With companies outsourcing more responsibilities to third parties, the risks associated with outside firms are also increasing. While chief risk officers are often called upon to manage those risks, it is internal auditors who are responsible for setting up processes to identify third-party risk factors.
While CROs and internal auditors work together, it’s tricky to tease out who actually owns the risk — that is, who has primary responsibility for managing it. “Ownership of risk should be diverse,” says Rick Warren, a principal with Crowe Horwath and co-author, along with the Institute of Internal Auditors, of “Closing the Gaps in Third-Party Risk Management,” a study which surveyed 164 chief-audit executives about their role in third-party risk management. In fact, 78 percent of respondents had a high level of concern for monitoring third-party risk-management practices. Others think, however, that the least risky approach is for CROs to be in the driver’s seat, with internal auditors pursuing an arm’s length, objective approach to analyzing the risk.
In the past couple of decades, risk management has evolved, especially as the global economy continues to grow. Outsourcing was not as prevalent in the past as it is today. “Even 15 years ago, you might have a supplier, but they may not outsource. Now, we have these tiers,” Warren says. For example, Company A outsources to Company B, which outsources to Company C, and so on. In fact, 65 percent of internal-audit executives who responded to the survey said their reliance on third parties is “significant” or “extensive.”
For the most part, organizations are evolving, explains Denise Cicchella, executive director and founder of construction-auditing consultancy Auspicium. Most companies have processes in place, she adds, including a more thorough vetting process of third parties.
A good vetting process includes looking at a potential third party’s work history, checking professional qualifications and highlighting credit risks. Companies should also enter into insurance contracts under which insurers have the right to subrogation, which enables a company’s insurance carrier to go after third parties that have created losses for the company.
Overall, most companies also need to find out what approach to managing third-party risk works best. According to the survey, 82 percent of respondents said they devote less than 20 percent of their internal audit resources to assessing third-party risks (see Exhibit 6.1), including 11 percent who don’t devote any resources at all. And yet, 78 percent of respondents said they had “some concern” or “high concern” about difficulties monitoring third-party risk-management practices.