With companies outsourcing more responsibilities to third parties, the risks associated with outside firms are also increasing. While chief risk officers are often called upon to manage those risks, however, it is internal auditors who are responsible for setting up processes to identify third-party risk factors.
While CROs and internal auditors work together, it’s tricky to tease out who actually owns the risk — that is, who has primary responsibility for managing it. “Ownership of risk should be diverse,” says Rick Warren, a principal with Crowe Horwath and co-author, along with the Institute of Internal Auditors, of “Closing the Gaps in Third-Party Risk Management,” a study which surveyed 164 chief-audit executives about their role in third-party risk management. In fact, 78 percent of respondents had a high level of concern for monitoring third-party risk-management practices. Others think, however, that the least risky approach is for CROs to be in the driver’s seat, with internal auditors pursuing an arm’s length, objective approach to analyzing the risk.
In the past couple of decades, risk management has evolved, especially as the global economy continues to grow. The extent of outsourcing was not as prevalent as it is today. “Even 15 years ago, you might have a supplier, but they may not outsource. Now, we have these tiers,” Warren says. For example, company A outsources to Company B who outsources to Company C, and so on. In fact, 65 percent of internal-audit executives who responded to the survey said their reliance on third parties is “significant” or “extensive.”
For the most part, organizations are evolving, explains Denise Cicchella, executive director and founder of construction-auditing consultancy Auspicium. Most companies have processes in place, she adds, including a more thorough vetting process of third parties.
A good vetting process includes looking at a potential third parties’ work history, checking professional qualifications and highlighting credit risks. Companies should also enter into insurance contracts under which insurers have the right to subrogation, which enables a company’s insurance carrier to go after third parties that have created losses for the company.
Overall, most companies also need to find out what approach to managing third-party risk works best. According the survey, 82 percent of respondents said they devote less than 20 percent of their internal audit resources to assessing third-party risks (see Exhibit 6.1), including 11 percent who don’t devote any resources at all. And yet, 78 percent of respondents said they had “some concern” or “high concern” about difficulties monitoring third-party risk-management practices.
The best practice for companies to deploy in handling third-party risks is to segment risk management into different areas, experts say. The CRO or risk-management team should be responsible for mitigating loss exposures with third parties, while an internal auditor should determine what the risks are. Keeping the internal auditor separate from owning risk allows for more transparency and less collusion.
“In an ideal world, there’s a chief risk officer,” explains Mike Jacka, a former internal auditor for Farmers Insurance Group and currently co-founder of auditing-consulting firm Flying Pig Audit. Because internal auditing is about assessing and working with people to mitigate risk, it would be a conflict of interest if they also were the owners of third-party risk. Internal auditors need to be independent and objective. “We can’t own that piece of it or we’d have to review our own work,” Jacka says, adding that it’s an internal auditor’s role to ensure there is a “robust” risk-management process in place.
Generally, the role of the internal auditor is to recognize the risk and ensure the owner of the risk is handling it, Cicchella says. “Auditors shouldn’t own risk. They should see how it’s managed,” she says.
As a former CRO, Shelley Hurley, who is now executive director of risk management and global resources lead at Accenture, the consulting firm, says her previous role as CRO was to identify, mitigate and own risk, working closely with the internal audit group. The internal auditor would be part of the corporate risk committee, a group that included the chief accounting officer, the tax group and the credit-risk-management group.
To illustrate the desirability of such segmentation, she pointed to the typical splitting of companies into three parts: front office, mid-office and back office. Those pieces are purposely segmented so that there is no possibility for collusion, Hurley says. When companies get in trouble, it’s because they don’t honor the separation among the different parts of the office. Hurley views risk and compliance in the same way. It’s balancing powers and having a system of checks and balances that assures that internal auditors measure risk not own it. “If you own risk, it’s hard to audit and evaluate,” she says.
According to the survey, 32 percent of all respondents said the business unit or functional leadership own risk. Zero percent of respondents said internal auditors owned risk.
In addition, boards and CFOs are looking to add more value to the internal-audit function, Warren says. Because of this, the C-suite is providing process improvements and expectations for internal auditors to accomplish the goal of identifying third-party risk. Indeed, CFOs tend to own internal and external risks including financial and supply-chain technology perils and are “uniquely qualified to shepherd the [third-party risk-management] process,” Warren says.
A CFO, however, should rely on internal auditors to help analyze third-party risk because they “have the skills and capabilities to make significant improvements to an organization’s performance,” he adds.