Today’s business climate dictates that organizations will need to continue to rely on third parties to alleviate internal processing burden and remain competitive. All of these third-party relationships present some sort of risk to your organization that require managing and monitoring.
What Does Outsourcing Third-Party Risk Management Mean?
Outsourcing third-party risk management means partnering with professionals and experts who can analyze your vendor controls and assess their effectiveness in reducing risk.
However, this is a good moment to emphasize that while you can outsource tasks that free up more time, space and resources dedicated to third-party risk management you can never truly outsource the risk a vendor poses to your organization.
Evaluating Internal vs. External Resources
Research has shown that the actual cost of a full-time employee is approximately 1.4 times that of the salary when you consider benefits, insurance and all other employee perks. Industry expertise demands a higher premium and will impact the profit and loss. It’s also why we find some managers taking on multiple roles within an organization that don't allow them to focus on their core duties. Sooner or later, something is going to give.
With that in mind, a fully experienced vendor manager may be an expert in just a few areas. Consideration should be given to how you can satisfy the requirements of a robust and well documented vendor management program.
When It Needs to Remain In-House
The roles which should be retained in house are those based on relationship, providing feedback loops and general reporting features (with the exception of contract management). There are some aspects and insights around managing vendors that just can't be exported to a service provider.
The following roles benefit greatly from being retained in-house:
- Performance and Relationship Management. It’s vital to maintaining strong service levels. Relationship management is often intangible but goes a long way in creating a long-lasting partnership between the client and vendor. This is often best performed by internal staff.
- Board Reporting. Ultimately, the risk of using any third-party provider rests with the executive board. While they may not need a granular level of detail, the vendor management team is best aligned to manage the boards expectations, provide summary reports and ad-hoc notices which may place the organization at risk.
- Contract Management. Contract management, specifically focused on contract terms, should ideally be managed by in-house counsel or a subject matter expert (SME) in contractual language. The lower end of the scale becomes a function of an administrative role.
- Line of Business Interaction. Internal vendor managers are most often the conduit between the users and the vendor service. It wouldn’t be practical to add an additional layer of outsourced vendor management staff to this time sensitive requirement.
Capitalizing on Outsourcing Third-Party Risk Management
With the above in mind, in an environment of increasing competition (and increasing margins) there is valid reasoning that leadership might consider other cost containment initiatives. This is where outsourcing comes in.
All of your vendor relationships present some sort of risk to your organization that require managing and monitoring.
Outsourcing third-party risk management can help:
- Meet industry standards and regulations. This often requires specific expertise in numerous areas and disciplines such as:
- Financial reports
- SOC reports
- Compliance and regulations (which vary by industry, region and country)
- Centralize the data on your third parties. No longer is it sufficient to manage hundreds, perhaps thousands, of third parties using Excel or a similar non-automated tool. This is where a software tool comes in, which can:
- Automate due diligence and monitoring tasks
- Avoid missing key dates
- Pull comprehensive reports for exams
- Streamline processes
- Dramatically increase efficiency
- Speed up strategic maturation. The number one way to mature your third-party risk program is to be strategic. By focusing on shifting some of the heavy lifting in the oversight process, it allows you to compliment your existing program while you can focus on the strategic aspects of oversight.
- Overcome internal hurdles. Outsourcing can complement a program where the vendor management function is being handled by another department that lacks the time to perform those duties because of their core responsibilities and equally where the department is top heavy in one discipline.
For example: If your vendor management department today hasn’t performed any level of due diligence but has a well-oiled contract management process, then realistically you do not have a vendor management department, you have a contract management department. A regulator will identify that gap in your program during their first department interview.
Vendor Management is sometimes viewed as a “non-profit generating line item,” but by taking a closer look at your current staffing levels, expertise and successfully outsourcing key functions when expertise or bandwidth is not readily available internally, you’ll be able to deliver on the premise of doing more with less.
The cost savings of vendor management outsourcing will become apparent when compared to your annual, full time employee costs. Today, outsourcing vendor management has never made more sense.
Want to learn more about the ROI of investing in third-party risk management? Check out this eBook.