I was honored to host the Third Party Risk Avoiding Business Disruption event in Oak Brook last week. It was well-attended and interactive. The speakers focused on the unique needs, opportunities, and challenges faced by executives in governing and managing Third Party Risk in publicly traded and private entities today. A significant amount of information was shared among the attendees.
Managing Third Party Risk
Ron Kral, Managing Partner from Candela Solutions, LLC, provided an overview of the COSO framework, which is designed to mitigate operational risk, not only internal controls, for financial reporting. The COSO framework refers to Outsourced Service Providers (OSP) nearly 100 times.
Additionally, Ron discussed the leading practices to manage the risk with Outsourced Service Providers in the following areas:
- Cybersecurity breaches
- Leaking of confidential information
- Ethics violations
Bruce Ward from Peters & Associates shared insights about Data Classification/Significance and Confidentiality Risk. He also facilitated a Data-Driven Risk Assessment exercise where participants used real life scenarios from their respective companies.
Some key takeaways:
- Applying COSO’s 2013 framework and its 17 principles to outsourced service providers (OSPs) enables better identification of changes in your risk landscape over time.
- Use a practical risk-based approach in managing OSPs by categorizing them into three tiers based on vendor importance and information shared.
- Ensure good OSP governance and management processes exist for pre-and post-contract reward.
- Hold OSPs accountable for service levels, terms and conditions, and results.
- Data Classification is a key component in the risk identification and assessment process.
- Due diligence must be conducted for OSPs with access to sensitive data.
Congratulations again to John Krupinski on being the lucky winner of the autographed Mike Ditka Football.
If you would like to learn more about managing Third Party Risk, please email me directly at firstname.lastname@example.org.