Ask the Expert: How has audit’s role in evaluating third-party risk changed in the last year?
Dawn Ward, Senior Solution Consultant at Iceberg Networks, and Chris Murphey, VP Advisory Services at Iceberg Networks, discuss how evaluating the Third-Party Risk Management program has evolved for internal auditors. The following is an edited transcript of the conversation.
Dawn Ward: Looking at the events that have taken place and stepping away from a piecemeal program and trying to build a stronger, holistic, integrated program that includes supply chain disruption and vendor solvency and other components that are more outward looking than just that vendor relationship. Internal audit has to take a holistic view of the program, so they’re uniquely situated to do that, they have that bird’s-eye-view of the organization, they can see across the business units, across the functions. So, they need to assess whether there’s a clear vision, as well as if it’s robust and clearly defined in a framework for that vision to support the programs. They really need to look at that and say, has the organization considered this holistically and have they set up that vision and the framework and the program to be able to manage that holistic program out from just that vendor into what is happening throughout all of the supply chain and other areas. They need to also assess the operational resiliency around supply chains and outsourcing strategies to make sure that there’s enough focus within the organization on key areas that affect third-party risk management, because it’s not just looking at a vendor and what is the risk to the organization for the vendor. When you’re talking about a strategic program where you are now outsourcing key components of your business, you need to understand all of the implications around that holistically. Operational resiliency, it has become clear, is very important and impactful. So how is the organization managing that?
They also need to consider the program through the lens of the associated risk landscape and ensure that the vendors are being evaluated and then re-evaluated based on the changing risks for the organization. If you see that a risk that hadn’t been anticipated to be impactful has become impactful, you now have to relook at those vendor relationships and determine that if that risk has changed, has that vendor’s risk changed in relation to the organization.
Chris Murphey: I think Dawn’s points are so strong. One of the things I pull out of what she just said is essentially that internal audit is the arbiter of the enterprise risk management program inside of an organization and they’ve had to think beyond the boundaries of what third-party risk was so they can better advise organizations and provide perspective and context and recommendations on how to improve the operations in that bigger capacity.
The other part I pulled out from what Dawn said is that supply chain risk and resiliency and operational needs there have really taken hold of organizations. Those are excellent points.