Third-party Management Risks
Risk: Lack of commitment from senior management
How to mitigate: Identify any serious issues that have occurred or may potentially occur within the organization due to weaknesses in third-party management and share these findings with senior management. Ensure that third-party management is designed with stakeholders and management approves this process. The third-party management process should be integrated into the IT Governance system.
Risk: Weak contracts
How to mitigate: Third-party management should ensure that a business case is prepared before the procurement phase starts and that the risks associated with the contract are identified. Business and IT service requirements should be defined with stakeholders, and the third-party management process should ensure that the contract covers these requirements. A contract manager should be appointed well in advance to oversee the structure and provisions of the contract.
Risk: Misalignment of service levels between third-party and business
How to mitigate: The third-party management process should ensure that a supply chain analysis is performed and that all requirements are aligned. Be aware that service levels cover more than just service outage recovery times and availability rates.
Risk: Weak or no monitoring of contractual commitments by service provider
How to mitigate: The third-party management process should ensure that every critical contract has an assigned contract manager; this role is responsible for monitoring and reporting on contractual commitments. Escalation should occur if necessary.
Risk: IT staff is not fully aware of the technical and operational contractual provisions
How to mitigate: The contract manager ensures that knowledge is transferred and that contractual commitments and related controls are embedded in the tools, processes or systems of the service provider. Third-party management ensures proper oversight.
Risk: Insufficient awareness of contractual provisions
How to mitigate: The contract should include provisions that enforce alignment with relevant policies and procedures. A transition phase should be planned to ensure this alignment is properly designed.
Risk: Weak third-party risk management leading to non-compliance, security incidents and low service quality
How to mitigate: Introduce a third-party risk management process aligned with enterprise risk management. Enhance the organization's risk management culture.
For a third-party management audit checklist, refer to this product:
Third-party management audit checklist
You can document or improve your third-party management process using this toolkit:
Third-party management process toolkit