How your board can oversee third-party risk

Third parties are critical to business today. But they can also bring big risks.

Given the sheer number of third parties on which companies rely and with whom they collaborate, it’s important to evaluate and manage the related risks. Corporate boards can play an important role by ensuring management has established effective third-party risk management programs.

What role should the board play?

Determine which board committee will cover third-party risk

While the full board should understand management’s process for addressing this risk, it’s common to delegate regular oversight to a committee. 

  • Boards with risk committees commonly task that group with oversight

  • Many other boards allocate risk oversight responsibilities in general to the audit committee

  • Regardless of the committee that has responsibility for oversight, the full board needs to understand how management is addressing this risk

Understand how the company leverages third parties

This might highlight the significant third parties that are integral to the company’s delivery of its business strategy. While the company will be responsible for establishing third-party diligence processes and monitoring risk, the board should understand what that entails. To do this effectively, the board needs to understand:

  • The risk landscape, so that it can get comfortable with the program and the processes
  • The challenges involved in managing third-party relationships
  • What an effective third-party risk management program might include

Consider the impact of third parties as it relates to enterprise risks

Boards can ask if internal audit should perform an annual review of the key controls associated with a third-party risk management program. Boards should also think about whether the company requested and/or received any additional assurance by external parties over controls and processes in place at the third parties.

Seek periodic updates from those in charge

The nature and depth of reporting from management to the board will look different from company to company. The goal is for boards to understand the third-party risk landscape for their companies and to get comfortable with the related programs and processes.

How boards can stay ahead of the curve

Using third parties is a natural part of business. Third parties provide companies with many benefits, but they also bring risks. The sheer number of third-party relationships companies often have makes it difficult to oversee the risks involved. That’s why having an efficient and effective third-party risk management program—including oversight from the board—is critical.

Contact us

Maria Castañón Moats

Leader, Governance Insights Center, PwC US

Carolyn Holcomb

Privacy Assurance Leader, Sustainability Partner, PwC US

T.R. Kane

Principal, Cyber, Risk & Regulatory, PwC US

Dennis Quandt

Director, PwC US

Brian Schwartz

Partner, Cyber, Risk and Regulatory, PwC US

Dean Spitzer

Principal, PwC US

Catie Hall

Director, Governance Insights Center, PwC US
