How your board can oversee third-party risk

Third parties are critical to business today. But they can also bring big risks.

Given the sheer number of third parties on which companies rely and with whom they collaborate it’s important to evaluate and manage the related risks. Corporate boards can play an important role by ensuring management has established effective third-party risk management programs.

What role should the board play?

Determine which board committee will cover third-party risk

While the full board should understand management’s process for addressing this risk, it’s common to delegate regular oversight to a committee. 

  • Boards with risk committees commonly task that group with oversight

  • Many other boards allocate risk oversight responsibilities in general to the audit committee

  • Regardless of the committee that has responsibility for oversight, the full board needs to understand how management is addressing this risk

Understand how the company leverages third parties

This might highlight the significant third parties that are integral to the company’s delivery of their business strategy. While the company will be responsible for establishing third-party diligence processes and monitoring risk, the board should understand what that entails. To do this effectively, the board needs to understand:

  • The risk landscape and get comfortable with the program and the processes
  • The challenges involved in managing third-party relationships
  • What an effective third-party risk management program might include

Consider the impact of third parties as it relates to enterprise risks

Boards can ask if internal audit should perform an annual review of the key controls associated with a third-party risk management program. Boards should also think about whether the company requested and/or received any additional assurance by external parties over controls and processes in place at the third parties.

 

Seek periodic updates from those in charge

The nature and depth of reporting from management to the board will look different from company to company. The goal is for boards to understand the third-party risk landscape for their companies and to get comfortable with the related programs and processes.

How boards can stay ahead of the curve

Using third parties is a natural part of business. Third parties provide companies with many benefits, but they also bring risks. The sheer number of third-party relationships companies often have makes it difficult to oversee the risks involved. That’s why having an efficient and effective third-party risk management program—including oversight from the board—is critical.

Contact us

Ray  Garcia

Ray Garcia

Leader, Governance Insights Center, PwC US

Carolyn Holcomb

Carolyn Holcomb

Privacy Assurance Leader, Sustainability Partner, PwC US

T.R. Kane

T.R. Kane

Principal, Cyber, Risk & Regulatory, PwC US

Dennis Quandt

Dennis Quandt

Director, PwC US

Brian Schwartz

Brian Schwartz

Partner, Cyber, Risk and Regulatory, PwC US

Dean Spitzer

Dean Spitzer

Principal, PwC US

Catie Hall

Catie Hall

Director, Governance Insights Center, PwC US

Follow us

Required fields are marked with an asterisk(*)

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.

Hide