I was surprised to hear some financial services industry experts say that many large firms don’t always know who their third parties are and what exactly they are doing for the firm.
I work for a large company that uses a decent amount of outsourced labor, as do most large companies, and creating an accurate list of all contractors, their duties, and their understanding of the firm’s policies, procedures and values is a challenge. It is the first of many challenges, but a logical and possibly under-appreciated one.
Should you create an inventory of every single contractor — or just those that pose a certain level of risk to the firm because of the type of data they handle, deals they broker or communications they create? Only you and your team can answer that one.
Ironically, many firms hire consultants to track their consultants and then do this risk analysis.
The firm should also not forget another step in the early game of managing supply-chain risk: Identifying the third parties that are paying the firm to work with it.
Is your firm getting an item of value from a third party in exchange for its ability to appear on your site in some fashion, use your customer/subscriber lists, or market its wares at your events? When making these risk determinations, you can’t look only at the parties you pay.
If I can use the word “lastly” when creating just a preliminary list of action items, here goes: Lastly, who should be in charge of supply-chain risk in your firm?
It probably can’t just be the department finding the suppliers or signing the contracts with them. It is likely some collection of the procurement, legal, compliance, risk, audit, information technology and human resources departments.
These departments must work together to collect the information mentioned above and decide how to proceed with the data in terms of risk, training, oversight, etc.
Since your company is likely to continue using third parties to get work done, the goal is to do so knowledgeably. And to manifest this awareness in documentation that you can show a regulator or two.
Julie DiMauro is a contributing editor of the FCPA Blog. She’s a regulatory intelligence and e-learning expert in the GRC division of Thomson Reuters Accelus. Follow Julie on Twitter @Julie_DiMauro. Email Julie at [email protected].