Oversight of third-party risk

Third-party relationships can be a substantial source of enterprise risk. The proliferation of third-party partners, regulatory pressure, and the complexity of cyber-related risks has led companies to dedicate more time and attention to the potential risks presented by their suppliers, distributors, vendors, and other partners. In some companies, including those in highly regulated industries like financial services, this has led to the creation of a centralized model for overseeing third-party risk.

On July 11, 2018, members of the European Audit Committee Leadership Network met in Frankfurt to discuss key third-party risks their companies face and strategies to mitigate these risks with two guests: Achim Laube, regional head of non-financial risk management–risk type control, for Germany and Europe, the Middle East, and Africa, at Deutsche Bank, and Netta Nyholm, partner and advisory risk services leader for Germany, Switzerland, and Austria at EY.

This ViewPoints includes background information and synthesizes the perspectives that members shared before and during the meeting on the following topics:

The current third-party environment
Third-party relationships enable companies to be flexible and competitive in a global business environment. Large, publicly listed companies now rely on a wide range of different third parties to help with various aspects of their businesses. These relationships often allow companies to delegate important tasks so that they can focus on their core competencies. While these relationships include traditional suppliers and distributers, many companies are also entering into new types of partnerships, ventures, or similar relationships with smaller start-ups.
The major risks associated with third-party relationships
With the benefits gained from third parties comes related risks that pose significant threats to a business, such as cyber breaches, business continuity challenges, or reputational damage. Moreover, as the regulatory landscape evolves, companies must ensure that third parties comply with legal requirements, which can be especially challenging when dealing with smaller third parties in certain risky situations.
How companies manage third-party risk
Third-party risk management varies depending on the sector of the business and the scale of third-party relationships. For highly regulated industries like financial services or pharmaceuticals, these functions are often centralized, with specialized executive leadership overseeing risk for the whole enterprise. Other organizations tend to have more decentralized or hybrid functions, with business units locally owning the risk or groups like compliance, procurement, or legal overseeing the risk. Regardless of the formal risk management model, it is critical for companies to grasp the scale of their third-party relationships and adopt uniform practices and processes for dealing with third parties.
The board’s role in overseeing third-party risk
Boards, specifically audit committee chairs, understand that today’s global business environment requires relationships with an increasingly diverse group of third parties. EACLN members recognized that while many boards are in the early stages of overseeing third-party risk management, the issue is likely to require heightened attention in the future. Audit chairs were therefore interested in how best to advise management on these risks to ensure thorough oversight of third-party relationships from the outset.