4th Party Exposure: A Growing Challenge
Sourcing & Technology Vendor Management professionals are facing a troubling dynamic that increases regulatory and compliance risk: growth of 4th Party contractors (sub-contractors to those third parties that have contractual agreements with your firm).
Technology organizations have engaged third party service providers for a number of reasons, ranging from a desire to gain efficiency to access to skills and capacity to support their technology roadmap. These third parties are typically selected through a formal evaluation, selection and negotiation process which includes language covering the third parties' use of contractors (4th Parties). Based on recent regulator focus and actions (OCC 2017-7), this typical language is insufficient and does not align to the operational realities of today’s business requirements.
Why is this a growing challenge?
As businesses embrace digital transformation, it drives increased stakeholder expectations for speed and for leveraging emerging technology to bring value to customers. Combined with the current visa environment, third party service providers are having trouble staffing the required niche skills or capacity necessary to meet demand. They are increasingly turning to contractors (4th Parties) to fill this void at the same time regulators are targeting this risk area. Obligations defined in the third party service provider's agreement and the processes required to validate and get approval of a 4th party contractor are in conflict with operational reality. Many times, the TVMO and TPRM teams may learn of 4th party contractor involvement months after the fact, if at all.
Working with Sourcing and Procurement, Technology Vendor Managers must support Third Party Risk Management accountability for effectively tracking third party service provider use of contractors and ensure these individuals are properly documented, trained and made aware of all policies and procedures necessary to satisfy regulator expectation.
Here are some recommendations that should support your efforts to control 4th party contractors in your environment.
1. Reinforce with technology and business leaders the importance of the TVMO rules of third party engagement.
Effective management of technology service providers and other 3rd parties comes from a unified front across technology and business leaders as well as operational managers accountable to deliver. This is no different than all other aspects of quality vendor and third party risk management.
2. Revisit contract language on the use of contractors with each of your strategic service providers.
Language needs to go beyond current best practice to obligate and make the 3rd party service provider accountable for a breach with defined remedy. Align the contract language with the obligation to identify all contractors in each distinct statement of work or work order to ensure identification is provided before the work starts.
3. Develop a basic classification of 4th Party Contractors to enable the technology team to execute in the required time with an identified and quantified risk factor.
Regulators appear to be most focused on 4th Party contractors who are providing more strategic, functional contribution to the project or solution. This is where awareness and understanding of regulations and requirements enables creation of a solution that meets or exceeds expectations. Consider aligning 4th Party Contractors by two categories: Functional Execution & Contributor Execution. This will enable TVMO and TPRM teams to focus while establishing clear guidance for technology and third party service provider teams.
- Functional Execution = Business and functional requirement development, architecture, design and functional QA.
- Contributor Execution = Technical requirement development, coders, developers and testers who are executing the provided design.
4. 4th Party Contractor Management is based upon the classification.
Build the third party service provider obligations for use of 4th party contractors with an understanding that if audited, regulators will seek proof of conformance. Create a package of required training and policy review for Functional Execution contractors that is different from the Contributor Execution category. Consider leveraging a Learning Management System (LMS) as a way to control and track compliance.
5. Use of contractors could be an indicator of Third Party health.
Typically, third party service providers are selected based upon their expertise and capability to support a customer’s technology environment. Significant use of contractors could be an indicator that they really do not have the skills or there may be some underlying service challenge. Technology Vendor Management teams need to pay close attention and monitor potential service risk.
Based on the negotiated agreement position, lack of compliance should carry a hefty credit, with the potential implications for termination in the event of continued breach or accountability if there is a ruling by a regulator. In addition, TVMO and TPRM teams should track internal stakeholder compliance and provide targeted reporting across technology and business leaders.