As businesses navigate the risks associated with these unprecedented new operating conditions, an entire, multifaceted area of vulnerability may be overlooked—the potential risks presented by third party service providers.
Many businesses try to focus on their core competencies and outsource other business functions to third party service providers. These functions can include payroll, benefits, payment disbursement and collection, compliance, customer service, and IT services. In these situations, even when a function, task, or process is transferred to a third party, many of the associated risks remain with the business. Businesses often put their trust in these service providers, but it is still the responsibility of each business to monitor the risks associated with the provider relationship. Nowadays, more than ever, third party services provider risks have become elevated because of a wide array of factors.
Factors That May Trigger Third Party Risks
- By implementing work from home policies for employees, third parties may experience diminished control effectiveness
- Third party employees may be restricted from accessing their facilities and, as a result, they may:
- Have new responsibilities assigned to them
- Be relocated
- Be furloughed or terminated
- Changes in control quality may occur – including tolerance levels or the frequency which each control is performed
- Lack of sufficient management review
- Breakdown of timely reconciliation procedures
- A virtual work environment can be a breeding ground for new cybersecurity risks
- Working alone may result in reduced reliance on support by team members and supervisors
- Systems and procedures originally planned for a change or upgrade may be delayed or not implemented at all
Reassess Your Provider Relationship
Each organization should reassess their third party service provider relationships. This process should include:
- Communicating with each service provider and inquiring about operations in the current work environment
- Reviewing information for each relationship and assessing the changes between conditions prior to the pandemic and the current risks associated with each provider
- Do not just “hope for the best.” Instead start enhanced monitoring to ensure that your goals and expectations are still being met
- If deemed necessary, add extra monitoring mechanisms in the form of frequency and means. Depending on the risks identified, a combination of monitoring controls with different frequencies may be put in place. For example, implement teleconferenced “field visits” in addition to weekly or daily calls or newly designed score cards. Additional methods can include assessment checklists, heat-maps, and incident reports.
- Work collaboratively with providers to resolve identified risks, newly arising problems, and operational challenges.
- Continue to review and analyze Service Organization Control (SOC) reports which cover the control environment at each third party service provider. These reviews, as always should promote compliance with User Control Considerations (UCCs) as formulated by third party service providers and ensuring all control deficiencies identified in the SOC reports are addressed and control weaknesses (if any) compensated with your own internal controls.
For further insights on mitigating risks in today’s environment, read: Are Your Internal Controls Still Effective?—Managing in This Challenging Environment and Beyond.
If you have questions about the best approach to third party service provider risk management for your business or would like to discuss having a third party risk assessment performed, contact Alexander Moshinsky, Director, Operational Advisory and Risk Management at 212.331.7448 | AMoshinsky@BERDONLLP.com.
For more information on any other matter related to the COVID-19 pandemic, please contact your Berdon advisor and visit Berdon’s COVID-19 Information Center.
