Board oversight of third-party risk management

While many companies have robust third-party risk management (TPRM) programs in place as a strategic imperative, ensuring that TPRM processes keep pace with the rapidly changing risk, regulatory, and compliance environment is a significant challenge.

For boards overseeing management’s efforts to maintain effective TPRM programs, key areas of focus should include:

• Third-party cybersecurity and data privacy risks
• Risks posed by use of third-party artificial intelligence tools
• Third-party climate, sustainability, and other ESG risks
• Management’s projects to address business operations vulnerabilities and improve resilience and sustainability

The following are questions for boards and board committees to keep in mind as they reassess how they can effectively oversee third-party risk:

• Do the management team members responsible for specific risks understand the scope and magnitude of the risk being managed by third parties and whether that risk is appropriately managed and controlled in line with the company’s policies?
• Does management have a complete risk-ranked inventory of critical services provided by third parties, including subcontractors?
• How often does the board want updates on third-party risk from management? How is the information provided? Is data available in real time?
• Where should board oversight of third-party risk be housed—full board, risk committee, or another committee? Does the audit committee have responsibility for supply chain risks by design or by default?
• Is the TPRM program approached holistically, as an enterprisewide activity (versus silo-driven) and effectively integrated with risk management and compliance functions?
• Do the TPRM team and other functions have sufficient skills/talent, funding, and technology to keep pace?

When should the board be involved in the oversight and approval of large or complex services involving third parties?