
Third-party management

Third-party management is the process whereby companies monitor and manage interactions with all external parties with which they have a relationship. This may include both contractual and non-contractual parties. Third-party management is conducted primarily for the purpose of assessing the ongoing behavior, performance and risk that each third-party relationship represents to a company. Areas of monitoring include supplier and vendor information management, corporate and social responsibility compliance, supplier risk management, IT vendor risk, anti-bribery/anti-corruption (ABAC) compliance, information security (infosec) compliance, performance measurement, and contract risk management.[1] The importance of third-party management was elevated in 2013 when the US Office of the Comptroller of the Currency stipulated that all regulated banks must manage the risk of all their third parties.[2]

Third parties

A 'third party', as defined in OCC 2013–29, is any entity that a company does business with.[2] This may include suppliers, vendors, contract manufacturers, business partners and affiliates, brokers, distributors, resellers, and agents.[2] Third parties can be both 'upstream' (suppliers and vendors) and 'downstream' (distributors and resellers), as well as non-contractual parties.[2]

Firms do not have to conduct critical activities to be considered a 'third party'; a cleaning services firm responsible for maintaining a company's office space is a third party as much as a primary supply-chain supplier. The role or size of the third party is not as important as the nature of the relationship, the criticality of its activities, the level of access it has to sensitive data or property, and a company's accountability for inappropriate actions of its third parties. A cleaning company with access to a CEO's filing cabinet represents a different but still significant risk relative to a supplier who provides a critical component to the production line.

A non-critical service provider – such as an air-conditioning contractor – operating in a country with low corruption risk may erroneously be considered a low risk. However, if that contractor has poor cyber-security and is able to submit invoices to a customer electronically across the customer's firewall, it may represent a high cyber risk to the customer company. Target Corporation's December 2013 data breach, in which approximately 70 million Target customers' credit and debit card information was stolen, highlights the cyber-security risk posed by innocent third parties – even in low-risk countries such as the US. Hackers exploited an HVAC contractor with poor cyber-security who conducted electronic payments with Target and thus had access behind the firewall.[3]

Due to trends towards specialization and outsourcing, companies increasingly focused on core competencies are engaging greater numbers of third parties to perform key functions in their business value chain;[4] third-party activity is typically responsible for driving approximately 60% of total revenue.[5] This trend is creating greater numbers of critical third-party relationships throughout the economy which – in the case of companies with tens of thousands and even hundreds of thousands of third-party relationships – can become cumbersome to monitor and manage manually.

Regulation

Due to regulatory requirements, third-party management is most prevalent in the financial sector. The use of third-party management systems is mandated by the Office of the Comptroller of the Currency for American national banks and federal savings associations.[2] OCC bulletin 2013–29 explicates the third-party management requirements for financial institutions. The British Financial Conduct Authority (FCA) requires, under the SYSC 8.1 'Outsourcing Requirements', that critical functions conducted by third parties must be continuously monitored.[6]

The healthcare sector also has growing regulatory requirements that call for third-party management. HIPAA,[7] the Health Insurance Portability and Accountability Act, sets the standard for protecting private patient data. There are regulations around the saving[8] and storing of Protected Health Information (PHI),[9] which can be even more valuable than credit card information.[10] The HITECH Act,[11] signed in 2009, requires increased privacy and security obligations and extends those obligations to business associates.

While other industries are not required by law to have third-party management systems in place, most non-financial companies are bound by anti-bribery/anti-corruption (ABAC) and other regulations.[1] Consequently, many of them manage their third parties and have adopted third-party-management solutions.[12]

Third-party management solutions

Third-party management solutions are technologies and systems designed to automate the performance of one or more third-party management processes or functions. Such solutions are external-facing and designed to complement internal-facing governance, risk and compliance (GRC) systems and processes. They run on both on-premises-installed and SaaS-delivered enterprise platforms.[13]

Security ratings services (SRS), subscription services which "provide continuous, independent quantitative security analysis and scoring for organizational entities," are gaining popularity as well.[14] The market for SRS is becoming increasingly competitive as providers such as BitSight and Panorays offer companies the ability to combine different risk factors into a quantitative score for vendor comparison.

References

  1. "International law and tax experts - CMS international law firm". cms.law. Retrieved 15 September 2019.
  2. "OCC: Third-Party Relationships: Risk Management Guidance". occ.gov.
  3. Gregory Wallace (6 February 2014). "HVAC vendor eyed as entry point for Target breach". CNNMoney.
  4. "Outsourcing: on the increase as firms hone core competencies". Osney Buy-Side.
  5. "Use Cases for Third Party Management". Hiperos 3PM White Paper.
  6. "Combined View". fshandbook.info.
  7. "Health Information Privacy". HHS.gov. 26 August 2015. Retrieved 15 September 2019.
  8. Office for Civil Rights (OCR) (10 September 2009). "The Security Rule". HHS.gov. Retrieved 15 September 2019.
  9. "HIPAA.com". HIPAA.com. Retrieved 15 September 2019.
  10. "Medical records 10x more valuable to hackers than credit card information". www.beckershospitalreview.com. Retrieved 15 September 2019.
  11. Office for Civil Rights (OCR) (28 October 2009). "HITECH Act Enforcement Interim Final Rule". HHS.gov. Retrieved 15 September 2019.
  12. "Managing third-party risk in a changing regulatory environment". McKinsey & Company (Working Papers on Risk, Number 46).
  13. "The Difference Between Enterprise Software and Software-as-a-Service". effectivedatabase.com.
  14. "Hype Cycle for Risk Management Solutions, 2016". Gartner. Retrieved 15 September 2019.
