THE EXTENDED ENTERPRISE: Third-party governance models are a must for today's organizations.

Author: Ryan, Melissa
Position: Governance Perspectives

Whether it is referred to as third-party risk, vendor management, supply chain management, or something else, organizations must recognize the risk implications of operating as an extended enterprise. Today's interconnected business models enable companies to leverage partnerships to manage costs and increase competitive advantage. In the extended enterprise, company data and, in many cases, its client or associate data are shared, transferred, processed, or stored by external entities. Very often, this data is among the organization's key information assets. The risk to the entity increases, often unknowingly, when management has not assessed or addressed the potential threats posed to key assets in this sharing process. These risks may include security protections and associated breach risk, availability standards and associated operational risk, ownership rights and associated strategic risk, and other key risk points across financial, operational, reputational, and legal areas. Considering these risks and evolving business operations--alongside an increasingly complex regulatory landscape--third-party governance and oversight models are a must-have for organizations.

Gone are the days when an organization's simple inquiry into a new vendor's policies, data security practices, and control structure during the vendor procurement process was considered sufficient. Over time, simple inquiry evolved into a brief, often narrowly focused, evidence or documentation gathering exercise with limited actual review or scrutiny. Fast forward to today, when organizations are expected, by stakeholders and regulators alike, to know, assess, and actively monitor external providers' adherence to defined practices. Internal audit--and its first and second line counterparts--must determine whether appropriate measures are in place to address third-party risk. This process begins by identifying and understanding two key data points: 1) Who are the organization's vendors and external partners (and their subcontractors or providers)? and 2) What information is being shared with them? Once the landscape and risk profiles are understood, appropriate governance and monitoring can also be established.

Identifying key vendors is the initial step--keeping in mind individual relationships and vendor services structures must be fully understood. Does the organization use an external data center provider? Are there software as a service (SaaS)-based applications used...