Conquer Your Third-Party Risk

供应商是当今商业环境中的一个常见元素.  Outsourcing services 和 processes to vendors provides flexibility, convenience 和 cost savings.  然而，这些外包安排并非没有增加的风险.  Data breaches stemming from third parties have been increasing year over year.  当身份被盗或敏感信息被公开时, 你的客户不会在意这是供应商的错.  监管机构和审查机构也注意到了这一点, 和 it can be seen in recent legislation 和 guidance related to managing third parties.  According to the Federal Deposit 和 Insurance Corporation’s (FDIC) Guidance For Managing Third-Party Risk, “An institution's board of directors 和 senior management are ultimately responsible for managing activities conducted through third-party relationships, 识别和控制这些关系产生的风险, 与该活动在机构内处理的程度相同.“虽然bet9平台游戏可以外包，但风险却不能.

Why is this important?  Many organizations continue to outsource critical activities 和 fail to recognize the risks that arise from those relationships.  无论是外包某些信息技术业务, 敏感数据处理和存储, or simple marketing, legal or HR services, sensitive/proprietary information is often shared with third parties without first assessing the security controls within that organization.  为此目的, third-party risk management is critical when it comes to managing risk across the enterprise.  对由第三方执行的活动作出保证, 组织应该实施健全的第三方风险管理实践.       

说到指导，有很多很好的选择.  There are many compliance-based guides that may be applicable based on the industry you are in.  例如, 和我们在银行业的客户, 我想到了之前提到的联邦存款保险公司的指导方针.  在施耐德唐斯，我们是共享评估计划的成员公司, which provides widely adopted vendor risk management tools 和 resources for enterprise organizations to evaluate 和 measure vendor risk.  These tools are industry agnostic 和 provide third-party risk management best practices regardless of the industry you may be in.

No matter what framework or guidance you plan to adopt, some of the key recommendations remain.

第三方风险管理的主要建议

1. 规划 -制定第三方风险管理计划，确定风险范围, outsourced services, 并在使用数据控制风险.  列出你的供应商和他们持有的数据类型.
2. 尽职调查和第三方选择 - Conduct reviews of third parties prior to signing contracts, 和 annually thereafter.  To assist with this review, 获取和审查独立报告, such as SOC 1 和 SOC 2 reports, 确保第三方遵守行业标准.  In absence of these reports, use an industry-adopted best practice such as the St和ard Information Gathering (SIG) questionnaire.
3. Contract negotiation - Develop contracts with third parties that clearly outline the responsibilities of each party.  合同应定期审查, as part of the contract, 确保他们解决当前的第三方风险. 合同还应包括“审计权”条款.
4. Ongoing monitoring - Perform IT 和 operational assessments of third parties’ internal controls on a regular basis to ensure that third parties have appropriate controls in place for protecting sensitive/proprietary information. Continuous review is necessary to underst和 the most current level of risk for each vendor.
5. 终止 - Develop contingency plans for transferring activities to another third-party, bringing the activity in-house, 或者完全消除活动(和相关数据).

除了上述活动之外, organizations should assign responsibilities for third-party management to appropriate members of the organization with sufficient knowledge of the enterprise risk management process 和 nature of third-party relationships.  St和ardized documentation 和 reporting procedures should be implemented to ensure that third-party management activities are appropriately being performed 和 reported on.  最后, organizations should perform independent reviews of their third-party management programs to ensure that third-party risk management activities are appropriately aligned with their enterprise-wide risk program, that they meet industry recommended best practices 和 that they effectively manage the risk posed by third parties.

联系 us if you have questions implementing a third-party risk management strategy 和 visit our Internal Audit page to learn about services that Schneider Downs offers.