The best practice for companies to deploy in handling third-party risks is to segment risk management into different areas, experts say. The CRO or risk-management team should be responsible for mitigating loss exposures with third parties, while an internal auditor should determine what the risks are. Keeping the internal auditor separate from owning risk allows for more transparency and less collusion.
“In an ideal world, there’s a chief risk officer,” explains Mike Jacka, a former internal auditor for Farmers Insurance Group and currently co-founder of auditing-consulting firm Flying Pig Audit. Because internal auditing is about assessing and working with people to mitigate risk, it would be a conflict of interest if they also were the owners of third-party risk. Internal auditors need to be independent and objective. “We can’t own that piece of it or we’d have to review our own work,” Jacka says, adding that it’s an internal auditor’s role to ensure there is a “robust” risk-management process in place.
Generally, the role of the internal auditor is to recognize the risk and ensure the owner of the risk is handling it, Cicchella says. “Auditors shouldn’t own risk. They should see how it’s managed,” she says.
Shelley Hurley, a former CRO who is now executive director of risk management and global resources lead at the consulting firm Accenture, says her role as CRO was to identify, mitigate and own risk, working closely with the internal audit group. The internal auditor was part of the corporate risk committee, a group that also included the chief accounting officer, the tax group and the credit-risk-management group.
To illustrate the desirability of such segmentation, she pointed to the typical splitting of companies into three parts: front office, mid-office and back office. Those pieces are purposely segmented so that there is no possibility for collusion, Hurley says. When companies get in trouble, it’s because they don’t honor the separation among the different parts of the office. Hurley views risk and compliance in the same way: it’s a matter of balancing powers and having a system of checks and balances that ensures internal auditors measure risk, not own it. “If you own risk, it’s hard to audit and evaluate,” she says.
According to the survey, 32 percent of all respondents said the business unit or functional leadership own risk. Zero percent of respondents said internal auditors owned risk.
In addition, boards and CFOs are looking to add more value to the internal-audit function, Warren says. Because of this, the C-suite is providing process improvements and expectations for internal auditors to accomplish the goal of identifying third-party risk. Indeed, CFOs tend to own internal and external risks including financial and supply-chain technology perils and are “uniquely qualified to shepherd the [third-party risk-management] process,” Warren says.
A CFO, however, should rely on internal auditors to help analyze third-party risk because they “have the skills and capabilities to make significant improvements to an organization’s performance,” he adds.