- CFOs are increasingly aware of the need to get a handle on the risk third-party vendors and subcontractors pose to their companies, but many are only now getting a sense of what that entails, risk experts say.
- Only 18% of finance executives identify and assess the risk their subcontractors pose, according to a survey Deloitte conducted with the Wall Street Journal earlier this year.
- Another 17% don’t monitor subcontractors at all, 11% do an assessment only when taking on new subcontractors, and 44% monitor the third party directly but rely on outside partners to monitor the subcontractors.
Ryan Flynn, principal at Deloitte, shared the findings as part of a discussion of third-party risk in a webinar on August 13 hosted by CFO magazine.
Risk can be broadly categorized into three tiers, said Mark Deluca, senior vice president at Coupa, a cloud platform that helps companies manage their spending and the sponsor of the webinar. The first tier concerns functional risks and is the type CFOs are most familiar with, because these risks concern the company’s financials, auditing, regulatory compliance and budgeting.
The second tier is operational, involving business operations, fraud, suppliers, and cyber risks. The third tier involves forward-looking, strategic risks: the macro economy, industry dynamics, capital, and reputation.
Deluca said most third-party vendors and subcontractors don’t pose a lot of risk to companies. They don’t have access to sensitive data or their intersection with the company’s operations is otherwise limited.
The way to get a handle on your risk is to assess your vendors and subcontractors and determine which ones pose the most risk, based on the data they access, the part of the operation they’re connected to, and the risk measures they have in place, Deluca said.
Nevertheless, be vigilant about reassessing even non-risky vendors any time their work for the company changes, said Flynn. If a vendor has previously been assessed and not considered a risk because of the limited scope of its work, that doesn’t mean you don’t have to reassess it if it takes on a new assignment. If a vendor is doing IT work and is assigned a new task involving sensitive employee information, you have to reassess it.
A vendor that has a high-risk profile doesn’t necessarily have to be eliminated from your list of vendors, Flynn said. You just have to work with them with an understanding of the heightened risk they pose and account for that in the way you assess and monitor their work. “Go into it with your eyes wide open,” he said.
To access the webinar, go to CFO's past webinar page and click on the webinar called "How CFOs take the lead on third-party risk management and governance."