engaged to undertake an activity on behalf of or in partnership with the contracting organization.There are significant benefits of working this way. Indeed, it is difficult to avoid entering into a
range of relationships with third parties. However, when working with others, the risks must be
considered carefully.
Third parties include:
- Suppliers.
- Contractors.
- Subcontractors.
- Consultants.
- Strategic allies.
- Business partners.
- Subsidiaries.
- Agents.
There should be a good reason for collaborative efforts, such as a way of increasing efficiency,
sharing risk, gaining additional capability, or exploiting new opportunities. Sometimes, however,
organizations are presented with the chance to work with another party and then attempt to create
activity to exploit the opportunity. While this can be successful, it also can result in unfocused activity
that falls outside the strategic plan, and ultimately serve as a distraction from achieving core
objectives.
Clarifying the nature of the relationship through a formal agreement or memorandum of
understanding (MOU) is one way of confirming expectations at the outset and avoiding
misunderstanding later. Such agreements may specify the period the relationship is intended to
endure, the objectives to be achieved, the roles and responsibilities of each party, how financial
commitments and rewards are to be shared, and the options for terminating the agreement.
Once initiated, such relationships rely on effective communication and good working relations. It
is important to agree on a schedule for making contact, holding meetings, sharing information, and
issuing reports.
The engagement of a third party to undertake some activity does not absolve the organization of
responsibility for risk. The organization’s own risk management processes need to extend to the
exposure to risks presented by the use of third-party contractors, subcontractors, vendors, affiliates,
and partners. While the appropriate response to any of these risks may be through various legal and
financial protections, it is important to recognize the full range of potential risks.
Third-party risks tend to be greater when:
- The relationship is new.
- The relationship is entered into quickly.
- The services provided are critical to the organization’s operations.
- The financial value of the arrangement is significant.
- The duration of the relationship is extensive.
- The nature of the undertaking is complex.
- The third party is also engaged in other activities or relationships that may be in direct competition or conflict. There are several parties involved.
- The third party is planning to subcontract some or all of the work.
- The potential for risk in third-party relationships is significant, stemming from failures by the third party or of the relationship itself.
These risks include:
- Operational risk due to the complexities of two or more organizations working together different systems and strategic priorities.
- Reputational risk through association with another organization’s shortcomings.
- Financial risk involving delays, disruptions, underperformance, and penalties.
- Compliance risk where expectations are unclear and no party within the alliance has full oversight of all activities and related regulatory duties.
- Legal risks arising from a partner ’s breaches in regard to regulation and statutory requirements.
- Strategic risk through the potential for the relationship with the third party to soak up additional time and resources, divert the organization away from its primary goals, and result in the failure to achieve major objectives.