Contact Us Login

OCEG’s Illustrated Series
Third Party Management

Integrated 3rd Party Management

In today's complex economy third parties play critical roles in your business success. Third Parties include: suppliers, vendors, distributors, resellers, contractors, and agents. Third party management is too complex to implement without an integrated strategy that includes people, process and technology.

The illustrations below are meant to give a birds-eye view of a particular third party management process from end-to-end. The illustrations are meant to be a guide to a successful Third Party Management Program that includes risk management, compliance management, performance management and information management.

Integrated 3rd Party Management Click to download

To download a pdf of the illustration above, please click and enter your information. The illustration then opens in a separate browser window.

Please disable your web browser’s POP-UP BLOCKERS for this website in order to allow the illustration to open properly.

Compliance Week
Marie Patterson

The Complexity of Third-Party Management

An OCEG Roundtable with Compliance Week and
Marie Patterson, VP, Marketing, Hiperos

Compliance Week: Let’s start with basics. How do you define, and identify third parties?

Patterson: Third parties are any entities that are not company employees, including suppliers, vendors, sub-contractors, contract manufacturers, resellers, distributors, partners, captives, and affiliates. They represent an increasingly large portion of revenues; statistics from our customers would suggest +/- 60 percent. The challenge, for most organizations, is that they do not know with certainty who their third parties are. For companies with a lot of third parties, initial identification can seem overwhelming. Our recommendation is to approach this in three ways: (1) utilize your list of “high risk” third parties; (2) integrate with other sources—such as accounts payable where third-party payment details may be stored; and (3) given that third parties change at between 15 perecnt and 20 percent per year, implement a way to capture third-party details up front.

Many individuals need to interact with third parties in some manner—IT, finance, HR, legal, compliance, accounts payable, procurement, etc. For the majority, the management of third parties is not their day job. The challenge is determing how you assist them to complete their third-party management tasks, ensure that they’re doing so in compliance with your policies and procedures, and take appropriate steps to escalate matters when necessary. One of the big advantages of technology is that it automates this process and enforces your corporate policies and procedures in a way that’s consistent and objective across the organization, while aligning the correct persons within your organization with individuals at the third party.

Compliance Week: Do you recommend particular policies and procedures for oversight of third parties based on their risk ranking?

Patterson: Policies and procedures are essential. Specifically, understanding what your policies and procedures are and knowing when they apply. Not only does every third party not require the same level of controls, organizations also need to understand what business they’re doing with a particular third party, considering the specific contracts, engagements, statements of work, consulting engagements, etc., and implement controls at that level. The challenge for companies is that they are dealing with so many third parties and the requirements for initial and ongoing due diligence is unique for each. Again, depending on the number of third parties, this is impossible to manage manually, which leads to companies not completing appropriate due diligence or never updating it. The beauty of technology and automation is the ability to apply appropriate controls based on specific circumstances.

Compliance Week: How do you control what your third parties do in terms of their own agents and suppliers?

Patterson: In certain industries, such as banking, the management of sub-contractors is required by regulators, but everyone needs to understand whether goods and services will be delivered directly by the third party or by a sub-contractor to appropriately manage risk. For example, one of our customers found that a number of their third parties were actually all using the same sub-contractor, creating consolidation risk, so they increased the risk ranking of these third parties, put additional controls in place, and identified additional sources.