Organisations today, big or small, can no longer function or indeed survive on their own. Business partners, vendors, third party providers - all manner of relationships are required for the modern business to operate.
For some, the attraction of engaging with these partners is to reduce their costs - a partner with scale in the particular area of expertise can almost always do it more effectively and efficiently.
For others, there is a desire to outsource or contract out anything that is not considered 'core' business for the organisation. This too has some logic as the organisation can focus the mind of its team on the things it does best.
More organisations are utilising third parties to perform functions as diverse as IT network management, payroll and call centre operations, right through to cleaning the floors and maintaining property, plant and equipment.
But what happens when that provider doesn't perform their obligations as agreed in the contract or some negative event occurs in their business?
This week we saw a major incident with many Woolworths customers being charged a second time for a previous transaction. Note that I have no information on this incident other than what I have seen in the media.
Woolies has been quick to point out that the problem lay with their financial processing provider, Cuscal, and to their credit, Cuscal has been open and upfront in admitting that the problem was at their end. They have apologised profusely to the customers affected.
This is just one example of many where a business's reputation has been tarnished by the performance of a third party.
So what has all this got to do with risk management?
Risk management is about making business decisions that take advantage of opportunities and minimise the threats. So when the opportunity to engage a third party to perform the function means a cheaper and more efficient provision of that service, the threats should also be considered (what if they don't perform? Do they have the capacity? etc.) and actions taken to mitigate them.
These business relationships need to be the subject of just as much scrutiny when considering an organisation's risks as anything that occurs within the business. And there should be a concerted effort to understand how big the issue could be. For instance:
Does the organisation have a listing of key third party relationships?
Is there a formal, up-to-date agreement in place that guides performance expectations and, critically, does it include a 'right to audit' clause?
Does the organisation understand which relationships could cause major impacts to business as usual operations or to its reputation?
Who in the organisation is responsible for managing and monitoring each of these risks?
Is there sufficient budget allocated to the Internal Audit function to include audits of the highest risk third party relationships?
Is a risk assessment performed before a new outsourcing arrangement is considered?
What arrangements are in place with third party providers for business interruption events? Have these been tested?
Are regular performance reports received from the third party provider and how do you determine that the information is factual and complete?
What process is taken to review previous performance before an arrangement is renewed or extended?
This is not an exhaustive list - each organisation should determine the key services / functions provided by third parties and evaluate how the relationships are being managed for the benefit of both parties.
Most organisations will have auditors at their disposal and should have a risk function active in the business - if you haven't done it already, now is the time to call on their expertise in evaluating the potential risks.
Better to manage the problem up front than to try and do it in front of the cold, hard glare of the TV cameras. Telling the world it was someone else's fault, even if it's true, is not going to help much in the court of public opinion.