Given the sheer number of third parties on which companies rely and with whom they collaborate, it’s important to evaluate and manage the related risks. Corporate boards can play an important role by ensuring management has established effective third-party risk management programs.
While the full board should understand management’s process for addressing this risk, it’s common to delegate regular oversight to a committee.
Boards with risk committees commonly task that group with oversight.
Many other boards allocate risk oversight responsibilities in general to the audit committee.
Regardless of the committee that has responsibility for oversight, the full board needs to understand how management is addressing this risk.
This might highlight the significant third parties that are integral to the company’s delivery of its business strategy. While the company will be responsible for establishing third-party diligence processes and monitoring risk, the board should understand what that entails. To do this effectively, the board needs to understand:
Boards can ask if internal audit should perform an annual review of the key controls associated with a third-party risk management program. Boards should also think about whether the company requested and/or received any additional assurance by external parties over controls and processes in place at the third parties.
The nature and depth of reporting from management to the board will look different from company to company. The goal is for boards to understand the third-party risk landscape for their companies and to get comfortable with the related programs and processes.
Using third parties is a natural part of business. Third parties provide companies with many benefits, but they also bring risks. The sheer number of third-party relationships companies often have makes it difficult to oversee the risks involved. That’s why having an efficient and effective third-party risk management program—including oversight from the board—is critical.