Shared Assessments has released its latest White Paper – Building Best Practices: Third Party Contract Development, Adherence & Management.
This paper documents best practices for streamlining Third Party contract development, approval, exceptions and addendums processes, examines the need for actionable contracts and shows how they can be written and managed across the relationship lifecycle from both the outsourcer and Third Party provider perspectives. Below we provide an Executive Summary of the paper’s key findings.
Optimising contract processes is important for both the outsourcer and the Third Party. Once outsourcers have fully documented the risks associated with a Third Party, the negotiation, approval, addendums and management processes prove to be most effective when the outsourcer works with its Third Party as a team across the relationship lifecycle.
Contract best practices processes are shown below to help set realistic expectations for both parties regarding due diligence, contract negotiations, onboarding, oversight (including control assessments), reporting requirements and terminations. Additional resources are available in the Shared Assessments Program Best Practices Awareness Group companion paper in this series: Third Party Contract Development, Adherence & Management.
Contract development and management due diligence techniques are demanding closer scrutiny of a number of factors that affect the establishment and ongoing maintenance and monitoring of relationships with Third Parties (and, where possible, with nth parties).
Most notably, regulatory agencies have helped establish the best practice (required in some industries) of obtaining board approval before execution of any contract for any Third Party relationship that involves activities deemed as “critical” by that organisation.
Other areas in which contract management requires extra due diligence because of the threat landscape include:
- right to audit requirements;
- material changes to services and/or products being provided;
- fourth party relationships;
- geolocation and other infrastructure considerations;
- risks surrounding emerging technologies (such as IoT, Artificial Intelligence, robotics, etc.);
- establishment and renewal of evergreen contracts; and
- merger and acquisition (M&A) activities.
Emerging Best Practices
A defined, documented organisational structure in which parameters are set at the beginning of a contracting process with a Third Party provides a solid foundation for the success of the relationship and improves the maturity of the outsourcer’s Third Party risk management program.
Setting parameters requires key stakeholder conversation, in which all the relevant groups (the business, the sourcing lead, the Third Party risk practitioner and the legal department) can learn from one another what works best in practical settings and in their own unique environments.
Benefits & Conclusion
A well-developed, unified contract management process throughout the Third Party lifecycle that is applied across the enterprise provides a documented, consistent, and defensible approach to contract management. Robust contract development practices provide benefits to both the outsourcer and the Third Party provider.
- A more predictable future state of risk with respect to the outsourcer’s Third Party ecosystem
- Overall strengthening of risk governance throughout the enterprise with better top-down, bottom-up communications
- Improved relationships based on individualised risk ratings and actual assessment results
- Greater assurance for meeting contract requirements and satisfying the outsourcer’s service delivery, price, quality risk and control expectations
- Possible reduction in current and future legal and compliance costs through the use of standardised, defensible contracting best practices
Download The Full White Paper
You can download the full white paper – Building Best Practices: Third Party Contract Development, Adherence & Management from the Shared Assessments website.
About Shared Assessments
As the trusted source in Third Party risk, the member-driven Shared Assessments Program has been setting the standard in Third Party risk assessments since 2005. Shared Assessments Program members work together to build and disseminate best practices, building resources that give all third party risk management stakeholders a faster, more rigorous, more efficient means of conducting security, privacy and business resiliency control assessments. Learn more about our relationship with Shared Assessments.
This Executive Summary and content is published with the kind permission of Shared Assessments.