Oversight of third-party risk

Board risk oversight

Audit Committee Leadership Network, November 2017

Companies, as well as their boards, are increasingly attuned to the risk presented by their suppliers, distributors, and other vendors because of the proliferation of third-party arrangements and the complexity of cybersecurity. Regulation, intended to curtail risks to the public, has also brought pressure to bear. Some companies, especially those in regulated industries such as financial services, have created centralized third-party risk management programs, and even those without specialized programs are dedicating time and attention to ensure their third-party practices are consistent across the globe.

On October 31, 2017, members of the Audit Committee Leadership Network (ACLN) met in New York to discuss the current state of third-party risk management with two guests: Jim Connell, managing director and head of corporate third-party oversight at JPMorgan Chase, and Darlene Nicosia, vice president of commercial products supply at the Coca-Cola Company. This ViewPoints includes background information and synthesizes the perspectives that members shared before and during the meeting on the following topics.  

  • The third-party risk landscape continues to evolve
    The number of third parties with whom companies engage continues to grow. Many companies are using more traditional vendors, such as suppliers and distributors, within their supply chain, while also utilizing new types of partnerships. Companies derive many benefits from these relationships, but reliance on outside parties comes with increased risk. ACLN members and guests noted that associated risks present real threats to business continuity, whether through cyber breaches or reputational damage. 

  • Companies use a variety of methods to manage third-party risk
    While there is no standard approach to structuring a third-party risk management program, members and guests shared a variety of practices for ensuring coordinated, successful oversight of these risks. Members discussed the centralized approach that some large banks are starting to use and whether that model would make sense in other sectors. In addition, members addressed practical techniques for onboarding new third parties and inspecting third-party practices for ongoing compliance.

  • Boards heighten the attention given to third-party risk
    Boards rely on a number of different frameworks and metrics to oversee third-party risk. In some cases, the issue is a regular item on the audit committee agenda; in others, it is delegated to another committee or is handled by the full board. In all cases, directors must understand the nature of the company’s third-party relationships and how the company is managing these risks.