R&C: How would you characterise the level of risk that can arise from third-party relationships in today’s business world? To what extent are potential liabilities increasing in this area?

Matthews: Outsourcing is where a service you traditionally performed is handed over to a third party to deliver. Outsourcing exposes an organisation to the risk that the third party will not manage risk in a manner consistent with the outsourcer’s policies and expectations. For example, if confidential data is shared with a third party, and that data is lost because the third party did not safeguard the data in line with the outsourcer’s policies, the outsourcer’s reputation is negatively impacted, and the cost of remediation efforts can severely impact the bottom line.

Dowie: Outsourcing continues to increase, driven by the need to manage costs and to meet customer demands. This trend is likely to continue as the ecosystems of product/service support and client experiences becomes ever more complex.

Blanco: The ultimate responsibility for managing risk and negative consequence remains with the outsourcer. Therefore, third-party risk management (TPRM) programmes have been evolving to ensure that each of the responsible risk oversight functions – such as compliance, information security and business continuity, among others – and the business unit itself are deeply involved in assessing how the third party is managing risk on behalf of the outsourcer, both pre- and post-contracting. The business unit which engaged the third-party has the responsibility to ensure that the service is delivered in line with expectations and that the requisite controls deemed essential by the oversight functions are in place and operating as expected.

Apr-Jun 2019 Issue