

Third parties

A 'third party', as defined in OCC 2013–29, is any entity that a company does business with. [2] This may include suppliers, vendors, contract manufacturers, business partners and affiliates, brokers, distributors, resellers, and agents. [2] Third parties can be both 'upstream' (suppliers and vendors) and 'downstream' (distributors and re-sellers), as well as non-contractual parties. [2]

Firms do not have to conduct critical activities to be considered a 'third party'; a cleaning services firm responsible for maintaining a company's office space is a third party as much as a primary supply-chain supplier. The role or size of the third party is not as important as the nature of the relationship, the criticality of its activities, the level of access it has to sensitive data or property, and a company's accountability for inappropriate actions of its third parties. A cleaning company with access to a CEO's filing cabinet represents a different but still significant risk relative to a supplier who provides a critical component to the production line.

A non-critical service provider – such as an air-conditioning contractor – operating in a country with low corruption risk may erroneously be considered a low risk. However, if that contractor has poor cyber-security and is able to submit invoices to a customer electronically across the customer's firewall, this may represent a high cyber risk to the customer company. Target Corporation's December 2013 data breach, in which approximately 70 million Target customers' credit and debit card information was stolen, highlights the cyber security risk posed by innocent third parties – even in low-risk countries such as the US. Hackers exploited an HVAC contractor with poor cyber-security who conducted electronic payments with Target and thus had access behind the firewall. [3]

Due to trends towards specialization and outsourcing, companies increasingly focused on core competencies are engaging greater numbers of third parties to perform key functions in their business value chain; [4] third-party activity is typically responsible for driving approximately 60% of total revenue. [5] This trend is creating greater numbers of critical third-party relationships throughout the economy which – in the case of companies with tens of thousands and even hundreds of thousands of third-party relationships – can become cumbersome to monitor and manage manually.

Regulation

Due to regulatory requirements, third-party management is most prevalent in the financial sector. The use of third-party management systems is mandated by the Office of the Comptroller of the Currency for American national banks and federal savings associations. [2] OCC bulletin 2013–29 explicates the third-party management requirements for financial institutions. The British Financial Conduct Authority (FCA) requires, under the SYSC 8.1 'Outsourcing Requirements', that critical functions conducted by third parties must be continuously monitored. [6]

The healthcare sector also has growing regulatory requirements that call for third-party management. The Health Insurance Portability and Accountability Act (HIPAA) [7] sets the standard for protecting private patient data. There are regulations around the saving [8] and storing [9] of protected health information (PHI), which can be even more valuable than credit card information. [10] The HITECH Act, [11] signed in 2009, increases privacy and security obligations and extends those obligations to business associates.

While other industries are not required by law to have third-party management systems in place, most non-financial companies are bound by anti-bribery/anti-corruption (ABAC) and other regulations. [1] Consequently, many of them manage their third parties and have adopted third-party-management solutions. [12]

Third-party management solutions

Third-party management solutions are technologies and systems designed to automate the performance of one or more third-party management processes or functions. Such solutions are external-facing and designed to complement internal-facing governance, risk and compliance (GRC) systems and processes. They run on both on-premises-installed and SaaS-delivered enterprise platforms. [13]

Security ratings services (SRS), subscription services which "provide continuous, independent quantitative security analysis and scoring for organizational entities," are gaining popularity as well. [14] The market for SRS is becoming increasingly competitive as providers such as BitSight and Panorays let companies combine different risk factors into a quantitative score for vendor comparison.
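The two ideas above – that a third party's risk follows from its access and criticality rather than its role or size (the cleaning contractor and the HVAC vendor), and that a rating service combines several risk factors into one comparable score – can be shown in a small tiering model. The following is an added example written for this page; it is not code from the article or from any rating provider, and its weights, thresholds, vendor records and review cadences are all constructed for illustration. The one design point it demonstrates is a gating rule: any electronic path behind the customer's firewall lifts a vendor to at least the "high" tier, however non-critical its service, which is exactly the case the Target HVAC contractor illustrates.

```python
"""Third-party inherent-risk tiering (added example; constructed data and weights)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThirdParty:
    """One external relationship, rated on the factors the article names."""
    name: str
    criticality: int          # 0 = non-critical service .. 3 = production-critical
    data_access: int          # 0 = none .. 3 = regulated data (PHI, cardholder data)
    network_access: bool      # has an electronic path behind the customer's firewall
    country_corruption: int   # 0 = low .. 3 = high, e.g. from a published corruption index


# Constructed weights: data access and criticality dominate, country risk is secondary.
WEIGHTS = {"criticality": 3, "data_access": 4, "country_corruption": 2}
NETWORK_ACCESS_POINTS = 6          # a network path is its own risk driver

# Constructed review cadence per tier, in months; a real programme sets its own.
REVIEW_MONTHS = {"critical": 3, "high": 6, "medium": 12, "low": 24}


def inherent_score(tp: ThirdParty) -> int:
    """Weighted sum of the inherent-risk factors before any controls are considered."""
    score = (WEIGHTS["criticality"] * tp.criticality
             + WEIGHTS["data_access"] * tp.data_access
             + WEIGHTS["country_corruption"] * tp.country_corruption)
    if tp.network_access:
        score += NETWORK_ACCESS_POINTS
    return score


def tier(tp: ThirdParty) -> str:
    """Map the score to a tier; network access gates the result to at least 'high'."""
    s = inherent_score(tp)
    if tp.network_access:
        return "critical" if s >= 18 else "high"
    if s >= 18:
        return "critical"
    if s >= 10:
        return "high"
    if s >= 5:
        return "medium"
    return "low"


def assess(parties):
    """Return {name: (tier, months between reviews)} for a vendor population."""
    result = {}
    for p in parties:
        t = tier(p)
        result[p.name] = (t, REVIEW_MONTHS[t])
    return result


# Constructed vendor records mirroring the article's illustrations.
SAMPLE_PARTIES = [
    # Same non-critical service, low-corruption country; only the invoicing path differs.
    ThirdParty("hvac-contractor-e-invoicing", 0, 0, True, 0),
    ThirdParty("hvac-contractor-paper-invoicing", 0, 0, False, 0),
    # Cleaning firm with physical access to executive files but no network path.
    ThirdParty("office-cleaning", 0, 2, False, 0),
    # Supplier of a production-critical component, modest data access, medium-risk country.
    ThirdParty("component-supplier", 3, 1, False, 1),
    # Critical, handles cardholder data, connected, operating in a higher-risk country.
    ThirdParty("offshore-payment-processor", 3, 3, True, 2),
]


if __name__ == "__main__":
    for name, (t, months) in assess(SAMPLE_PARTIES).items():
        print(f"{name:32} {t:9} review every {months:2} months")
```

Running it shows the point of the gating rule: the two HVAC contractors have identical criticality, data access and country risk, yet the one that can submit invoices across the firewall lands in the "high" tier while its paper-invoicing twin is "low". The cleaning firm with access to sensitive files scores "medium" without any network path, which matches the article's "different but still significant" framing.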

References

  1. "International law and tax experts - CMS international law firm". cms.law. Retrieved 15 September 2019.
  2. "OCC: Third-Party Relationships: Risk Management Guidance". occ.gov.
  3. Gregory Wallace (6 February 2014). "HVAC vendor eyed as entry point for Target breach". CNNMoney.
  4. "Outsourcing: on the increase as firms hone core competencies". Osney Buy-Side.
  5. "Use Cases for Third Party Management". Hiperos 3 pm White Paper.
  6. "Combined View". fshandbook.info.
  7. "Health Information Privacy". HHS.gov. 26 August 2015. Retrieved 15 September 2019.
  8. Office for Civil Rights (OCR) (10 September 2009). "The Security Rule". HHS.gov. Retrieved 15 September 2019.
  9. "HIPAA.com". HIPAA.com. Retrieved 15 September 2019.
  10. "Medical records 10x more valuable to hackers than credit card information". www.beckershospitalreview.com. Retrieved 15 September 2019.
  11. Office for Civil Rights (OCR) (28 October 2009). "HITECH Act Enforcement Interim Final Rule". HHS.gov. Retrieved 15 September 2019.
  12. "Managing third-party risk in a changing regulatory environment". McKinsey & Company (Working Papers on Risk, Number 46).
  13. "The Difference Between Enterprise Software and Software-as-a-Service". effectivedatabase.com.
  14. "Hype Cycle for Risk Management Solutions, 2016". Gartner. Retrieved 15 September 2019.