OCEG Integrated Third Party Management Visual Overview
Created with industry association OCEG, this infographic was designed to help you understand how your suppliers, distributors, sub-contractors, agents and other third parties affect your business success in today’s economy. Third party management is too complex to implement without an integrated strategy that includes people, process and technology. See how to protect and grow value across your entire third party landscape with real-time information about external and internal events that may change risk profiles and impact performance.
- Core Components
- Keys to Success
- Common Mistakes
Compliance Week: Let’s start with basics. How do you define and identify third parties?
Opus: Third parties are any entities that are not company employees, including suppliers, vendors, sub-contractors, contract manufacturers, resellers, distributors, partners, captives, and affiliates. They represent an increasingly large portion of revenues; statistics from our customers would suggest +/- 60 percent. The challenge, for most organizations, is that they do not know with certainty who their third parties are. For companies with a lot of third parties, initial identification can seem overwhelming. Our recommendation is to approach this in three ways:
- utilize your list of “high risk” third parties;
- integrate with other sources—such as accounts payable where third-party payment details may be stored; and
- given that third parties change at between 15 percent and 20 percent per year, implement a way to capture third-party details up front.
Many individuals need to interact with third parties in some manner—IT, finance, HR, legal, compliance, accounts payable, procurement, etc. For the majority, the management of third parties is not their day job. The challenge is determining how you assist them to complete their third-party management tasks, ensure that they’re doing so in compliance with your policies and procedures, and take appropriate steps to escalate matters when necessary. One of the big advantages of technology is that it automates this process and enforces your corporate policies and procedures in a way that’s consistent and objective across the organization, while aligning the correct persons within your organization with individuals at the third party.
Compliance Week: Do you recommend particular policies and procedures for oversight of third parties based on their risk ranking?
Opus: Policies and procedures are essential. Specifically, understanding what your policies and procedures are and knowing when they apply. Not only does every third party not require the same level of controls, organizations also need to understand what business they’re doing with a particular third party, considering the specific contracts, engagements, statements of work, consulting engagements, etc., and implement controls at that level. The challenge for companies is that they are dealing with so many third parties and the requirements for initial and ongoing due diligence are unique for each. Again, depending on the number of third parties, this is impossible to manage manually, which leads to companies not completing appropriate due diligence or never updating it. The beauty of technology and automation is the ability to apply appropriate controls based on specific circumstances.
Compliance Week: How do you control what your third parties do in terms of their own agents and suppliers?
Opus: In certain industries, such as banking, the management of sub-contractors is required by regulators, but everyone needs to understand whether goods and services will be delivered directly by the third party or by a sub-contractor to appropriately manage risk. For example, one of our customers found that a number of their third parties were actually all using the same sub-contractor, creating consolidation risk, so they increased the risk ranking of these third parties, put additional controls in place, and identified additional sources.